Make sure to validate/upgrade that we don't have any active weak certificate used by nginx at the beginning of the buster migration, otherwise nginx will later miserably fail to start

This commit is contained in:
Alexandre Aubin 2020-06-29 22:04:04 +02:00
parent ac9182d69f
commit d435889776
3 changed files with 42 additions and 3 deletions


@ -69,12 +69,11 @@ do_init_regen() {
-out "${ssl_dir}/certs/yunohost_crt.pem" \ -out "${ssl_dir}/certs/yunohost_crt.pem" \
-batch >>$LOGFILE 2>&1 -batch >>$LOGFILE 2>&1
last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
chmod 640 "${ssl_dir}/certs/yunohost_key.pem" chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
chmod 640 "$last_cert" chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"
cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key" cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
cp "$last_cert" "$ynh_crt" cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
fi fi
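Review bot: The new `chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"` and `cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"` run regardless of whether the openssl signing call whose `-out` argument opens the hunk succeeded, and since that call's output is redirected to `$LOGFILE` a failure is silent at this point. Unless the part of `do_init_regen` above the hunk uses `set -e` or chains the call with `||`, consider ending it with `-batch >>$LOGFILE 2>&1 || return 1` so the exit status the migration checks for `02-ssl init` reflects the failure instead of a stale or missing file being copied. `do_init_regen` and the `if` closed by the final `fi` both start above the hunk.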


@ -479,6 +479,7 @@
"migration_0015_modified_files": "Please note that the following files were found to be manually modified and might be overwritten following the upgrade: {manually_modified_files}", "migration_0015_modified_files": "Please note that the following files were found to be manually modified and might be overwritten following the upgrade: {manually_modified_files}",
"migration_0015_specific_upgrade": "Starting upgrade of system packages that needs to be upgrade independently…", "migration_0015_specific_upgrade": "Starting upgrade of system packages that needs to be upgrade independently…",
"migration_0015_cleaning_up": "Cleaning up cache and packages not useful anymore…", "migration_0015_cleaning_up": "Cleaning up cache and packages not useful anymore…",
"migration_0015_weak_certs": "The following certificates were found to still use weak signature algorithms and have to be upgraded to be compatible with the next version of nginx: {certs}",
"migrations_already_ran": "Those migrations are already done: {ids}", "migrations_already_ran": "Those migrations are already done: {ids}",
"migrations_cant_reach_migration_file": "Could not access migrations files at the path '%s'", "migrations_cant_reach_migration_file": "Could not access migrations files at the path '%s'",
"migrations_dependencies_not_satisfied": "Run these migrations: '{dependencies_id}', before migration {id}.", "migrations_dependencies_not_satisfied": "Run these migrations: '{dependencies_id}', before migration {id}.",


@ -16,6 +16,7 @@ from yunohost.utils.packages import get_ynh_package_version, _list_upgradable_ap
logger = getActionLogger('yunohost.migration') logger = getActionLogger('yunohost.migration')
class MyMigration(Migration): class MyMigration(Migration):
"Upgrade the system to Debian Buster and Yunohost 4.x" "Upgrade the system to Debian Buster and Yunohost 4.x"
@ -28,6 +29,13 @@ class MyMigration(Migration):
logger.info(m18n.n("migration_0015_start")) logger.info(m18n.n("migration_0015_start"))
#
# Make sure certificates do not use weak signature hash algorithms (md5, sha1)
# otherwise nginx will later refuse to start which result in
# catastrophic situation
#
self.validate_and_upgrade_cert_if_necessary()
# #
# Patch sources.list # Patch sources.list
# #
@ -203,3 +211,34 @@ class MyMigration(Migration):
logger.debug("Running: %s" % cmd) logger.debug("Running: %s" % cmd)
call_async_output(cmd, callbacks, shell=True) call_async_output(cmd, callbacks, shell=True)
def validate_and_upgrade_cert_if_necessary(self):
active_certs = set(check_output("grep -roh '/.*crt.pem' /etc/nginx/").strip().split("\n"))
cmd = "LC_ALL=C openssl x509 -in %s -text -noout | grep -i 'Signature Algorithm:' | awk '{print $3}' | uniq"
default_crt = '/etc/yunohost/certs/yunohost.org/crt.pem'
default_key = '/etc/yunohost/certs/yunohost.org/key.pem'
default_signature = check_output(cmd % default_crt).strip() if default_crt in active_certs else None
if default_signature is not None and (default_signature.startswith("md5") or default_signature.startswith("sha1")):
logger.warning("%s is using a pretty old certificate incompatible with newer versions of nginx ... attempting to regenerate a fresh one" % default_crt)
os.system("mv %s %s.old" % (default_crt, default_crt))
os.system("mv %s %s.old" % (default_key, default_key))
ret = os.system("/usr/share/yunohost/hooks/conf_regen/02-ssl init")
if ret != 0 or not os.path.exists(default_crt):
logger.error("Upgrading the certificate failed ... reverting")
os.system("mv %s.old %s" % (default_crt, default_crt))
os.system("mv %s.old %s" % (default_key, default_key))
signatures = {cert: check_output(cmd % cert).strip() for cert in active_certs}
def cert_is_weak(cert):
sig = signatures[cert]
return sig.startswith("md5") or sig.startswith("sha1")
weak_certs = [cert for cert in signatures.keys() if cert_is_weak(cert)]
if weak_certs:
raise YunohostError("migration_0015_weak_certs", certs=", ".join(weak_certs))
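Review bot: In `validate_and_upgrade_cert_if_necessary`, the comprehension `signatures = {cert: check_output(cmd % cert).strip() for cert in active_certs}` runs openssl on every path grepped out of /etc/nginx/, so a stale config entry pointing at a certificate that no longer exists on disk makes openssl exit non-zero and, assuming `check_output` raises on a non-zero status, aborts the migration with a traceback instead of the `migration_0015_weak_certs` message; the `grep` on the method's first line has the same failure mode when it matches nothing. A guard such as `signatures = {cert: check_output(cmd % cert).strip() for cert in active_certs if os.path.exists(cert)}` (logging the skipped paths) keeps the check focused on certificates that are actually present. The paths are also substituted unquoted into a shell command via `cmd % cert`; quoting them with `shlex.quote` (`pipes.quote` on Python 2) makes a path containing spaces or shell metacharacters in an nginx config harmless. The return codes of the `os.system("mv ...")` calls around the regeneration are ignored, so a failed backup of the key is not noticed before the old certificate is replaced.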