Make sure to validate/upgrade that we don't have any active weak certificate used by nginx at the beginning of the buster migration, otherwise nginx will later miserably fail to start

2024-09-03 20:06:10 +02:00 · 2020-06-29 22:04:04 +02:00 · 2020-06-29 22:04:04 +02:00 · d435889776
commit d435889776
parent ac9182d69f
3 changed files with 42 additions and 3 deletions
--- a/data/hooks/conf_regen/02-ssl
+++ b/data/hooks/conf_regen/02-ssl
@ -69,12 +69,11 @@ do_init_regen() {
        -out "${ssl_dir}/certs/yunohost_crt.pem" \
        -batch >>$LOGFILE 2>&1

-      last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
      chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
-      chmod 640 "$last_cert"
+      chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"

      cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
-      cp "$last_cert" "$ynh_crt"
+      cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
      ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
      ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
  fi
--- a/locales/en.json
+++ b/locales/en.json
@ -479,6 +479,7 @@
    "migration_0015_modified_files": "Please note that the following files were found to be manually modified and might be overwritten following the upgrade: {manually_modified_files}",
    "migration_0015_specific_upgrade": "Starting upgrade of system packages that needs to be upgrade independently…",
    "migration_0015_cleaning_up": "Cleaning up cache and packages not useful anymore…",
+    "migration_0015_weak_certs": "The following certificates were found to still use weak signature algorithms and have to be upgraded to be compatible with the next version of nginx: {certs}",
    "migrations_already_ran": "Those migrations are already done: {ids}",
    "migrations_cant_reach_migration_file": "Could not access migrations files at the path '%s'",
    "migrations_dependencies_not_satisfied": "Run these migrations: '{dependencies_id}', before migration {id}.",
--- a/src/yunohost/data_migrations/0015_migrate_to_buster.py
+++ b/src/yunohost/data_migrations/0015_migrate_to_buster.py
@ -16,6 +16,7 @@ from yunohost.utils.packages import get_ynh_package_version, _list_upgradable_ap

 logger = getActionLogger('yunohost.migration')

+
 class MyMigration(Migration):

    "Upgrade the system to Debian Buster and Yunohost 4.x"
@ -28,6 +29,13 @@ class MyMigration(Migration):

        logger.info(m18n.n("migration_0015_start"))

+        #
+        # Make sure certificates do not use weak signature hash algorithms (md5, sha1)
+        # otherwise nginx will later refuse to start which result in
+        # catastrophic situation
+        #
+        self.validate_and_upgrade_cert_if_necessary()
+
        #
        # Patch sources.list
        #
@ -203,3 +211,34 @@ class MyMigration(Migration):
        logger.debug("Running: %s" % cmd)

        call_async_output(cmd, callbacks, shell=True)
+
+    def validate_and_upgrade_cert_if_necessary(self):
+
+        active_certs = set(check_output("grep -roh '/.*crt.pem' /etc/nginx/").strip().split("\n"))
+
+        cmd = "LC_ALL=C openssl x509 -in %s -text -noout | grep -i 'Signature Algorithm:' | awk '{print $3}' | uniq"
+
+        default_crt = '/etc/yunohost/certs/yunohost.org/crt.pem'
+        default_key = '/etc/yunohost/certs/yunohost.org/key.pem'
+        default_signature = check_output(cmd % default_crt).strip() if default_crt in active_certs else None
+        if default_signature is not None and (default_signature.startswith("md5") or default_signature.startswith("sha1")):
+            logger.warning("%s is using a pretty old certificate incompatible with newer versions of nginx ... attempting to regenerate a fresh one" % default_crt)
+
+            os.system("mv %s %s.old" % (default_crt, default_crt))
+            os.system("mv %s %s.old" % (default_key, default_key))
+            ret = os.system("/usr/share/yunohost/hooks/conf_regen/02-ssl init")
+
+            if ret != 0 or not os.path.exists(default_crt):
+                logger.error("Upgrading the certificate failed ... reverting")
+                os.system("mv %s.old %s" % (default_crt, default_crt))
+                os.system("mv %s.old %s" % (default_key, default_key))
+
+        signatures = {cert: check_output(cmd % cert).strip() for cert in active_certs}
+
+        def cert_is_weak(cert):
+            sig = signatures[cert]
+            return sig.startswith("md5") or sig.startswith("sha1")
+
+        weak_certs = [cert for cert in signatures.keys() if cert_is_weak(cert)]
+        if weak_certs:
+            raise YunohostError("migration_0015_weak_certs", certs=", ".join(weak_certs))