mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
[fix] prevent Firefox from mixing CA and server certificate
Fixes #1479: YunoHost was using the exact same Distinguished Name for the CA certificate and the main domain server certificate. When creating an alternate domain name, Firefox thought the CA for this second domain was the server certificate for the first domain. As the key mismatches, Firefox raised a bad key usage error, which is not bypassable. To fix this, we "simply" need to make sure the DN for the CA is distinct from any other DN. I did so by adding an Organization to it, and I decided to just remove the last part of the domain and use that as an organization name. It is certainly possible to do something else, as long as we end up having a distinct DN. So yolo.test gives a yolo organization, for instance. More info here: https://bugzilla.mozilla.org/show_bug.cgi?id=1590217
parent
fea733ce31
commit
e0fa39ad01
1 changed files with 1 additions and 1 deletions
|
@ -321,7 +321,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
|
|||
'touch %s/index.txt' % ssl_dir,
|
||||
'cp %s/openssl.cnf %s/openssl.ca.cnf' % (ssl_dir, ssl_dir),
|
||||
'sed -i s/yunohost.org/%s/g %s/openssl.ca.cnf ' % (domain, ssl_dir),
|
||||
'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch' % (ssl_dir, ssl_dir, ssl_dir),
|
||||
'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch -subj /CN=%s/O=%s' % (ssl_dir, ssl_dir, ssl_dir, domain, os.path.splitext(domain)[0]),
|
||||
'cp %s/ca/cacert.pem /etc/ssl/certs/ca-yunohost_crt.pem' % ssl_dir,
|
||||
'update-ca-certificates'
|
||||
]
|
||||
|
|
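Review bot: `os.path.splitext(domain)[0]` in the new `-subj /CN=%s/O=%s` argument is a file-path helper applied to a domain name, and it only drops the text after the last dot, so a constructed domain such as a.b.example gives O=a.b and a domain with no dot gives an O equal to the CN. The CA DN still gains an O attribute in both cases, but the line gives no hint that its purpose is to keep the CA subject different from every server certificate subject. Consider `domain.rsplit('.', 1)[0]` or a fixed CA label for readability, and add a comment citing #1479 so the O is not later removed as redundant. Two smaller points on the same line: `-subj` overrides the subject that would otherwise come from `openssl.ca.cnf`, so the `sed` substitution two lines above no longer determines the CA's DN and deserves a note or a cleanup; and `domain` is interpolated twice into the command string without quoting, so it should be validated or quoted before it reaches this list.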