From e0fa39ad01abd0b58c6db7c43c4081dcb934c2d6 Mon Sep 17 00:00:00 2001
From: Augustin Trancart
Date: Sat, 30 Nov 2019 15:52:00 +0100
Subject: [PATCH] =?UTF-8?q?[fix]=20prevent=20firefox=20to=20mix=20CA=C2=A0?= =?UTF-8?q?and=20server=20certificate?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #1479: yunohost was using the exact same Distinguished Name for the CA certificate and the main domain server certificate. When creating alternate domain name, firefox thought the CA for this second domain was the server certificate for the first domain. As the key mismatches, Firefox raised a bad key usage error, which is not bypassable. To fix this, we "simply" need to make sure the DNĀ for the CA is distinct for any other DN. I did so by adding a Organization to it, and I decided to just remove the last part of the domain and use that as an organization name. It is certainly possible to do something else, as long as we end up having a distinct DN. So yolo.test gives a yolo organization for instance. More info here https://bugzilla.mozilla.org/show_bug.cgi?id=1590217
---
 src/yunohost/tools.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py
index c05933dc0..ce219c4bc 100644
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@@ -321,7 +321,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
 'touch %s/index.txt' % ssl_dir,
 'cp %s/openssl.cnf %s/openssl.ca.cnf' % (ssl_dir, ssl_dir),
 'sed -i s/yunohost.org/%s/g %s/openssl.ca.cnf ' % (domain, ssl_dir),
- 'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch' % (ssl_dir, ssl_dir, ssl_dir),
+ 'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch -subj /CN=%s/O=%s' % (ssl_dir, ssl_dir, ssl_dir, domain, os.path.splitext(domain)[0]),
 'cp %s/ca/cacert.pem /etc/ssl/certs/ca-yunohost_crt.pem' % ssl_dir,
 'update-ca-certificates'
 ]
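Review bot: The added `-subj /CN=%s/O=%s` on the openssl line encodes a non-obvious constraint — the CA's DN must differ from the server certificate's DN or Firefox refuses the chain — but nothing in the code says so, so a later cleanup could drop the `O=` and silently reintroduce #1479; add a comment above that line such as `# Give the CA its own O= so its DN never equals the server cert's DN (Firefox rejects a CA whose subject matches a leaf cert, see #1479)`. Using `os.path.splitext(domain)[0]` to strip the last label reads as a filesystem operation; `domain.rsplit('.', 1)[0]` states the intent and yields the same value for ordinary domain names ('yolo' for 'yolo.test', the whole name when there is no dot). The subject is interpolated unquoted into the command string, so this relies on `domain` having been validated before it reaches the CA subject — the hunk does not show that validation, though the preceding `sed` line already interpolates the same value the same way. tools_postinstall starts and ends outside the hunk.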