- This is related to the fix patch set for bug13737. That patch set works with no problems if the root/host x509 set is created for the first time with that patch set merged. However, if the x509 is already created previously then the contents of serial will still be 01 instead of 02.
- This patch checks if the hostcert.pm file exists and that the index.txt file is empty, and then increments the serial content from 01 to 02. This means that when the x509 is regenerated the system will not complain that 01 cannot be used as it has already been revoked but will use 02 for the new host and everything works fine after that.

Fixes: bug13737
Tested-by: Adolf Belka <[email protected]>
Signed-off-by: Adolf Belka <[email protected]>
---
 config/rootfiles/core/194/update.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/rootfiles/core/194/update.sh 
b/config/rootfiles/core/194/update.sh
index e1e9dde9b..2ab4ca2a2 100644
--- a/config/rootfiles/core/194/update.sh
+++ b/config/rootfiles/core/194/update.sh
@@ -103,6 +103,11 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Increment ipsec serial file if x509 certificates present and no content in 
index.txt
+if [ -e /var/ipfire/certs/hostcert.pm ] && [ -z /var/ipfire/certs/index.txt]; 
then
+    sed -i "s/01/02/" /var/ipfire/certs/serial
+fi
+
 # Start services
 /etc/init.d/ipsec restart
 /etc/init.d/suricata restart
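Review bot: the "index.txt is empty" half of the condition in this hunk can never be true, so the serial is never incremented. `-z` tests whether a string argument is empty, and the literal path `/var/ipfire/certs/index.txt` is never an empty string; on top of that, the missing space before the closing bracket (`/var/ipfire/certs/index.txt]`) makes `[` fail with a "missing ]" error, so the whole `if` evaluates false and the `sed` line is skipped. The test for an empty file is `-s` negated, so suggest `if [ -e /var/ipfire/certs/hostcert.pm ] && [ ! -s /var/ipfire/certs/index.txt ]; then`. The `sed -i "s/01/02/"` is also unanchored and rewrites the first `01` found anywhere in the line, so a serial that has already moved on (for example `10` or `0102`) would be corrupted if update.sh were ever run twice; anchoring it to the whole line, `sed -i 's/^01$/02/' /var/ipfire/certs/serial`, makes the step idempotent and limits it to the exact case the commit message describes.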
-- 
2.49.0