core183: replace https rsa key if it is too small

new openssl need at least 2048 bit rsa keys for apache. So if the existing is smaller a new 4096 bit key is generated. fixes #13527 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2024-01-18 18:02:10 +01:00
parent bca096b453
commit 36c16c71ed
3 changed files with 29 additions and 0 deletions
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -229,6 +229,19 @@ restore_backup() {
 	# Set correct ownership
 	chown nobody:nobody /var/ipfire/ovpn/ovpnconfig

+	# Generate new HTTPS RSA key if the existing is too small
+	KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+	if [ $KEYSIZE \< 2048 ]; then
+		openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+		chmod 600 /etc/httpd/server.key
+		sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+				openssl req -new -key /etc/httpd/server.key \
+				-out /etc/httpd/server.csr &>/dev/null
+		openssl x509 -req -days 999999 -sha256 \
+			-in /etc/httpd/server.csr \
+			-signkey /etc/httpd/server.key \
+			-out /etc/httpd/server.crt &>/dev/null
+	fi
 	return 0
 }

--- a/config/rootfiles/core/183/filelists/files
+++ b/config/rootfiles/core/183/filelists/files
@@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
 usr/local/bin/backupiso
+var/ipfire/backup/bin/backup.pl
--- a/config/rootfiles/core/183/update.sh
+++ b/config/rootfiles/core/183/update.sh
@@ -128,6 +128,21 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 	/etc/rc.d/init.d/ipsec start
 fi

+# Check apache rsa key and replace if it is too small
+KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+if [ $KEYSIZE \< 2048 ]; then
+	echo "Generating new HTTPS RSA server key (this will take a moment)..."
+	openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+	chmod 600 /etc/httpd/server.key
+	sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+		openssl req -new -key /etc/httpd/server.key \
+			-out /etc/httpd/server.csr &>/dev/null
+	openssl x509 -req -days 999999 -sha256 \
+		-in /etc/httpd/server.csr \
+		-signkey /etc/httpd/server.key \
+		-out /etc/httpd/server.crt &>/dev/null
+fi
+
 # Rebuild initial ramdisks
 dracut --regenerate-all --force
 KVER="xxxKVERxxx"