$ diff -u ~/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate ./univention-certificate --- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate 2016-09-06 09:19:15.738733229 +0200 +++ ./univention-certificate 2016-09-26 17:06:41.765918395 +0200 @@ -50,6 +50,7 @@ echo "Options:" echo " -name " echo " -days " + echo " -grace " # grace period, also in days [ -n "$1" ] && exit 2 || exit 0 } @@ -75,6 +76,7 @@ command= name= days= +grace="0" while [ $# -ge 1 ] do case "$1" in @@ -86,6 +88,7 @@ dump) command="$1" ;; -name|--name) name="${2:?Missing argument to -name}" ; shift ;; -days|--days) days="${2:?Missing argument to -days}" ; shift ;; + -grace|--grace) grace="${2:-0}" ; shift ;; -h|--help|--usage|-\?) usage ;; -*) usage "Unknown option: '$1'" >&2 ;; *) usage "Unknown command: '$1'" >&2 ;; @@ -120,7 +123,7 @@ run_only master exclusive : ${days:?Missing argument -days} echo "Renew certificate: $name" - renew_cert "$name" "$days" + renew_cert "$name" "$days" "$grace" } check () { $ diff -u ~/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh ./make-certificates.sh --- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh 2016-09-06 09:19:15.738733229 +0200 +++ ./make-certificates.sh 2016-09-26 13:36:39.418874027 +0200 @@ -43,6 +43,8 @@ : ${DEFAULT_CRL_DAYS:=10} DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" : ${DEFAULT_DAYS:=1825} +DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)" +: ${DEFAULT_GRACE:=0} DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" : ${DEFAULT_MD:=sha256} DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" @@ -133,6 +135,8 @@ policy = policy_match +unique_subject = no + [ policy_match ] countryName = match 
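Review bot: The default `grace="0"` added in the -75 hunk means the call `renew_cert "$name" "$days" "$grace"` in the -120 hunk always passes an explicit value, so the `${3:-$DEFAULT_GRACE}` fallback in make-certificates.sh and the new `ssl/default/grace` UCR read added in the -43 hunk never take effect when this command is used without `-grace`. If the UCR default is meant to apply, initialise the variable empty, `grace=`, so the `${3:-...}` fallback sees an empty argument; `-days` already follows that pattern with `days=`. If `0` is intentionally the command-line default regardless of UCR, a one-line comment next to `grace="0"` saying so would keep the next reader from wiring the UCR key up again.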
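Review bot: `-grace|--grace) grace="${2:-0}"` in the -86 hunk silently turns an empty argument into 0 and accepts any non-numeric string, whereas `-name` and `-days` on the neighbouring lines fail with `${2:?Missing argument ...}`; a non-integer value later reaches `[ "$grace" -eq 0 ]` in revoke_cert and produces a test error instead of a usage message. Suggest `grace="${2:?Missing argument to -grace}"` for consistency, and after option parsing a check such as `case "$grace" in *[!0-9]*) usage "Invalid -grace: '$grace'" >&2 ;; esac` so only a non-negative integer is ever written into pending.txt.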
@@ -336,7 +340,9 @@ if ( X[i] ~ /^CN=/ ) { split ( X[i], Y, "=" ); if ( name == Y[2] ) { - seq = $4; + if ( $1 == "V" ) { + seq = seq$4" "; + } ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; } } @@ -348,8 +354,9 @@ renew_cert () { local fqdn="${1:?Missing argument: common name}" local days="${2:-$DEFAULT_DAYS}" + local grace="${3:-$DEFAULT_GRACE}" - revoke_cert "$fqdn" || [ $? -eq 2 ] || return $? + revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $? ( cd "$SSLBASE" @@ -361,6 +368,7 @@ revoke_cert () { local fqdn="${1:?Missing argument: common name}" + local grace="${2:-$DEFAULT_GRACE}" local cn NUM [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" 
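Review bot: In the -336 hunk `ret` is still overwritten by every index row whose CN matches, so now that several rows per name are expected the status reflects whichever matching row comes last in index.txt rather than whether any current `V` row exists; a later `R` row would presumably yield 2 even though an earlier valid serial was collected into `seq`. If the intent is "valid if any current V row exists", aggregate instead, e.g. assign `ret = 0` only when a row qualifies and otherwise keep the worst status seen so far. Also note that `seq = seq$4" "` leaves a trailing space on the value; harmless for `for num in $NUM` word-splitting, but worth a comment where the variable is consumed. The enclosing awk program starts and ends outside the hunk.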
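Review bot: The rewritten line `revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?` returns the status of the `[` test (1) rather than revoke_cert's own status whenever that status is not 2, so callers cannot tell the failure reasons apart. Capture it first: `rv=0; revoke_cert "$fqdn" "$grace" || rv=$?` followed by `[ "$rv" -eq 0 ] || [ "$rv" -eq 2 ] || return "$rv"`. The new `local grace=...` line also deserves a comment that a non-zero grace does not revoke anything yet — the old certificate is only queued in pending.txt, so two valid certificates for the name coexist until the cron job revokes the old one. renew_cert's body continues outside the hunk.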
@@ -371,7 +379,51 @@ return 2 fi - openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" + if [ "$grace" -eq 0 ]; then + # revoke all certificates of this fqdn + for num in $NUM; do + openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" + done + else + # remember all certificates of this fqdn for revocation after the grace period + pending_file="${SSLBASE}/pending.txt" + [ -f "$pending_file" ] || touch "$pending_file" + pending_certs="$(cat $pending_file)" + >"$pending_file" + + for num in $NUM; do + echo "$num:$grace" >>"$pending_file" + done + + for cert in $pending_certs; do + num="$(echo $cert | sed 's/:.*//')" + grace="$(echo $cert | sed 's/.*://')" + if [[ "$NUM" != *"$num"* ]]; then + echo "$num:$grace" >>"$pending_file" + fi + done + fi + + gencrl +} + +update_pending_certs () { + pending_file="${SSLBASE}/pending.txt" + [ -f "$pending_file" ] || touch "$pending_file" + pending_certs="$(cat $pending_file)" + >"$pending_file" + + for cert in $pending_certs; do + num="$(echo $cert | sed 's/:.*//')" + grace="$(echo $cert | sed 's/.*://')" + grace="$((grace-1))" + if [ "$grace" -gt "0" ]; then + echo "$num:$grace" >>"$pending_file" + else + openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" + fi + done + gencrl } /etc/cron.daily/pending-certificates.sh #!/bin/bash # ... . /usr/share/univention-ssl/make-certificates.sh update_pending_certs /usr/share/ucs-test/01_base/101_renew_certificate_with_grace_period #!/usr/share/ucs-test/runner bash ## desc: Test if univention-certificate can renew a certificate with a grace period ## roles: [domaincontroller_master] ## exposure: dangerous ## bugs: [41013] . 
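Review bot: `if [[ "$NUM" != *"$num"* ]]` in the grace branch of revoke_cert is a substring test, so a pending entry whose serial is a substring of any serial in `$NUM` (say `1A` against `21A`) is dropped from pending.txt and that certificate is never revoked. Since `$NUM` is a space-separated list (the awk change appends `" "` after each serial), match whole tokens instead: `if [[ " $NUM " != *" $num "* ]]; then`. The unquoted `cat $pending_file` and `echo $cert` in both loops, and the `pending_file`/`pending_certs`/`num`/`grace` variables that update_pending_certs leaves global, should be quoted and declared `local` as the rest of the file does. The counter is also decremented once per cron run rather than per calendar day, so a missed run extends the grace period; storing an absolute revocation date in pending.txt instead of a countdown would make it independent of the job schedule, and the file format deserves a comment either way.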
"$TESTLIBPATH/base.sh" || exit 137 test_cert_name="test_cert_cbf8b858" test_days=1825 test_grace=2 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "0" ] || RETVAL=1 univention-certificate new -name $test_cert_name >/dev/null 2>&1 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "1" ] || RETVAL=1 univention-certificate renew -name $test_cert_name -days $test_days -grace $test_grace >/dev/null 2>&1 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "2" ] || RETVAL=1 /etc/cron.daily/pending-certificates.sh >/dev/null 2>&1 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "2" ] || RETVAL=1 /etc/cron.daily/pending-certificates.sh >/dev/null 2>&1 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "1" ] || RETVAL=1 univention-certificate revoke -name $test_cert_name >/dev/null 2>&1 [ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "0" ] || RETVAL=1 exit ${RETVAL:-0}