From 32b8dfda6f0007da6643dac5611a27550477d4ab Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Tue, 21 Sep 2021 10:33:41 -0400 Subject: [PATCH] Generate self-signed certificate when https is enabled Currently the self-signed certificate used as the REST API/GUI server certificate for the first time HTTPS is enabled is generate at build time and embedded in the ISO. This will make it expire less than a year from the date the system is installed. This change removed the certificate generation at build time, instead generate it at the first time HTTPS is enabled. Closes-Bug: 1944438 Depends-On: https://review.opendev.org/c/starlingx/config/+/810263 Signed-off-by: Andy Ning Change-Id: I7835534c11df3b03ea8e6f6ea7e88878386bcc12 --- security/stx-ssl/centos/build_srpm.data | 2 +- security/stx-ssl/centos/wrs-ssl.spec | 7 ------- security/stx-ssl/server-csr.conf | 8 -------- 3 files changed, 1 insertion(+), 16 deletions(-) delete mode 100644 security/stx-ssl/server-csr.conf diff --git a/security/stx-ssl/centos/build_srpm.data b/security/stx-ssl/centos/build_srpm.data index 2670bbbb..6bd16a14 100644 --- a/security/stx-ssl/centos/build_srpm.data +++ b/security/stx-ssl/centos/build_srpm.data @@ -1,2 +1,2 @@ -COPY_LIST="$PKG_BASE/files/* $PKG_BASE/LICENSE $PKG_BASE/server-csr.conf" +COPY_LIST="$PKG_BASE/files/* $PKG_BASE/LICENSE" TIS_PATCH_VER=PKG_GITREVCOUNT+8 diff --git a/security/stx-ssl/centos/wrs-ssl.spec b/security/stx-ssl/centos/wrs-ssl.spec index ac053913..10c00f8c 100644 --- a/security/stx-ssl/centos/wrs-ssl.spec +++ b/security/stx-ssl/centos/wrs-ssl.spec @@ -6,10 +6,8 @@ License: Apache-2.0 Group: base Packager: Wind River URL: unknown -BuildRequires: openssl Source0: LICENSE -Source1: server-csr.conf Source2: tpmdevice-setup %description 
@@ -20,13 +18,8 @@ rm -rf $RPM_BUILD_ROOT RPM_BUILD_DIR_PKG="%{name}-%{version}" mkdir -p $RPM_BUILD_DIR_PKG -CSRCONF="$RPM_BUILD_DIR_PKG/server-csr.conf" PEMFILE="$RPM_BUILD_DIR_PKG/self-signed-server-cert.pem" -cp %{SOURCE1} $CSRCONF -# generate a self signed default certificate -/usr/bin/openssl req -new -x509 -sha256 -keyout $PEMFILE -out $PEMFILE -days 365 -nodes -config $CSRCONF mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/ssl/private -install -m 400 $PEMFILE $RPM_BUILD_ROOT/%{_sysconfdir}/ssl/private/self-signed-server-cert.pem mkdir -p $RPM_BUILD_ROOT/%{_sbindir} install -m 700 %{SOURCE2} $RPM_BUILD_ROOT/%{_sbindir}/tpmdevice-setup diff --git a/security/stx-ssl/server-csr.conf b/security/stx-ssl/server-csr.conf deleted file mode 100644 index ac9fdb51..00000000 --- a/security/stx-ssl/server-csr.conf +++ /dev/null @@ -1,8 +0,0 @@ -[ req ] -default_bits = 1024 -distinguished_name = req_distinguished_name -prompt = no - -[ req_distinguished_name ] -CN = StarlingX -
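Review bot: The second wrs-ssl.spec hunk keeps `PEMFILE="$RPM_BUILD_DIR_PKG/self-signed-server-cert.pem"` as context, but the `openssl req` and `install -m 400 $PEMFILE` lines that used it are removed, so within the visible lines it is a dead assignment that can be dropped. The `mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/ssl/private` line also stays; if that is deliberate, so the certificate generated at runtime has a directory to land in, a comment such as `# directory for the certificate generated when HTTPS is first enabled` would say so. The %install section starts and ends outside the hunk and %files is not shown, so it is worth confirming that %files no longer names self-signed-server-cert.pem and that it gives ssl/private restrictive ownership and mode. With the packaged `install -m 400` gone, key strength and file permissions are set entirely by the generator in the Depends-On change, which is not on this page. That generator should presumably not inherit the `default_bits = 1024` of the deleted server-csr.conf, and it should write the unencrypted key-plus-certificate PEM readable by its owner only.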