View Issue Details

ID: 0005072
Project: unrealircd
View Status: public
Last Update: 2018-03-25 13:24
Reporter: Le_Coyote
Assigned To: syzop
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
Product Version: 4.0.14
Target Version: 4.0.18
Summary: 0005072: Cannot reload certificates using rehash -ssl or reloadtls
Description: While that feature seemed to work before, Unreal now seems incapable of reloading just the TLS certificates, whether it's told to by an operator using rehash -ssl, or from the command line with the reloadtls parameter.
A full rehash was needed in order to renew the certificate.

Activities

syzop

2018-03-07 10:46

administrator   ~0020041

Last edited: 2018-03-07 10:46


Do you have any certificate related options in your configuration file(s)?
Such as set::ssl::certificate, listen::ssl-options::certificate or any other xx:ssl-options::certificate?
If so, could you copy-paste those settings?

Were you locally connected as an IRC Operator, so that you were able to see any warnings/errors, or did it just report success?

Thanks!

Le_Coyote

2018-03-07 17:12

reporter   ~0020043

The only ssl settings are listen::options "ssl", and listen::ssl-options "certificate" and "key". The latter two match the path to the certificate and key files, respectively.

There are no errors in the log or in the SNotices, just the expected information:
*** [SSL rehash] Reloading all SSL related data (./unrealircd reloadtls)

But when connecting, the certificate is still the old one. A rehash as a local/remote oper is the only way to load the new certificate.

I've left the server in this "halfway" state, ie. the new certificate is present in the right path, but not loaded, in case there is anything more you would like me to do in terms of diagnostics.
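The "halfway" state described in this report (new certificate on disk, old one still served) is easy to miss because reloadtls logs success either way. The following script is an added example, not code from the bug report or from UnrealIRCd: it compares the SHA-256 fingerprint of the certificate file named in listen::ssl-options::certificate with the fingerprint of the leaf certificate a listener actually presents, optionally for a specific SNI name, so an operator can confirm a reload really took effect. The host, port, path and SNI values are assumed arguments; the PEM text used in the self-check is constructed.

```python
"""Check that a TLS listener serves the certificate that is on disk.

Added example (not part of the bug report or of UnrealIRCd). Run after
'./unrealircd reloadtls' or '/REHASH -ssl' to verify the reload took effect:

    python check_tls_reload.py /path/to/cert.pem irc.example.org 6697 [sni-name]

Host, port, path and SNI name are assumed command-line arguments.
"""
import base64
import hashlib
import re
import socket
import ssl
from typing import Optional

# Matches the first CERTIFICATE block in a PEM file (a chain file may hold
# several; the server's own certificate is conventionally the first one).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate found in PEM text."""
    match = PEM_CERT_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon separated like 'openssl x509 -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def file_fingerprint(path: str) -> str:
    """Fingerprint of the certificate file referenced by listen::ssl-options::certificate."""
    with open(path, "r", encoding="ascii") as handle:
        return fingerprint(pem_to_der(handle.read()))


def served_fingerprint(host: str, port: int, sni: Optional[str] = None,
                       timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate the listener presents for an SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want to inspect the presented certificate, not validate it, so a
    # freshly issued or self-signed certificate does not abort the check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint(der)


def verdict(expected: str, served: str) -> dict:
    """Compare the on-disk and served fingerprints; 'match' False means the reload did not happen."""
    return {"match": expected == served, "expected": expected, "served": served}


def check_listener(cert_path: str, host: str, port: int,
                   sni: Optional[str] = None) -> dict:
    """End-to-end check for one listener (and optionally one sni:: block)."""
    return verdict(file_fingerprint(cert_path), served_fingerprint(host, port, sni))


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    result = check_listener(sys.argv[1], sys.argv[2], int(sys.argv[3]),
                            sys.argv[4] if len(sys.argv) > 4 else None)
    print("on disk:", result["expected"])
    print("served: ", result["served"])
    print("MATCH" if result["match"] else "MISMATCH: certificate was NOT reloaded")
    sys.exit(0 if result["match"] else 1)
```

Running it once per listen block (and once per sni:: name, since those blocks can carry their own ssl-options) after each certificate renewal turns the silent failure in this report into a non-zero exit status that a renewal hook or monitoring job can act on.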

syzop

2018-03-07 17:47

administrator   ~0020044

I see.
When you say "A rehash as a local/remote oper is the only way to load the new certificate." do you mean a regular '/REHASH' (not '/REHASH -ssl') does resolve the situation?

Le_Coyote

2018-03-07 17:48

reporter   ~0020045

Yes, a regular rehash is necessary. '/REHASH -ssl' does not resolve the problem.

syzop

2018-03-08 09:30

administrator   ~0020046

Ok, thanks. Yes that gives me enough to duplicate the problem and look into a fix. Will do so later. Thanks for your help :)

syzop

2018-03-25 13:24

administrator   ~0020068

https://github.com/unrealircd/unrealircd/commit/9f18118f769d961c2dd6104f5f366bddeec70d77

commit 9f18118f769d961c2dd6104f5f366bddeec70d77
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sun Mar 25 13:22:19 2018 +0200

    Fix './unrealircd reloadtls' not reloading certificates/keys if
    listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options
    are used. In short: it only reloaded the ones from set::ssl until
    now. Bug reported by Mr_Smoke (0005072)

I'll clarify in the release notes this also applied to '/rehash -ssl' of course.

Thanks for the report!

Issue History

Date Modified Username Field Change
2018-02-24 17:30 Le_Coyote New Issue
2018-03-07 10:46 syzop Note Added: 0020041
2018-03-07 10:46 syzop Assigned To => syzop
2018-03-07 10:46 syzop Status new => feedback
2018-03-07 10:46 syzop Note Edited: 0020041 View Revisions
2018-03-07 10:47 syzop Severity minor => major
2018-03-07 17:12 Le_Coyote Note Added: 0020043
2018-03-07 17:47 syzop Note Added: 0020044
2018-03-07 17:48 Le_Coyote Note Added: 0020045
2018-03-08 09:30 syzop Note Added: 0020046
2018-03-08 09:30 syzop Status feedback => acknowledged
2018-03-25 13:24 syzop Status acknowledged => resolved
2018-03-25 13:24 syzop Resolution open => fixed
2018-03-25 13:24 syzop Note Added: 0020068
2018-03-25 13:24 syzop Target Version => 4.0.18