Bug #13421

open

Stunnel certificate does not refresh

Added by A Schnee about 2 years ago. Updated 10 months ago.

Status: New
Priority: Normal
Assignee: -
Category: stunnel
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: All

Description

I use stunnel with ACME certificates which expire every 90 days. When the certificate is 6í days old, ACME auto-refreshes the certificate. Unfortunately stunnel does not pick up this change. When opening the stunnel config page the certificates are shown, but they are not refreshed even on restart of the stunnel service.

The only way I found to refresh is to connect via ssh, go to /usr/local/etc/stunnel and delete the corresponding pem files. After that, in the GUI, open one of the stunnel configs and save. This will copy the new cert files from the /conf/acme directory to the stunnel directory.

I have to repeat the above steps every time the cert expires. I would expect stunnel to use the certificate from its original location (/conf/acme), so that it would pick up the new certificate on service restart.

Stunnel version: 5.50_11
pfSense version: 2.6.0-RELEASE (amd64)

Actions #1

Updated by S Premeau over 1 year ago

I have experienced this problem in pfSense plus 22.05 / stunnel 5.50_11.

I "solved" it via brute force, by making these changes:

*** /dev/null       Wed Dec 31 18:00:00 1969
--- /etc/phpshellsessions/reconfigstunnel    Thu Mar  2 16:06:31 2023
***************
*** 0 ****
--- 1,4 ----
+ ! echo 'Updating stunnel configuration . . .'
+ require_once("stunnel.inc");
+ stunnel_save();
+
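Review bot: the new reconfigstunnel file has no `<?php` opening tag, and `! echo 'Updating stunnel configuration . . .'` is not a valid PHP statement (echo cannot be an operand of `!`), so the file only works when a wrapper such as pfSsh.php playback evaluates it; invoked directly by php it fails to parse. If it is meant to be callable from a hook as well, add `#!/usr/local/bin/php -f` and `<?php` at the top and make the first line `echo "Updating stunnel configuration . . .\n";`. Also note that `require_once("stunnel.inc")` relies on the PHP include path covering /usr/local/pkg, where the second file in this patch lives.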
*** /usr/local/pkg/stunnel.inc.orig     Tue Mar 29 10:22:22 2022
--- /usr/local/pkg/stunnel.inc  Thu Mar  2 16:31:24 2023
***************
*** 51,56 ****
--- 51,60 ----
                return;
        }

+       if (! file_exists("/usr/local/etc/rc.d/stunnel.sh")) {
+               stunnel_rcfile();
+       }
+
        $conf = "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n";
        $conf .= "chroot = " . STUNNEL_CHROOTDIR . " \n";
        $conf .= "setuid = stunnel \n";
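Review bot: the new guard that regenerates the rc.d script when /usr/local/etc/rc.d/stunnel.sh is absent carries no comment explaining when that happens (presumably when stunnel_save() is now invoked outside the package's normal install and GUI-save flow); add one so the next reader does not remove it. file_exists() is also satisfied by an empty or non-executable file, so consider is_executable() if the intent is "the rc script is usable".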
***************
*** 74,80 ****
                                $certpath = STUNNEL_ETCDIR .  "/{$pkgconfig['certificate']}.pem";
                                if (file_exists($certpath)) {
                                        $oldcert_details = openssl_x509_parse(file_get_contents($certpath));
!                                       if ($cert_details['hash'] == $oldcert_details['hash']) {
                                                $replace_cert = false;
                                        }
                                }
--- 78,86 ----
                                $certpath = STUNNEL_ETCDIR .  "/{$pkgconfig['certificate']}.pem";
                                if (file_exists($certpath)) {
                                        $oldcert_details = openssl_x509_parse(file_get_contents($certpath));
!                                       if (($cert_details['hash'] == $oldcert_details['hash']) &&
!                                         ($cert_details['serialNumber'] == $oldcert_details['serialNumber']))
!                                       {
                                                $replace_cert = false;
                                        }
                                }
 {
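Review bot: adding the serialNumber comparison is the correct fix, because the `hash` entry returned by openssl_x509_parse() is the hash of the subject name, which is identical for a renewed ACME certificate with the same subject, so the old test could never detect a renewal. Two suggestions: the comparison uses loose `==` on strings, use `===` (or compare `serialNumberHex`), and a single openssl_x509_fingerprint() comparison of old and new PEM would be simpler and also catches a re-keyed certificate. The stray ` {` line at the end of the hunk looks like a copy-paste artefact and would make the patch fail to apply.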

Now you can have the acme plugin reconfigure stunnel via the playback command before restarting the service.
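An added example (not from the stunnel package, this thread's patch, or its authors) showing why the hash-only comparison misses an ACME renewal: openssl_x509_parse()'s `hash` is the subject-name hash, so it is identical for a renewed certificate with the same subject, while the serial number changes. The two certificates, their DN and serials are constructed inline; only the OpenSSL extension is assumed.

```php
<?php
// Constructed demo: build an "old" and a "renewed" certificate with the same
// subject but different serial numbers, the situation an ACME renewal produces.
function make_cert(array $dn, int $serial): string {
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    // Self-signed, 30 days; the 6th argument is the certificate serial number.
    $x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256'], $serial);
    openssl_x509_export($x509, $pem);
    return $pem;
}

// Mirrors the patched package logic: keep the old file only when both the
// subject-name hash and the serial number match (strict comparison).
function cert_needs_replace(string $newpem, string $oldpem): bool {
    $new = openssl_x509_parse($newpem);
    $old = openssl_x509_parse($oldpem);
    return !($new['hash'] === $old['hash'] && $new['serialNumber'] === $old['serialNumber']);
}

// Stricter alternative: any byte of the certificate changed => replace it.
function cert_needs_replace_fp(string $newpem, string $oldpem): bool {
    return openssl_x509_fingerprint($newpem, 'sha256') !== openssl_x509_fingerprint($oldpem, 'sha256');
}

// Constructed subject; hostname is a placeholder, not a real host.
$dn  = ['countryName' => 'US', 'organizationName' => 'Example', 'commonName' => 'vpn.example.test'];
$old = make_cert($dn, 1001);   // stands in for the copy already in /usr/local/etc/stunnel
$new = make_cert($dn, 1002);   // stands in for the renewed certificate under /conf/acme

$o = openssl_x509_parse($old);
$n = openssl_x509_parse($new);
// The original check compared only 'hash', which is the same here.
printf("hash:   old=%s new=%s (%s)\n", $o['hash'], $n['hash'], $o['hash'] === $n['hash'] ? 'same' : 'differ');
printf("serial: old=%s new=%s\n", $o['serialNumber'], $n['serialNumber']);
printf("needs replace (hash+serial): %s\n", var_export(cert_needs_replace($new, $old), true));
printf("needs replace (fingerprint): %s\n", var_export(cert_needs_replace_fp($new, $old), true));
```

Both replace checks return true for the renewed certificate, while a hash-only comparison would report the two as identical.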

Actions #2

Updated by A Schnee over 1 year ago

Thanks for the work. Added to my pfsense and will see at the next refresh in a few days if it is working.

Actions #3

Updated by A Schnee 10 months ago

Tested, had to add 2 lines to /usr/local/etc/stunnel at the beginning, so now it looks like:


#!/usr/local/bin/php -f
<?php
// Print a progress line, then regenerate the stunnel configuration,
// which re-copies the certificate files into the stunnel directory.
echo "Updating stunnel configuration . . .\n";
require_once("stunnel.inc");
stunnel_save();

and configure acme to execute the script as shell script.

Without this I always received an error message: [25-Sep-2023 03:16:12 US/Eastern] PHP Parse error: syntax error, unexpected token "/", expecting end of file in /usr/local/pkg/acme/acme_command.sh(61) : eval()'d code on line 1
