Bug #13421
openStunnel certificate does not refresh
Description
I use stunnel with ACME certificates, which expire every 90 days. When the certificate is 6í days old, ACME auto-refreshes the certificate. Unfortunately stunnel does not pick up this change. When opening the stunnel config page the certificates are shown, but they are not refreshing, even on restart of the stunnel service.
The only way I found to refresh is to connect via ssh, go to /usr/local/etc/stunnel and delete the corresponding pem files. After that, on the GUI, open one of the stunnel configs and save. This will copy the new cert files from the /conf/acme directory to the stunnel directory.
I have to repeat the above steps every time the cert expires. I would expect stunnel to use the certificate from its original location (/conf/acme), thus it would update the new certificate on service restart.
Stunnel version: 5.50_11
PFSense version: 2.6.0-RELEASE (amd64)
Updated by S Premeau 9 months ago
I have experienced this problem in pfSense plus 22.05 / stunnel 5.50_11.
I "solved" it via brute force, but making these changes:
*** /dev/null Wed Dec 31 18:00:00 1969 --- /etc/phpshellsessions/reconfigstunnel Thu Mar 2 16:06:31 2023 *************** *** 0 **** --- 1,4 ---- + ! echo 'Updating stunnel configuration . . .' + require_once("stunnel.inc"); + stunnel_save(); + *** /usr/local/pkg/stunnel.inc.orig Tue Mar 29 10:22:22 2022 --- /usr/local/pkg/stunnel.inc Thu Mar 2 16:31:24 2023 *************** *** 51,56 **** --- 51,60 ---- return; } + if (! file_exists("/usr/local/etc/rc.d/stunnel.sh")) { + stunnel_rcfile(); + } + $conf = "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n"; $conf .= "chroot = " . STUNNEL_CHROOTDIR . " \n"; $conf .= "setuid = stunnel \n"; *************** *** 74,80 **** $certpath = STUNNEL_ETCDIR . "/{$pkgconfig['certificate']}.pem"; if (file_exists($certpath)) { $oldcert_details = openssl_x509_parse(file_get_contents($certpath)); ! if ($cert_details['hash'] == $oldcert_details['hash']) { $replace_cert = false; } } --- 78,86 ---- $certpath = STUNNEL_ETCDIR . "/{$pkgconfig['certificate']}.pem"; if (file_exists($certpath)) { $oldcert_details = openssl_x509_parse(file_get_contents($certpath)); ! if (($cert_details['hash'] == $oldcert_details['hash']) && ! ($cert_details['serialNumber'] == $oldcert_details['serialNumber'])) ! { $replace_cert = false; } } {
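Review bot: the new /etc/phpshellsessions/reconfigstunnel playback script only regenerates the config by calling `stunnel_save();` and does not restart the running stunnel process, so the renewed certificate is not served until the ACME action also restarts the service (as the comment describes); a one-line comment in the script saying that a restart must follow, or adding the restart step to the script itself, would keep the two from drifting apart. The `/usr/local/etc/rc.d/stunnel.sh` guard in stunnel.inc that calls `stunnel_rcfile();` is a sensible defensive addition for the playback path, where the rc file may not have been written yet.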
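Review bot: the serialNumber check added to the `$replace_cert = false;` condition in stunnel.inc is the actual fix and deserves a comment explaining why, because the original `$cert_details['hash'] == $oldcert_details['hash']` comparison can never detect a renewal: the `hash` field returned by openssl_x509_parse() is the hash of the subject name, which is identical for every renewal of the same certificate, so the old PEM was always kept and the symptom in the report (new cert only picked up after deleting the PEM files by hand) follows directly from that. Comparing the serial number (or, equivalently, the certificate fingerprint) distinguishes renewed certificates with the same subject; a short comment next to the condition would prevent a future cleanup from collapsing it back to the hash-only check.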
Now you can have the acme plugin reconfigure stunnel via the playback command before restarting the service.