Bug #13421
open
Stunnel certificate does not refresh
Added by A Schnee over 2 years ago.
Updated 11 months ago.
Affected Architecture:
All
Description
I use stunnel with ACME certificates which expire every 90 days. When the certificate is 60 days old, ACME auto-refreshes the certificate. Unfortunately stunnel does not pick up this change. When opening the stunnel config page the certificates are shown, but they are not refreshed even on restart of the stunnel service.
The only way I found to refresh is to connect via SSH, go to /usr/local/etc/stunnel and delete the corresponding pem files. After that, in the GUI open one of the stunnel configs and save. This will copy the new cert files from the /conf/acme directory to the stunnel directory.
I have to repeat the above steps every time the cert expires. I would expect stunnel to use the certificate from its original location (/conf/acme), so it would pick up the new certificate on service restart.
Stunnel version: 5.50_11
pfSense version: 2.6.0-RELEASE (amd64)
I have experienced this problem in pfSense Plus 22.05 / stunnel 5.50_11.
I "solved" it via brute force, by making these changes:
*** /dev/null Wed Dec 31 18:00:00 1969
--- /etc/phpshellsessions/reconfigstunnel Thu Mar 2 16:06:31 2023
***************
*** 0 ****
--- 1,4 ----
+ ! echo 'Updating stunnel configuration . . .'
+ require_once("stunnel.inc");
+ stunnel_save();
+
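Review bot: the playback script body in this hunk is not valid PHP as written: the `!` before `echo` is a context-diff change marker that has leaked into the file content, and the `echo` line has no terminating semicolon, so the file will fail to parse when played back (a later comment in this ticket reports exactly that). Suggest `echo 'Updating stunnel configuration . . .';` on its own line, and document in the ticket that the file is meant to be run with `pfSsh.php playback reconfigstunnel`.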
*** /usr/local/pkg/stunnel.inc.orig Tue Mar 29 10:22:22 2022
--- /usr/local/pkg/stunnel.inc Thu Mar 2 16:31:24 2023
***************
*** 51,56 ****
--- 51,60 ----
return;
}
+ if (! file_exists("/usr/local/etc/rc.d/stunnel.sh")) {
+ stunnel_rcfile();
+ }
+
$conf = "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n";
$conf .= "chroot = " . STUNNEL_CHROOTDIR . " \n";
$conf .= "setuid = stunnel \n";
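Review bot: recreating the rc.d script when it is missing is unrelated to the certificate-refresh bug this ticket is about and would be easier to review as a separate change. If it stays, it also needs a note on why `stunnel_rcfile()` can be absent at this point; the visible lines give no indication that the rc script is ever removed between saves.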
***************
*** 74,80 ****
$certpath = STUNNEL_ETCDIR . "/{$pkgconfig['certificate']}.pem";
if (file_exists($certpath)) {
$oldcert_details = openssl_x509_parse(file_get_contents($certpath));
! if ($cert_details['hash'] == $oldcert_details['hash']) {
$replace_cert = false;
}
}
--- 78,86 ----
$certpath = STUNNEL_ETCDIR . "/{$pkgconfig['certificate']}.pem";
if (file_exists($certpath)) {
$oldcert_details = openssl_x509_parse(file_get_contents($certpath));
! if (($cert_details['hash'] == $oldcert_details['hash']) &&
! ($cert_details['serialNumber'] == $oldcert_details['serialNumber']))
! {
$replace_cert = false;
}
}
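Review bot: the change to the comparison is the actual fix and is correct in direction: the `hash` element returned by `openssl_x509_parse()` is the subject-name hash, which is identical for every renewal of a certificate with the same subject, so the original check could never detect a renewed certificate. Two suggestions: a differing serial number alone already implies a different certificate, so the `hash` term is redundant once `serialNumber` is compared; and a byte-level comparison such as `openssl_x509_fingerprint($newcert) === openssl_x509_fingerprint(file_get_contents($certpath))` would be simpler and catches re-issuance even when a CA reuses a serial. Either way the condition should be documented with a one-line comment explaining why the subject hash is not sufficient.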
No, you can have the acme plugin reconfigure stunnel via the playback command before restarting the service.
Thanks for the work. Added to my pfsense and will see at the next refresh in a few days if it is working.
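The following is an added example, not code from the pfSense stunnel package or from any participant in this ticket. It shows in shell, using the openssl CLI, why the patch above has to compare the serial number and not just the subject hash: two constructed self-signed certificates with an identical subject (standing in for the installed stunnel PEM and the renewed ACME PEM) share the same subject hash but differ in serial number, so a hash-only check reports "unchanged" while the combined check reports "replace". The function names, the constructed subject `stunnel.example.invalid` and the serial numbers 1001/1002 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the pfSense stunnel package's own code): decide whether an
# installed stunnel PEM should be replaced by the renewed ACME PEM, comparing
# subject hash AND serial number the way the patched stunnel.inc does.
set -eu

# Subject-name hash: the value PHP's openssl_x509_parse() reports as 'hash'.
# It is derived from the subject DN only, so a renewed certificate for the
# same name has exactly the same value.
subject_hash() { openssl x509 -noout -hash -in "$1"; }

# Serial number: assigned per issuance by the CA, so it changes on renewal.
serial_number() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

# Patched check: returns 0 (true) when the new certificate must replace the
# installed one; only an identical hash AND serial keeps the installed file.
cert_changed() {
    old=$1; new=$2
    if [ "$(subject_hash "$old")" = "$(subject_hash "$new")" ] &&
       [ "$(serial_number "$old")" = "$(serial_number "$new")" ]; then
        return 1
    fi
    return 0
}

# Original (hash-only) check, kept for comparison: never sees a renewal.
cert_changed_hash_only() {
    [ "$(subject_hash "$1")" != "$(subject_hash "$2")" ]
}

# Constructed test data: two self-signed certificates with the same subject
# and different serial numbers, playing "installed" and "renewed".
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {
    # $1 = basename, $2 = serial number (assumed values, not real ACME output)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=stunnel.example.invalid" -set_serial "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert installed 1001
make_cert renewed  1002

INSTALLED="$WORK/installed.pem"
RENEWED="$WORK/renewed.pem"

echo "subject hash installed: $(subject_hash "$INSTALLED")"
echo "subject hash renewed:   $(subject_hash "$RENEWED")"
echo "serial installed:       $(serial_number "$INSTALLED")"
echo "serial renewed:         $(serial_number "$RENEWED")"
if cert_changed_hash_only "$INSTALLED" "$RENEWED"; then
    echo "hash-only check: replace"
else
    echo "hash-only check: keep (misses the renewal)"
fi
if cert_changed "$INSTALLED" "$RENEWED"; then
    echo "hash+serial check: replace"
else
    echo "hash+serial check: keep"
fi
```

Run it on any host with the openssl CLI; on a pfSense box the same two openssl calls can be pointed at /usr/local/etc/stunnel/<name>.pem and the matching file under /conf/acme to see whether the installed copy is stale before triggering the playback script.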
Tested, had to add 2 lines to /usr/local/etc/stunnel at the beginning so now it looks like:
#!/usr/local/bin/php -f
<?php
// Stray context-diff marker removed and statement terminated so the file parses
echo 'Updating stunnel configuration . . .';
require_once("stunnel.inc");
stunnel_save();
and configure acme to execute the script as shell script.
Without this I always received an error message: [25-Sep-2023 03:16:12 US/Eastern] PHP Parse error: syntax error, unexpected token "/", expecting end of file in /usr/local/pkg/acme/acme_command.sh(61) : eval()'d code on line 1