Feature #8641

open

Need way to disable HSTS and/or replace webConfigurator certificate from CLI

Added by Adam Thompson over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 07/12/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

On a 2.4.2-RELEASE firewall, which still sets the HSTS headers, I had a wildcard certificate installed, and it just expired. I forgot this firewall had that wildcard certificate installed or it would have been replaced long before expiry.
Now I'm stuck in a situation where I can't disable HSTS, and I can't replace the certificate because I can't log in because I haven't replaced the certificate because I can't log in... ad infinitum.
Catch-22.

My workaround was to use the PHP shell to set 'disablehsts' to true, i.e. $config['system']['webgui']['disablehsts']=true;write_config();exit; and then restart webconfigurator from the console menu.
I don't think it's reasonable to expect the average admin to be able to figure that out - I only managed because I knew from dev work years ago what the "php shell" even is!

In theory, documenting this in a KB article or somewhere on the wiki - er, whatever's replacing the wiki, I mean - might be adequate, but given the likelihood of this being a problem while trying to regain internet access, I think it makes more sense as another menu item on the (yes, already crowded) console menu. Time for a submenu, maybe, for less-used / advanced functions?
