Feature #8641
open
Need way to disable HSTS and/or replace webConfigurator certificate from CLI
0%
Description
On a 2.4.2-RELEASE firewall, which still sets the HSTS headers, I had a wildcard certificate installed, and it just expired. I forgot this firewall had that wildcard certificate installed or it would have been replaced long before expiry.
Now I'm stuck in a situation where I can't disable HSTS, and I can't replace the certificate because I can't log in because I haven't replaced the certificate because I can't log in... ad infinitum.
Catch-22.
My workaround was to use the PHP shell to set 'disablehsts' to true, i.e. $config['system']['webgui']['disablehsts']=true;write_config();exit; and then restart webconfigurator from the console menu.
I don't think it's reasonable to expect the average admin to be able to figure that out - I only managed because I knew from dev work years ago what the "php shell" even is!
In theory, documenting this in a KB article or somewhere on the wiki - er, whatever's replacing the wiki, I mean - might be adequate, but given the likelihood of this being a problem while trying to regain internet access, I think it makes more sense as another menu item on the (yes, already crowded) console menu. Time for a submenu, maybe, for less-used / advanced functions?
Updated by 
Updated by