Age | Commit message (Collapse) | Author |
|
openconnect: T6500: add support for multiple ca-certificates (backport #3682)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
* install_certificate() code path handles private_key=None &
key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
where having a null private key is possible
* Self-signing and CA creation always generate a private key
* Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
private key
(cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
|
|
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required (backport #3646)
|
|
macsec: T5447: fix error message syntax - there is no tx and rx key, only key (backport #3685)
|
|
deleted
* Added flag to vyos.config_mgmt.unsaved_commits() that will tolerate missing config.boot for specific circumstances
* Shutdown/reboot uses this flag; config will regenerate from defaults after a reboot
(cherry picked from commit 8281383a09f12da20a1c9b4864b38ac3f541b48f)
|
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
required
If the requested certificate to generate an Apple IOS profile was based on an
ACME certificate, we also need to mangle in the ACME certs content to retrieve
the certificates issuer name.
(cherry picked from commit 1bc67d498c4d71da78aa46d1d2f9fe9752f59860)
|
|
* container: T6219: Add support for container sysctl / kernel parameters
(cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd)
* T6219: align with system sysctl and limit parameters to supported
(cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b)
---------
Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk>
Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
(cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
|
|
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
|
|
(cherry picked from commit 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687)
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
(cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
(cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
|
|
reverse-proxy: T6454: Set default value of http for haproxy mode (backport #3598)
|
|
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
|
|
|
|
(cherry picked from commit 5490c76f9b9f53751fc527f455090f0a3820e8fe)
|
|
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448)
Co-authored-by: Alex W <embezzle.dev@proton.me>
|
|
style fixes
(cherry picked from commit f2d0701f50061374b5a4f55d33201629b3293248)
|
|
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
(cherry picked from commit 19d8415512dcf87dc3a87feabf128652ffc74594)
|
|
This was a leftover from the early days.
(cherry picked from commit d5271e084cca8af54f425816916a821b0eab1a5a)
|
|
(cherry picked from commit dd2516904527c74e01e0ced5166afe72a479ee00)
|
|
(cherry picked from commit fb6602f431f5595b97ea3726467ec782fa50ceb8)
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
(cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)
|
|
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
|
|
(cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)
|
|
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the XLI to define the CA certificate used
for the frontend service.
(cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
(cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)
|
|
list of ports/ranges exists
Before: Issuing the op mode command "show nat source rules" will throw an
exception if the user has configured NAT rules using a list of ports as a
comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was
no handling for the "!" rule and so '!53' would display as '53'.
With this PR: Introduced iteration to capture all configured ports and append
to the appropriate string for display to the user as well as handling of '!' if
present in user's configuration.
(cherry picked from commit b7595ee9d328778105c70e3d4399ac45f555b304)
|
|
(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
|
|
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
|
|
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
|
|
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
|
|
(cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)
|
|
This fixes (for and ACME generated certificate)
vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
show_certificate_fingerprint(args.certificate, args.fingerprint)
File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
print(get_certificate_fingerprint(cert, hash))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
fp = cert.fingerprint(hash_algorithm)
^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'
After the fix:
vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
(cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)
|
|
address
ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;"
where the IPv6 prefix/range must be :: terminaated with a delegated prefix
length at the end.
This commit changes the validator that the IPv6 address defined on the CLI must
always end with ::. In addition a verify() step is added to check that the
stop address is greater than start address.
|
|
This reverts the prefix start/stop address must be inside network part from
commit 4cde0b8ce778d269d3fe1d4f33ba5b2caf424181.
|
|
$ touch /tmp/vyos.smoketest.debug
will enable dynamic debugging of the smoketests - showing the appropriate CLI
commands on stdout
(cherry picked from commit 0cb4294fdfe5ae0e0e8fd06436f38b67f16413a2)
|
|
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
(cherry picked from commit 7fe568ca1672f1dfbd2b56ee3ef7a6ab48b03070)
|
|
(cherry picked from commit 59781ff365a5e1b15ef6c4c2481f3d3815548b9d)
|
|
(cherry picked from commit 645c43ba60d29ca676a4323ccc5ca16c6bd8127a)
|
|
(cherry picked from commit 3870247517741ce23e2fcee8aaa1d194f0ad621b)
|
|
(cherry picked from commit 03eae30b27433055ddc10f09fc134b83e9bd6cec)
|
|
ConfigError messages
|
|
op mode: T6348: SNAT op-mode fails with flowtable offload entries (backport #3471)
|
|
(cherry picked from commit 1cba74f91a67348bc8e8ad3e2ef4325dc9f9d6e0)
|