summaryrefslogtreecommitdiff
path: root/src/conf_mode/service_https.py
AgeCommit message (Collapse)Author
2026-06-27https: T9022: serve the full CA certificate chainLee Clements
When a certificate is assigned to the HTTPS service, nginx was only sent the leaf certificate. An intermediate CA was included only when an operator manually configured "ca-certificate", and even then just that single CA - the rest of the issuer chain was never followed. As a result, clients that do not already trust the issuing intermediate CA (for example Let's Encrypt's newer E- and R-series intermediates) could not build a path to a trusted root and rejected the connection. Build the complete chain from the CA certificates present in the PKI using find_chain(), the same helper already used by HAProxy, OpenConnect, stunnel and the other PKI consumers. The intermediate chain is now discovered automatically, so configuring "ca-certificate" is no longer required; it remains accepted for backwards compatibility.
2026-05-27T8454: fix VRF-bind port availability check in service_httpsLee Clements
When service https is configured with a listen-address on a VRF interface, adding or changing the vrf option causes the commit to fail with "TCP port 443 is used by another service!" even though no conflict exists. Root cause: check_port_availability() performs a socket.bind() in the default network namespace. When the listen-address belongs to a VRF interface the address is unreachable from the default namespace, so the bind fails with OSError which is misinterpreted as "port in use". The secondary check via is_listen_port_bind_service() also fails because psutil cannot see sockets bound inside a VRF. Fix: add an optional vrf parameter to check_port_availability(). When set, the test socket is bound to the VRF master device via SO_BINDTODEVICE before the bind() call, so that the address is resolved in the correct L3 domain. This is done in-process (no subprocess) and works for both IPv4 and IPv6. service_https verify() now passes the configured VRF (if any) to check_port_availability(). Non-VRF configurations are unaffected. Add smoke test for HTTPS with listen-address inside a VRF. Co-authored-by: Christian Breunig <christian@breunig.cc>
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2025-06-28T7591: remove copyright years from source filesChristian Breunig
The legal team says years are not necessary so we can go ahead with it, since it will simplify backporting. Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \ 's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g' In addition we will error-out during "make" if someone re-adds a legacy copyright notice
2025-04-29https: T7393: set listen-address bind fails silently without restartJohn Estabrook
The apply stage calls systemctl reload-or-restart on the https server, however, some settings require a restart or will silently fail, since nginx drops privileges after start up. Add flag when restart may be needed and check in apply stage.
2024-04-02configverify: T6198: add common helper for PKI certificate validationChristian Breunig
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
2024-01-09https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2023-12-31T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in