#1 2014-04-13 21:19:27

darkfoon
Member
Registered: 2007-08-29
Posts: 42

Generating a new SSL cert for Murmurd in light of Heartbleed

Hello all,

I'm sure there are some server operators out there who want to renew their keys and certificates generated and used by OpenSSL in light of the Heartbleed exploit.
Since I just figured out how to force murmur to regenerate a new key and certificate, I thought I'd share with you in case you also want to.

(1) Shut down your running murmurd instance
(# systemctl stop murmur)

(2) Find the config database and make a backup.
(# cp -a /var/lib/murmur/murmur.sqlite /var/lib/murmur/murmur.sqlite.bak)

(3) Open the database to edit
(# sudo sqlite3 /var/lib/murmur/murmur.sqlite)

(4) Time for some SQL!
First, let's view all existing certificates and keys.
(sqlite> select * from config;)

The output is something like this:

1|certificate|-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----

1|key|-----BEGIN RSA PRIVATE KEY-----
<REDACTED>
-----END RSA PRIVATE KEY-----

You'll see a bunch of BASE64 encoding between the BEGIN and END statements.
I only have one server defined, hence the 1 in both database rows, which refers to the server_id. If you have more than one server instance, then I presume you'll have more rows, and they'll have different server_ids.


(5) Now, it's time to delete the key and certificate, which forces murmur to regenerate them on its next startup. If you want to generate a custom certificate and key, there's an adequate how-to here https://wiki.archlinux.org/index.php/Mu … ertificate
If you have multiple servers defined, you'll want to be careful here: if you don't want to regenerate the SSL certificate and keys for all server instances, make sure to only delete the specific server_ids you want to update.

(sqlite> delete from config where server_id=1;)

Update the server_id=1 to be whatever server_id you want to change. I only have one server, so I just deleted that.

(6) Quit out of the sqlite3 program
(sqlite> .quit)

(7) Restart your murmur server
(# systemctl start murmur)

If you do a
# systemctl status murmur
you'll see in the logs that it regenerates the SSL certificate on startup.

I hope this was helpful.
And, if this is the wrong forum for this, please let me know and I can remove it. Or if you're a kindly mod, perhaps you could move it for me? :)

Offline
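
Added example, not part of the original post: a Python version of steps (2) to (6) that backs up the database and deletes only the certificate and key rows for one server_id, which is narrower than the post's DELETE (that statement removes every config row for the server_id). It assumes the config table's columns are named server_id, key and value, matching the three-field rows shown above; the function names are hypothetical.

```python
import os
import shutil
import sqlite3

# Assumption: the config table has columns (server_id, key, value), which
# matches the three-field rows shown in the post ("1|certificate|...").
TLS_KEYS = ("certificate", "key")


def drop_tls_material(db_path, server_id):
    """Back up the database, then delete only the certificate and key rows
    for one server_id. Returns (backup_path, rows_deleted)."""
    backup_path = db_path + ".bak"
    shutil.copy2(db_path, backup_path)
    # The backup still holds the old private key, so keep it owner-only.
    os.chmod(backup_path, 0o600)

    conn = sqlite3.connect(db_path)
    try:
        with conn:  # commits on success, rolls back on error
            cur = conn.execute(
                'DELETE FROM config WHERE server_id = ? AND "key" IN (?, ?)',
                (server_id, *TLS_KEYS),
            )
            deleted = cur.rowcount
    finally:
        conn.close()
    return backup_path, deleted


def remaining_keys(db_path, server_id):
    """Return the sorted config keys still stored for server_id."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            'SELECT "key" FROM config WHERE server_id = ? ORDER BY "key"',
            (server_id,),
        ).fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # Run as root with murmur stopped, as in steps (1) and (7) of the post.
    path = "/var/lib/murmur/murmur.sqlite"
    backup, n = drop_tls_material(path, 1)
    print(f"backup: {backup}, rows deleted: {n}, left: {remaining_keys(path, 1)}")
```

Once the regenerated certificate is confirmed working, the .bak file can be deleted, since it is the only remaining copy of the old private key.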

#2 2014-04-13 21:30:37

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Generating a new SSL cert for Murmurd in light of Heartbleed

This should be in the Wiki so it can be easily found and used.


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline
