Skip to content

Auto-regenerate expired self-signed certificates#1590

Open
lzwind wants to merge 1 commit into
OpenPrinting:masterfrom
lzwind:fix/auto-renew-expired-self-signed-cert
Open

Auto-regenerate expired self-signed certificates#1590
lzwind wants to merge 1 commit into
OpenPrinting:masterfrom
lzwind:fix/auto-renew-expired-self-signed-cert

Conversation

@lzwind

@lzwind lzwind commented Jun 2, 2026

Copy link
Copy Markdown

Summary

  • _httpTLSStart checked whether certificate files exist on disk via access() but never verified whether they have expired. When an auto-generated self-signed certificate expired, CUPS continued using it instead of creating a new one, breaking HTTPS access.
  • Added a cupsGetCredentialsExpiration() check so that expired certificates are treated as missing, triggering the existing auto-create code path.
  • Applied to both tls-openssl.c and tls-gnutls.c backends.

Fixes: #1519

Test plan

  • Create a self-signed cert, manually set its expiration to the past, and verify CUPS regenerates it on next startup
  • Verify that valid (non-expired) certificates are still used normally
  • Test with both OpenSSL and GnuTLS backends

_httpTLSStart checked whether certificate files exist on disk via
access() but never verified whether they have expired. When an
auto-generated self-signed certificate expired, CUPS continued using
it instead of creating a new one.

Add a cupsGetCredentialsExpiration() check so that expired certs are
treated as missing, triggering the existing auto-create code path.

Fixes: OpenPrinting#1519
@abubakarsabir924-cell

Copy link
Copy Markdown
Contributor

Hi @lzwind,
Just checking in — are you still working on this PR? I noticed it's been open for about a month without updates.
If you're busy or have moved on, I'd be happy to help finish it up (completing the test plan, or refining the approach if needed). Let me know either way — happy to collaborate or step back, whatever works.
Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auto-generated self-signed certificate does not regenerate after expiration

2 participants