Univention Bugzilla – Bug 40229
SAML certificate renewal
Last modified: 2019-01-03 07:23:30 CET
If a new (root CA) certificate is generated via the UMC module, manual steps are required to make SAML work again:
* some join scripts need to be re-executed.

We should outsource the needed commands into some scripts so that it's not required to force-reexecute the join scripts but just simply call the scripts.

As this is currently nowhere documented, customers will probably run into problems when their certificates are getting renewed. We should prevent this and try to automatically do the required steps (e.g. in the SSL system-setup script?).
As can be seen in http://forum.univention.de/viewtopic.php?t=4649, running the join script is not enough, as the join script only generates the certificate if it's missing from the file system. In the case of re-generating it, the file is present and won't be created by the join script.
(In reply to Florian Best from comment #0)
> If a new (root CA) certificate is generated via the UMC module manual steps
> are required to make SAML working again:
> * some joinscripts need to be reexecuted.
>
> We should outsource the needed commands into some scripts so that it's not
> required to force-reexecute the joinscripts but just simply call the scripts.
>
> As this is currently nowhere documented customers will probably run into
> problems when their certificates are getting renewed. We should prevent this
> and try to automatically do the required steps (e.g. in the SSL system-setup
> script?).

IMHO, this should be done automatically via /usr/lib/univention-system-setup/scripts/40_ssl/10ssl.
(In reply to Alexander Kläser from comment #2)
> IMHO,this should be done automatically via
> /usr/lib/univention-system-setup/scripts/40_ssl/10ssl.

It cannot be done there. It needs to be done on each host. As the hosts have the old certificates, we also cannot connect to them.
(In reply to Florian Best from comment #3)
> It cannot be done there. It needs to be done on each host. As the hosts have
> the old certificates we also cannot connect to them.

Could it be done then in a separate setup script?
(In reply to Alexander Kläser from comment #4)
> Could it be done then in a separate setup script?

It still needs to be done on every host and not only on the DC master.
We need to add the execution of the following scripts for every system where UMC is installed:

    /usr/lib/univention-uninstall/09univention-management-console-web-server.uinst
    /usr/lib/univention-install/92univention-management-console-web-server.inst

These scripts exist since Bug #40738 (not released yet).
With the following commands I could successfully log in on a DC Master via SAML after regenerating the root CA certificate:

    eval "$(ucr shell)"
    rm -rf "${saml_idp_certificate_certificate}" "${saml_idp_certificate_privatekey}" /etc/univention/ssl/ucs-sso*
    ucr unset saml/idp/certificate/privatekey saml/idp/certificate/certificate
    univention-run-join-scripts --force --run-scripts 91univention-saml.inst
    invoke-rc.d apache2 restart
    /usr/sbin/univention-directory-listener-ctrl resync univention-saml-simplesamlphp-configuration
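The comment above lists the steps as one-off shell commands; the bug report itself asks for them to be put into a script. The following is an added example of such a wrapper and is not Univention's own tooling. It takes the commands exactly as quoted in the comment and adds what an operator would want before deleting key material: a prerequisite check that refuses to start if any tool is missing, an `openssl verify` check so the script is a no-op when the IdP certificate already chains to the current root CA, and a `DRY_RUN=1` mode that prints the commands instead of executing them. The CA certificate path passed as the first argument is a placeholder to be replaced with the path on your installation; the per-host `.uinst`/`.inst` scripts from the earlier comment are not included because the page does not show how they are invoked.

```shell
#!/bin/sh
# Added example, not Univention's own tooling: the manual SAML IdP renewal
# steps from the bug comment, wrapped with a prerequisite check, a
# "does the IdP certificate still chain to the current CA" test and a
# dry-run mode. Assumed: the UCR variable names and commands as quoted in
# the comment; the CA path given as $1 is a placeholder for your system.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 when every tool the procedure needs is on this host, 1 otherwise,
# so the script stops before it removes any key material.
check_prereqs() {
    missing=0
    for tool in ucr univention-run-join-scripts invoke-rc.d \
                /usr/sbin/univention-directory-listener-ctrl openssl; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'missing: %s\n' "$tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 when certificate $1 verifies against CA file $2, non-zero when it
# does not (the situation after the root CA has been regenerated).
idp_cert_matches_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Renew the SAML IdP certificate against the CA file given as $1.
# Returns 0 on success or when nothing needed doing, 1 when a prerequisite
# is missing.
renew_saml_idp_cert() {
    ca_cert="${1:-/PLACEHOLDER/path/to/current/CAcert.pem}"   # placeholder
    check_prereqs || return 1

    # Load the UCR variables (saml_idp_certificate_certificate and
    # saml_idp_certificate_privatekey) into the shell, as the comment does.
    eval "$(ucr shell)"

    if idp_cert_matches_ca "$saml_idp_certificate_certificate" "$ca_cert"; then
        echo "IdP certificate already chains to $ca_cert; nothing to do"
        return 0
    fi

    # Remove the certificate and key issued by the old CA, drop the UCR
    # variables pointing at them, then let the join script recreate them.
    run rm -rf "$saml_idp_certificate_certificate" \
               "$saml_idp_certificate_privatekey" /etc/univention/ssl/ucs-sso*
    run ucr unset saml/idp/certificate/privatekey saml/idp/certificate/certificate
    run univention-run-join-scripts --force --run-scripts 91univention-saml.inst
    run invoke-rc.d apache2 restart
    run /usr/sbin/univention-directory-listener-ctrl resync \
        univention-saml-simplesamlphp-configuration
}
```

Usage on a host: `DRY_RUN=1 sh renew-saml-idp.sh /path/to/CAcert.pem` first to review what would be removed and re-run, then without `DRY_RUN`. As the thread points out, this has to run on every host where UMC is installed, not only on the DC master.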
The required steps to renew the SAML settings should be documented, see http://sdb.univention.de/1183
Referred to in Univention Help: https://help.univention.com/t/wrong-ca-certificate-with-new-install/7018
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.