Bug 42303 - UVMMd fails to connect to LDAP: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2016-09-07 12:32 CEST by Philipp Hahn
Modified: 2022-06-30 14:32 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Description Philipp Hahn univentionstaff 2016-09-07 12:32:23 CEST
The long-running UVMMd fails to connect to LDAP, but running "python -c 'import univention.admin.uldap;univention.admin.uldap.getMachineConnection(ldap_master=False)'" on the other hand works.
The certificates are okay, not expired and not recently updated.
Also works: ldapsearch -LLLx -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -ZZ -H "ldap://$(ucr get ldap/master):$(ucr get ldap/master/port)" -b "$(ucr get ldap/hostdn)"

Restarting UVMMd solved the problem for now.

2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}
2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}
2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}
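
A triage helper for log entries of the kind quoted above, as an added example that is not part of the original report or of UCS: it splits the OpenSSL error string carried in python-ldap's CONNECT_ERROR into its fields and collapses entries repeated with the same timestamp. The names `parse_tls_failures` and `summarize` and the shortened sample log are constructed for illustration.

```python
import ast
import re
from collections import Counter

# Constructed sample: one entry shortened from the log format in the report,
# repeated three times because the report shows the same entry three times.
ENTRY = (
    "2016-09-07 12:24:19,875 - uvmmd.node - ERROR - "
    "('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck\n"
    "Traceback (most recent call last):\n"
    '  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call\n'
    "    result = func(*args,**kwargs)\n"
    "CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
    "certificate verify failed (certificate has expired)', 'desc': 'Connect error'}\n"
)
SAMPLE_LOG = ENTRY * 3

HEADER = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) - (?P<logger>\S+)"
                    r" - ERROR - \('(?P<uri>[^']+)',\)")
LDAP_ERR = re.compile(r"^(?P<exc>[A-Z_]+): (?P<body>\{.*\})\s*$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>[ (<verify detail>)]
OPENSSL = re.compile(r"^error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
                     r"(?P<reason>[^(]+?)(?: \((?P<detail>[^)]*)\))?$")

def parse_tls_failures(text):
    """Return one dict per logged LDAP exception whose 'info' is an OpenSSL error."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()          # start of a new log entry
            continue
        m = LDAP_ERR.match(line)
        if not (m and current):
            continue
        try:
            info = ast.literal_eval(m.group("body")).get("info", "")
        except (ValueError, SyntaxError, AttributeError):
            info = ""                        # not a dict literal: skip this entry
        o = OPENSSL.match(info)
        if o:
            events.append(dict(current, exc=m.group("exc"), **o.groupdict()))
        current = None
    return events

def summarize(events):
    """Count distinct failures per (node URI, verify detail), ignoring exact repeats."""
    unique = {(e["ts"], e["uri"], e["code"], e["detail"]) for e in events}
    return Counter((uri, detail) for _, uri, _, detail in unique)
```

Run over a daemon log, a count that keeps growing for "certificate has expired" while a freshly started process connects cleanly matches the symptom described in this report.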
Comment 1 Ingo Steuwer univentionstaff 2020-07-03 20:55:09 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.