Univention Bugzilla – Bug 42303
UVMMd fails to connect to LDAP: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired
Last modified: 2022-06-30 14:32:26 CEST
The long-running UVMMd fails to connect to LDAP, but running
"python -c 'import univention.admin.uldap;univention.admin.uldap.getMachineConnection(ldap_master=False)'"
on the other hand works. The certificates are okay, not expired and not recently updated.

Also works:
ldapsearch -LLLx -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -ZZ -H "ldap://$(ucr get ldap/master):$(ucr get ldap/master/port)" -b "$(ucr get ldap/hostdn)"

Restarting UVMMd solved the problem for now.

2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}

2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}

2016-09-07 12:24:19,875 - uvmmd.node - ERROR - ('qemu://madde.pingst.univention.de/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 578, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 597, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 751, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 233, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.6/univention/uvmm/node.py", line 345, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.6/univention/uvmm/uvmm_ldap.py", line 164, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
    res = SimpleLDAPObject.start_tls_s(self)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate has expired)', 'desc': 'Connect error'}

This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.