Univention Bugzilla – Bug 46052
univention-management-console-web-server fails during setup after update to 4.3
Last modified: 2018-03-14 14:38:13 CET
http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/ADConnectorMultiEnv/Version=w2k16-german/ws/test/autotest-234-adsync-w2k16-german.log/*view*/

4.3 AD Connector and Member Mode tests
We found that the certificate creation in system-setup failed:

[master234] 2018-01-15T20:16:40.434399 Running hooks in /etc/ca-certificates/update.d...
[master234] 2018-01-15T20:16:40.445909 done.
[master234] Getting request Private Key
[master234] Generating certificate request
[master234] Using configuration from /etc/univention/ssl/openssl.cnf
[master234] Can't open /etc/univention/ssl/ucsCA/index.txt.attr for reading, No such file or directory
[master234] 139768205571328:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/univention/ssl/ucsCA/index.txt.attr','r')
[master234] 139768205571328:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:

Thus, no valid certificates are created, the error is not caught, and the resulting apache2 config is invalid.
the problem is

certificate="$(mktemp)"
key="$(mktemp)"
ca="$(mktemp)"
cp "/etc/univention/ssl/$(ucr get hostname).$(ucr get domainname)/cert.pem" "$certificate"
cp "/etc/univention/ssl/$(ucr get hostname).$(ucr get domainname)/private.key" "$key"
cp "/etc/univention/ssl/ucsCA/CAcert.pem" "$ca"
ucr set \
	apache2/ssl/certificate="$certificate" \
	apache2/ssl/key="$key" \
	apache2/ssl/ca="$ca"

apache no longer accepts cert files under /tmp and refuses to start

Jan 16 07:16:06 unassigned-hostname systemd[1]: Starting The Apache HTTP Server...
Jan 16 07:16:06 unassigned-hostname apachectl[25249]: AH00526: Syntax error on line 24 of /etc/apache2/sites-enabled/default-ssl.conf:
Jan 16 07:16:06 unassigned-hostname apachectl[25249]: SSLCACertificateFile: file '/tmp/tmp.4NrtFzN8xh' does not exist or is empty
Jan 16 07:16:06 unassigned-hostname apachectl[25249]: Action 'start' failed.

so from this point on, apache is not running during the setup until the cert files are replaced again.
/var/cache/univention-system-setup/tmp.J2juflxDz6 works, so we have to modify /usr/lib/univention-system-setup/scripts/setup-join.sh
fixed in

Successful build
Package: univention-system-setup
Version: 11.0.2-4A~4.3.0.201801161342
Branch: ucs_4.3-0
(In reply to Felix Botner from comment #2)
> the problem is
>
> certificate="$(mktemp)"
> key="$(mktemp)"
> ca="$(mktemp)"
> cp "/etc/univention/ssl/$(ucr get hostname).$(ucr get domainname)/cert.pem" "$certificate"
> cp "/etc/univention/ssl/$(ucr get hostname).$(ucr get domainname)/private.key" "$key"
> cp "/etc/univention/ssl/ucsCA/CAcert.pem" "$ca"
> ucr set \
> 	apache2/ssl/certificate="$certificate" \
> 	apache2/ssl/key="$key" \
> 	apache2/ssl/ca="$ca"
>
>
> apache no longer accepts cert files under /tmp and refuses to start

The real cause is this:

# systemctl cat apache2.service
# /lib/systemd/system/apache2.service
...
>[Service]
>PrivateTmp=true

# man 5 systemd.exec
>PrivateTmp=
>  Takes a boolean argument. If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace.

This is also responsible for Bug #46004
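Added example, not part of the original thread and not Univention's setup-join.sh: a POSIX shell sketch of the fix discussed above, which stages certificate files outside /tmp and /var/tmp so that a service running with PrivateTmp=true can read them, and rejects a missing or empty source so a failed certificate creation is caught. The function names are hypothetical; the commented usage lines reuse the paths and UCR keys quoted in this bug.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from setup-join.sh.

# True if the path is /tmp, /var/tmp or below: a PrivateTmp=true unit mounts
# its own empty copies there, so files created by other processes are invisible.
in_private_tmp() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the given systemd unit runs with PrivateTmp enabled.
unit_has_private_tmp() {
    [ "$(systemctl show -p PrivateTmp "$1" 2>/dev/null)" = "PrivateTmp=yes" ]
}

# stage_file SRC BASEDIR
# Copy SRC into a fresh mktemp file below BASEDIR and print the new path.
# Fails if BASEDIR is hidden by PrivateTmp or if SRC is missing or empty
# (the uncaught certificate failure described in the first comment).
stage_file() {
    sf_base=$(cd "$2" 2>/dev/null && pwd -P) || {
        echo "stage_file: cannot enter $2" >&2; return 1; }
    if in_private_tmp "$2" || in_private_tmp "$sf_base"; then
        echo "stage_file: $2 is not visible to PrivateTmp=true services" >&2
        return 1
    fi
    if [ ! -s "$1" ]; then
        echo "stage_file: $1 is missing or empty" >&2
        return 1
    fi
    sf_dst=$(mktemp "$sf_base/tmp.XXXXXXXXXX") || return 1   # created 0600
    if ! cp "$1" "$sf_dst"; then
        rm -f "$sf_dst"
        return 1
    fi
    printf '%s\n' "$sf_dst"
}

# Usage with the paths from this bug (commented out: needs root on a UCS host):
# base=/var/cache/univention-system-setup
# ca=$(stage_file /etc/univention/ssl/ucsCA/CAcert.pem "$base") || exit 1
# ucr set apache2/ssl/ca="$ca"
```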
OK: use mktemp with /var/cache/univention-system-setup as basedir

Reopen: no changelog entry
done
Great, thanks. I renamed apache to apache2

Verified
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".