Univention Bugzilla – Bug 46195
Include UCS Docker based Apps in "Renewing the SSL certificates"
Last modified: 2020-07-02 17:19:53 CEST
Most of our Docker Apps like Horde, Etherpad, Dudle etc. are based on UCS and are joined as UCS Memberserver to the domain. As a Memberserver, they do have a host certificate and their listener checks the UCS CA certificate for its validity. If one of those expires, the services that depend on encrypted traffic (LDAP-authentication, Listener/Notifier-Replication ...) stop working.

The article "Renewing the SSL certificates" does not provide a way to copy a renewed certificate into the docker container. There are two steps required:

1. Copy the certificate files (host certificate, private key of the host certificate and the UCS Root CA certificate) from the UCS Master to the UCS server that runs the Docker App
2. Copy the certificate files into the Docker container

Something like this should work for UCS 4.2 / docker 1.12+:

> docker cp /etc/univention/ssl/horde-12345678.example.org/cert.pem $container_name:/etc/univention/ssl/horde-12345678.example.org/cert.pem

This won't work for UCS 4.1 / docker 1.6, because "docker cp" in this version can only copy from inside the container onto the host, not the other way round. In this case, something like this might work:

> cp -r /etc/univention/ssl/ucsCA /var/lib/docker/overlay/$CONTAINER_ID/merged/etc/univention/ssl/
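A pre-copy check for the two steps described in the report, as an added example that is not part of the original report or of any Univention tooling: it confirms on the Docker host that the renewed host certificate is unexpired, chains to the root CA and matches its private key before anything is copied into the container. The function names are hypothetical, the file paths are passed in as arguments, and the `openssl` and `docker` command-line tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the bug report); function names are hypothetical.

# check_cert_bundle CERT KEY CA
# Returns 0 if the bundle is consistent, 1 if a certificate is expired,
# 2 if CERT does not chain to CA, 3 if KEY does not belong to CERT.
check_cert_bundle() {
    cert=$1; key=$2; ca=$3

    # Copying an already expired file would not restore the services.
    for f in "$cert" "$ca"; do
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || {
            echo "FAIL: $f is expired or unreadable" >&2; return 1; }
    done

    # The renewed host certificate must validate against the root CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 2; }

    # The private key must match the public key in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 3
    fi
    return 0
}

# push_cert_bundle CONTAINER CERT KEY CA
# Validates on the Docker host first, then copies each file to the same
# path inside the container (needs a docker version whose "docker cp"
# can copy from host to container, as noted in the report).
push_cert_bundle() {
    container=$1; shift
    check_cert_bundle "$1" "$2" "$3" || return $?
    for f in "$1" "$2" "$3"; do
        docker cp "$f" "$container:$f" || return 4
    done
}
```

Since the private key is one of the copied files, compare its owner and mode inside the container with the original after the copy.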
Changes and improvements for SDB entries aren't tracked in Bugzilla anymore, so I close these entries. Please comment on help.univention.com or get in touch with the Univention Support team in case you have any suggestions for the SDB.