Bug 46360 - certificate verification blocks exam-cleanup-script
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Exam mode
UCS@school 4.2
Other Linux
: P5 normal
: UCS@school 4.2 v8
Assigned To: Daniel Tröder
Jürn Brodersen
Reported: 2018-02-21 10:29 CET by Christina Scheinig
Modified: 2018-04-06 22:09 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018021621000715
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2018-02-21 10:29:38 CET
A customer reported that since July '17 only the following error message is logged in "/var/log/univention/ucs-school-exam-cleanup.log":

04.02.18 23:30:05.406  MAIN        ( ERROR   ) : Could not connect to UMC on dc417: ('Could not send request.', CertificateError("hostname 'dc417' doesn't match u'dc417.school.example.de'",))

The cleanup script is executed via cron on the master and every school slave. The error occurs on each server. In line 80 of /usr/share/ucs-school-exam/exam-and-room-cleanup ("client = Client(self.hostname)") only the hostname is used for the connection to the UMC, which causes the problem, because the SSL certificate is issued to the FQDN.

This seems to be a regression.
Comment 1 Daniel Tröder univentionstaff 2018-02-21 11:18:07 CET
Raising this bug's priority, as this effectively disables the cleanup script.
The cleanup script can be essential for daily work, as left-overs from prior exams can completely block work in computer rooms.

@Jürn: please prioritize this bug's QA over any other school related bug, as it's now in the school-priority-list.
Comment 2 Daniel Tröder univentionstaff 2018-02-21 12:24:20 CET
The usage of just the hostname has worked since the beginning of the script in Oct'2016 (see Bug #40213). It is more likely that the customer has changed its DNS settings. Probably /etc/resolv.conf is missing the "search school.example.de" line.
Anyway - using the FQDN is correct, and thus this has been fixed here.

BTW: there is more code that uses only the hostname to connect to the local UMC server.

[4.2 5cfcdd7f] Bug #46360: use FQDN to connect to UMC server
[4.2 e3143968] Bug #46360: handle non-existing directories
[4.2 87462d20] Bug #46360: changelog

[4.3 04e9aada] Bug #46360: use FQDN to connect to UMC server
[4.3 51c3a414] Bug #46360: handle non-existing directories
[4.3 8de1ba54] Bug #46360: changelog

ucs-school-umc-exam (7.0.4-18)
ucs-school-umc-exam (8.0.1-2)
Comment 3 Daniel Tröder univentionstaff 2018-02-21 12:27:01 CET
[4.2 39e5aa28] Bug #46360: advisory
Comment 4 Jürn Brodersen univentionstaff 2018-02-21 14:55:26 CET
What I tested:
"/usr/share/ucs-school-exam/exam-and-room-cleanup" on master and slave -> Everything is cleaned up -> OK

Removed DIR_ROOMS folder -> Everything is cleaned up -> OK
Removed DIR_EXAMS folder -> Everything is cleaned up -> OK

Changed advisory to make it more clear that the FQDN is also used for the connection and not just the certificate verification. (13fd8084)

This error happened in all domains that are not using the self-signed certificates that have the hostname in the "Subject Alternative Name" field.

->Verified
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-02-22 10:58:08 CET
(In reply to Daniel Tröder from comment #2)
> The usage of just the hostname has worked since the beginning of the script
> in Oct'2016 (see Bug #40213). It is more likely that the customer has
> changed its DNS settings. Probably /etc/resolv.conf is missing the "search
> school.example.de" line.
> Anyway - using the FQDN is correct, and thus this has been fixed here.

This change of behaviour has been introduced with UCS 4.2-0 AFAIR (dunno if this change was part of univention-python or python itself; but the hostname used for the connection has to match the SSL certificate, otherwise the connection is refused).
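
Added example (not part of the bug report and not UCS@school code): the name mismatch from the description and comments 4 and 5, replayed offline against constructed certificate dictionaries in the form returned by Python's ssl.SSLSocket.getpeercert(). The helper names and the three sample certificates are assumptions, and the matcher is a simplified RFC 6125 style check, not the one Python's ssl module runs.

```python
# Constructed sample certificates in ssl.SSLSocket.getpeercert() dict form.
FQDN_ONLY = {  # issued to the FQDN only, as in the reported log line
    "subject": ((("commonName", "dc417.school.example.de"),),),
    "subjectAltName": (("DNS", "dc417.school.example.de"),),
}
FQDN_AND_SHORT = {  # SAN also lists the short hostname (the case in comment 4)
    "subject": ((("commonName", "dc417.school.example.de"),),),
    "subjectAltName": (("DNS", "dc417.school.example.de"), ("DNS", "dc417")),
}
WILDCARD = {  # constructed wildcard case, not mentioned in the report
    "subject": ((("commonName", "*.school.example.de"),),),
    "subjectAltName": (("DNS", "*.school.example.de"),),
}


def cert_dns_names(cert):
    """Names the certificate covers; the CN counts only if no SAN DNS entry exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive label match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a short hostname never matches a multi-label name
    if p[0] == "*" and len(p) > 1:
        return p[1:] == h[1:]
    return p == h


def usable_names(cert, candidates):
    """Candidates that hostname verification would accept for this certificate."""
    names = cert_dns_names(cert)
    return [c for c in candidates if any(name_matches(n, c) for n in names)]


if __name__ == "__main__":
    candidates = ["dc417", "dc417.school.example.de"]
    for label, cert in (("FQDN only", FQDN_ONLY),
                        ("FQDN + short name", FQDN_AND_SHORT),
                        ("wildcard", WILDCARD)):
        print(label, "->", usable_names(cert, candidates))
```

The name compared with the certificate is the string the client passes in, so a resolver search list can change which address "dc417" resolves to but not whether verification succeeds.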
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-04-06 22:09:03 CEST
UCS@school 4.2 v8 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.2v8-de.html

If this error occurs again, please clone this bug.