Univention Bugzilla – Bug 46379
univention-domain-join should install the UCS domain root CA in the system
Last modified: 2018-05-02 15:41:47 CEST
Currently, the tool downloads the UCS root CA to /etc/univention/ssl/ucsCA/CAcert.pem and adjusts this path in various config files. It would be great if the certificate would be added to the local cert store so that web browsers and other tools can use it to verify connections to domain services.
I have updated the tool to also link the downloaded root CA to /usr/local/share/ca-certificates/UCSdomain.crt and execute update-ca-certificates afterwards. Unfortunately, neither Firefox nor Chromium uses the system-wide certificates by default. If it is strongly desired to add the UCS root CA to the browsers' certificate databases, feel free to REOPEN this bug or create a new one.

@QA: This command will work when the UCS root CA is set up correctly: "wget https://$MASTER_FQDN/univention/login"

The adapted code for this bug can be found under these git tags:
1.0-8ubuntu1 -> Ubuntu 17.10
1.0-8ubuntu2 -> Ubuntu 16.04
1.0-8ubuntu3 -> Ubuntu 14.04

b77c0af2cb5f | Bug #46379: Add changelog entry
a32b18c74ec1 | Bug #46379: Merge branch 'ubuntu16.04' into ubuntu14.04
7d71c50279f3 | Bug #46379: Add changelog entry
14738f445220 | Bug #46379: Merge branch 'master_ubuntu17.10' into ubuntu16.04
3679b4172e4f | Bug #46379: Add changelog entry
bd8202f94014 | Bug #46379: Add UCS-domains certificate to certificate store
Created attachment 9478: All Debian packages needed for the QA
Verified: Certificate is added to local ca-certificate store. Most browsers ignore the local store without explicit configuration by the user, as a security mechanism.
Published as version 1.0-11: https://launchpad.net/~univention-dev/+archive/ubuntu/ppa
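
The steps described in this bug (link the downloaded root CA into /usr/local/share/ca-certificates, run update-ca-certificates, confirm with wget), written out as an added shell example; this is not the univention-domain-join code. The function names, return codes and the single-certificate check are assumptions of this example, while the paths and the wget URL are the ones given above.

```shell
#!/bin/sh
# Added example: stage the UCS root CA for the system trust store.
# Paths are taken from the bug report; function names are hypothetical.

UCS_CA_SRC=/etc/univention/ssl/ucsCA/CAcert.pem
TRUST_DIR=/usr/local/share/ca-certificates

# Succeeds only if the file holds exactly one PEM certificate block.
# (Conservative check chosen for this example: a bundle or an HTML error
# page saved as CAcert.pem should never end up as a trust anchor.)
is_single_pem_cert() {
    [ -r "$1" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# Link src into dir under name. Returns 2 if name lacks the .crt suffix
# that update-ca-certificates requires, 3 if src is not one PEM cert.
stage_ca() {
    src=$1
    dir=$2
    name=$3
    case $name in
        *.crt) ;;
        *) echo "$name: must end in .crt" >&2; return 2 ;;
    esac
    is_single_pem_cert "$src" || {
        echo "$src: not a single PEM certificate" >&2
        return 3
    }
    mkdir -p "$dir" && ln -sf "$src" "$dir/$name"
}

# Rebuild the system bundle (needs root), then repeat the QA check from
# the bug: wget must validate the master's HTTPS certificate.
refresh_and_check() {
    update-ca-certificates || return 1
    wget -q -O /dev/null "https://$1/univention/login"
}

# Runs only when called as: script --install <master FQDN>
if [ "${1:-}" = "--install" ]; then
    stage_ca "$UCS_CA_SRC" "$TRUST_DIR" UCSdomain.crt &&
        refresh_and_check "${2:?master FQDN required}"
fi
```

A non-zero exit from refresh_and_check means wget still could not validate the master's certificate, so the CA did not reach the system bundle.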