Bug 49844 – apache2/hsts setting is not used in univention-letsencrypt.conf

Bug 49844 - apache2/hsts setting is not used in univention-letsencrypt.conf


Summary:	apache2/hsts setting is not used in univention-letsencrypt.conf

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	Let's Encrypt
Version:	UCS 4.4
Hardware:	amd64 Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-07-13 15:42 CEST by Daniel Krüger
Modified:	2020-03-17 07:38 CET (History)
CC List:	4 users (show)

See Also:	48745
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2020022421000562
Bug group (optional):	Security
Max CVSS v3 score:	0.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Flags:	best: Patch_Available+

Attachments
patch (git:fbest/49844-hsts) (1.88 KB, patch) 2019-07-16 09:53 CEST, Florian Best	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Krüger 2019-07-13 15:42:28 CEST

/etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf creates separate virtual hosts for each domain in letsencrypt/domains. However it doesn't create Apache configuration for HSTS as /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts does it for the default SSL virtual host. So HSTS is in fact not activated anymore.

Proposed fix: /etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf should include the code from /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts.

Comment 1 Florian Best

2019-07-16 09:53:47 CEST

Created attachment 10122 [details]
patch (git:fbest/49844-hsts)

Comment 2 Florian Best

2019-07-16 09:55:03 CEST

Thank you for the feedback, Daniel!
Attached is a patch which does your suggestion.

Comment 3 Daniel Krüger 2019-08-29 18:39:39 CEST

Thanks for the patch. However, I cannot test it. Is there a testing channel for a pre-compiled Let's Encrypt App with this patch?

Comment 4 Daniel Krüger 2019-09-18 23:44:58 CEST

Today, I had the requirement to have a special VirtualHost configuration for a sub-domain (Separate reverse proxy without the stuff from ucs-sites.d and the appcenter dockers). univention-letsencrypt.conf is a show-stopper for that. It adds VirtualHost sections for each domain which is in letsencrypt/domains. So I had no easy possibility to overwrite that configuration.

Finally, I deleted the VirtualHost sections in univention-letsencrypt.conf. So the default SSL virtual host (with HSTS) is used.

What's the benefit of having separate VirtualHost sections for each letsencrypt/domains? As far as I see and understand they intend to configure _everything_ the same as the default SSL virtual host.

Comment 5 Florian Best

2019-09-19 07:31:13 CEST

Maybe Bug #48745 comment 1 is the reason.

Comment 6 Daniel Krüger 2019-09-28 18:27:08 CEST

Ok, I understand it (at least a little bit).

I would like to propose to change the logic for virtual host creation. Maybe to create the virtual hosts for Let's encrypt conditionally. If UCS host fqdn is included in Let's encrypt domain list and UCR variable apache2/ssl/certificate don't point to Let's encrypt certificate for example.

At least I like the architecture of UCS, that those template files are part of /etc, so I have the freedom to overwrite them.

Comment 7 Christian Völker

2020-03-17 07:38:49 CET

Another customer stumbled about this...