Univention Bugzilla – Bug 53751
univention-spamassassin fails to install - sa-update not run - breaks USS
Last modified: 2023-03-18 15:56:23 CET
+++ This bug was initially created as a clone of Bug #36607 +++

<https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-8/job/AutotestUpgrade/SambaVersion=s4,Systemrolle=master-part-II/145/> failed to set up "univention-spamassassin" during USS:
> Setting up univention-spamassassin (9.0.0-6A~4.3.0.201803091404) ... …
> Updating spamassassin rules...
> Cannot open file /var/lib/spamassassin/3.004002/updates_spamassassin_org/1892846.tar.gz: No such file or directory at /usr/bin/sa-update line 1600.

"/etc/cron.daily/spamassassin" was only run much later at 06:42, which then pulled the initial rule set fine. Afterward "systemctl restart spamassassin" worked fine.

dig 2.4.3.updates.spamassassin.org txt
> 2.4.3.updates.spamassassin.org. 1516 IN CNAME 3.3.3.updates.spamassassin.org.
> 3.3.3.updates.spamassassin.org. 14 IN TXT "1892922"

curl -I http://sa-update.spamassassin.org/1892846.tar.gz
> HTTP/1.1 200 OK

sa-update -vv -D channel,gpg,http
…

I have not seen any use of the IPv4-LL 169.254.0.0/16 address in any log file.
The last version of `sa-update` in UCS 4.4-x is `3.4.2-1~deb9u4` and has a known issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922499
https://errata.software-univention.de/#/?version=4.4-x&package=spamassassin
https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/spamassassin/?since=4.4-0

Instead of shipping an old version of the rules (1892922) via `utils.sh`, which need to be updated on a regular basis (1907102), fix the underlying problem, which is TLS related: the TLS certificate for `*.apache.org` is from Let's Encrypt, which switched their root-CA in 2021:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

# sa-update -vv
DNS TXT query: 2.4.3.updates.spamassassin.org -> 1907182
Update available for channel updates.spamassassin.org: -1 -> 1907182
DNS TXT query: mirrors.updates.spamassassin.org -> https://spamassassin.apache.org/updates/MIRRORED.BY, http://sa-update.spamassassin.org/MIRRORED.BY
fetching https://spamassassin.apache.org/updates/MIRRORED.BY
http: (curl) GET https://spamassassin.apache.org/updates/MIRRORED.BY, FAILED, status: exit 60

# curl -I https://spamassassin.apache.org/updates/MIRRORED.BY
curl: (60) SSL certificate problem: certificate has expired

spamassassin.apache.org is backed by Fastly and SNI must be used to get the right certificate:

# openssl s_client -showcerts -servername spamassassin.apache.org -connect spamassassin.apache.org:443 </dev/null > /tmp/cert
# csplit /tmp/cert '/-----END CERTIFICATE-----/+1' '{*}'
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx00
subject=CN = *.apache.org
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Dec 14 18:46:30 2022 GMT
notAfter=Mar 14 18:46:29 2023 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx01
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notBefore=Sep 4 00:00:00 2020 GMT
notAfter=Sep 15 16:00:00 2025 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx02
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in /etc/ssl/certs/2e5ac55d.0
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT

The VM is using the old *expired* chain rooted at the now expired 'DST X3' root CA. Actually `cURL` should already end the validation at `ISRG Root X1`, which already is a trusted root CA, but the version in UCS-4.3 is too old:

# openssl x509 -noout -subject -issuer -startdate -enddate -in /etc/ssl/certs/ISRG_Root_X1.pem
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notBefore=Jun 4 11:04:38 2015 GMT
notAfter=Jun 4 11:04:38 2035 GMT

[phahn/53751-spamassassin] 3c6e50adf5 test(spamassassin): better sa-update handling
 test/product-tests/component/dcd_all_roles.cfg | 14 --------------
 test/product-tests/component/dcd_redis_primary_change.cfg | 5 -----
 test/scenarios/app-testing/autotest-104-app-slave-no-samba.cfg | 5 -----
 test/scenarios/app-testing/autotest-105-app-slave-s4.cfg | 5 -----
 test/scenarios/app-testing/autotest-114-release-appupdate-slave-no-samba.cfg | 5 -----
 test/scenarios/app-testing/autotest-115-release-appupdate-slave-s4.cfg | 5 -----
 test/scenarios/app-testing/autotest-124-appupdate-slave-no-samba.cfg | 5 -----
 test/scenarios/app-testing/autotest-125-appupdate-slave-s4.cfg | 5 -----
 test/scenarios/autotest-070-update-master-no-samba.cfg | 5 -----
 test/scenarios/autotest-070-update-master-part-II-no-samba.cfg | 5 -----
 ...
 23 files changed, 15 insertions(+), 133 deletions(-)

[phahn/53751-spamassassin] a456ca1a8c style(utils): shellcheck
 test/utils/utils.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
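
The chain analysis in the comment above can be replayed as a small model. This is an added example, not code from the bug report or from UCS: it parses the `openssl x509` fields quoted above (transcribed as constructed input, without the notBefore lines) and compares a verifier that follows the served chain to its end with one that stops at the first issuer found in the local store. The names `parse`, `build_path`, `expired`, the `trusted_first` switch and the evaluation date `NOW` are assumptions, and signatures are not checked.

```python
from datetime import datetime

# Constructed input: subject/issuer/notAfter as quoted in the comment, served order.
SERVED = """\
subject=CN = *.apache.org
issuer=C = US, O = Let's Encrypt, CN = R3
notAfter=Mar 14 18:46:29 2023 GMT

subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 15 16:00:00 2025 GMT

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 18:14:03 2024 GMT
"""
# The two self-signed roots the comment found under /etc/ssl/certs.
TRUSTED = """\
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Jun 4 11:04:38 2035 GMT
"""
NOW = datetime(2023, 1, 15)  # constructed date inside the leaf's validity period

def parse(text):
    """Turn blank-line-separated key=value blocks into dicts with a parsed notAfter."""
    certs = []
    for block in text.strip().split("\n\n"):
        c = dict(line.split("=", 1) for line in block.splitlines())
        c["notAfter"] = datetime.strptime(c["notAfter"], "%b %d %H:%M:%S %Y GMT")
        certs.append(c)
    return certs

def build_path(served, trusted, trusted_first):
    """Assumes the served list is ordered leaf first and ends below a local root."""
    roots = {c["subject"]: c for c in trusted}
    path = [served[0]]
    for nxt in served[1:]:
        if trusted_first and path[-1]["issuer"] in roots:
            break  # issuer is already a local trust anchor: ignore the rest
        path.append(nxt)
    return path + [roots[path[-1]["issuer"]]]

def expired(path, now):
    return [c["subject"].rsplit("CN = ", 1)[-1] for c in path if now > c["notAfter"]]
```

With `trusted_first=False` the path ends at the expired `DST Root CA X3`; with `trusted_first=True` it ends at the self-signed `ISRG Root X1` and nothing on the path is expired.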
*** Bug 54194 has been marked as a duplicate of this bug. ***
The test was still failing because of multiple issues:
1. Root CA "DST X3" for https://spamassassin.apache.org/ expired
2. PGP key of `sa-update` expired.
3. Wrong file system permissions
4. Bug in "spamassassin.postinst configure" restarting `spamassassin.service` during update from 4.4-9 to 5.0-0 despite `deb-systemd-helper was-enabled spamassassin.service`

[5.0-3] c862e676da fix(test/update-from-2.4): SA update v3
 test/utils/utils.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-3] 3550362c8a fix(test/update-from-2.4): SA update v2
 test/utils/utils.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

[5.0-3] 07151fe536 fix(test/update-from-2.4): SA update
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg | 3 ++-
 test/scenarios/update-testing/update-from-4.2-4.cfg | 2 +-
 test/utils/utils.sh | 5 -----
 3 files changed, 3 insertions(+), 7 deletions(-)

[5.0-3] 0a8476115f refactor(test/scenarios/update): code cleanup
 test/scenarios/appliance-testing/app-appliance-errata-test.cfg | 3 +-
 test/scenarios/update-testing/update-from-1.2-backup2master.cfg | 1 -
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg | 54 ++++++++++++-----------------
 test/scenarios/update-testing/update-from-4.2-4.cfg | 1 -
 test/utils/utils.sh | 8 ++---
 5 files changed, 28 insertions(+), 39 deletions(-)