Bug 55982 - Portal on a different FQDN: traceback in 92univention-management-console-web-server.inst if certificates are not in /etc/univention/ssl/%s/cert.pem
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2023-04-18 12:04 CEST by Felix Botner
Modified: 2023-04-18 12:04 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Felix Botner univentionstaff 2023-04-18 12:04:22 CEST
Scenario:

Portal should run on a different FQDN.

For my test I created a DNS entry for the external FQDN, certificates and an Apache config:
* external FQDN -> portal.extern.test (hostname is primary.ucs.test)
* certificates -> /opt/portal.extern.test/cert.pem
* Apache vhost config for portal.extern.test

Configuration
* ucr set umc/saml/sp-server="portal.extern.test"
* univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

This (/usr/share/univention-management-console/saml/update_metadata) now fails with

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/saml2/metadata.py", line 92, in create_metadata_string
    config = Config().load_file(configfile, metadata_construction=True)
  File "/usr/lib/python2.7/dist-packages/saml2/config.py", line 375, in load_file
    mod = self._load(config_file)
  File "/usr/lib/python2.7/dist-packages/saml2/config.py", line 369, in _load
    return importlib.import_module(tail)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/share/univention-management-console/saml/sp.py", line 108, in <module>
    tmpfile.write(get_cert())
  File "/usr/share/univention-management-console/saml/sp.py", line 36, in get_cert
    with open(CONFIG['cert_file'], 'rb') as cert_file:
IOError: [Errno 2] No such file or directory: u'/etc/univention/ssl/auth.extern.test/cert.pem'

because /usr/share/univention-management-console/saml/sp.py assumes that the certificate and key are at

    "key_file": "/etc/univention/ssl/%s/private.key" % (fqdn,),
    "cert_file": "/etc/univention/ssl/%s/cert.pem" % (fqdn,),

Workaround: Always copy the certificate/key of the external FQDN to "/etc/univention/ssl/$FQDN/cert.pem" and "/etc/univention/ssl/$FQDN/private.key".

Fix: Not sure, maybe we need new settings umc/saml/sp-server/cert_file and umc/saml/sp-server/key to make it more explicit.
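The following is an added illustration of the path resolution the report discusses and of the explicit-override fix it suggests; it is not code from the report or from UCS. It assumes a dict-like stand-in for UCR and the hypothetical variable names umc/saml/sp-server/cert_file and umc/saml/sp-server/key_file (the report itself only proposes names of that shape). The resolver falls back to /etc/univention/ssl/<sp-server>/ exactly as the traceback shows, and the checker turns the bare IOError into a readable list of problems, including a permission check on a private key that was copied by hand, as the workaround requires. The sample certificate and key files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Default location that sp.py derives from the SP server FQDN (from the report).
DEFAULT_SSL_DIR = "/etc/univention/ssl"

# Hypothetical explicit overrides, following the report's suggestion; these
# variable names are an assumption, not existing UCS settings.
UCR_CERT_OVERRIDE = "umc/saml/sp-server/cert_file"
UCR_KEY_OVERRIDE = "umc/saml/sp-server/key_file"


def resolve_sp_cert_paths(ucr, fqdn):
    """Return (cert_file, key_file) for the SAML SP.

    ucr:  dict-like mapping of UCR variable names to values (stand-in for
          univention.config_registry.ConfigRegistry).
    fqdn: the host's own FQDN, used when umc/saml/sp-server is unset.
    """
    sp_server = ucr.get("umc/saml/sp-server") or fqdn
    cert_file = ucr.get(UCR_CERT_OVERRIDE) or os.path.join(DEFAULT_SSL_DIR, sp_server, "cert.pem")
    key_file = ucr.get(UCR_KEY_OVERRIDE) or os.path.join(DEFAULT_SSL_DIR, sp_server, "private.key")
    return cert_file, key_file


def check_sp_cert_paths(cert_file, key_file):
    """Return a list of human-readable problems (empty list means OK).

    Replaces the raw IOError from the traceback with a message that names the
    missing file and the variable that would fix it. Also flags a private key
    that is readable by group or others, which is easy to get wrong when the
    key is copied by hand as in the workaround.
    """
    problems = []
    for label, var, path in (("cert_file", UCR_CERT_OVERRIDE, cert_file),
                             ("key_file", UCR_KEY_OVERRIDE, key_file)):
        if not os.path.isfile(path):
            problems.append("%s %s does not exist; place the file there or set %s" % (label, path, var))
    if os.path.isfile(key_file):
        mode = stat.S_IMODE(os.stat(key_file).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("key_file %s is readable by group/other (mode %s)" % (key_file, oct(mode)))
    return problems


def demo():
    """Constructed scenario from the report: SP on portal.extern.test, host primary.ucs.test."""
    tmp = tempfile.mkdtemp()
    cert = os.path.join(tmp, "cert.pem")
    key = os.path.join(tmp, "private.key")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)

    # 1. Configuration from the report: only umc/saml/sp-server is set, so the
    #    paths are derived from it and the files are not there.
    ucr_report = {"umc/saml/sp-server": "portal.extern.test"}
    paths_report = resolve_sp_cert_paths(ucr_report, "primary.ucs.test")
    problems_report = check_sp_cert_paths(*paths_report)

    # 2. Same configuration plus the hypothetical explicit overrides.
    ucr_fixed = {**ucr_report, UCR_CERT_OVERRIDE: cert, UCR_KEY_OVERRIDE: key}
    paths_fixed = resolve_sp_cert_paths(ucr_fixed, "primary.ucs.test")
    problems_fixed = check_sp_cert_paths(*paths_fixed)

    # 3. Overrides point at a key that was copied with permissive mode.
    os.chmod(key, 0o644)
    problems_perm = check_sp_cert_paths(*paths_fixed)

    return {
        "paths_report": paths_report,
        "problems_report": problems_report,
        "paths_fixed": paths_fixed,
        "problems_fixed": problems_fixed,
        "problems_perm": problems_perm,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the report's configuration the resolver yields /etc/univention/ssl/portal.extern.test/cert.pem and private.key, and the checker reports both as missing instead of raising; with the overrides set it reports nothing, and it flags the key once its mode is loosened.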