Univention Bugzilla – Bug 30294
Automatic renewal of ssl certificates
Last modified: 2024-01-26 15:02:46 CET
As requested in the forum: if it is possible to automate the renewal of ssl certificates as described in sdb article #1000, an implementation could be provided.
Created attachment 8086: Patch for "univention-certificate renewAll"
In this patch, "univention-certificate renewAll" automates most of the procedure. However, the new certificates still need to be copied to the hosts manually. Although "univention-scp" and "univention-rsync" allow remote copying of files using "/etc/machine.secret" instead of a typed password, this only works for user "$(hostname)\$", which does not necessarily have sufficient permissions. In the current security environment, "/etc/univention/ssl/<host>/" is readable and writable only by "root" and "DC Backup Hosts". So, access in either direction fails until one chooses an authorized user manually.
> + eval $(ucr shell domainname)
> + eval $(ucr shell ssl/default/days)
→ please quote. This can also be done in one call: eval "$(ucr shell ssl/default/days domainname)"
Please rename renewAll into rename-all.
Created attachment 8087: Updated patch
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
*** Bug 50723 has been marked as a duplicate of this bug. ***
Another customer would be glad if manual cert renew is not necessary anymore. Added ticket number
Customer comment: The article on renewing the certificate chain also seems to cause problems; he finds the whole procedure quite error-prone and cumbersome. Couldn't that be done automatically? Changing to bug report instead of feature request as it is the cause for very frequent support tickets.
JFYI: Found in forum: "Hello, I am now getting the message that my root certificate is expiring (wow, how quickly 5 years go by :wink: ). My question: I found 2 articles here in the forum that one is supposed to work through. Is that still current, or is there by now an "easier method" for renewing the root cert."
as discussed internally: next step should be one script or a set of scripts that assists in the renewal of certificates and checks if the steps have been completed successfully.
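A sketch of the post-renewal checks such a script would need, written as an added example for this bug and not taken from UCS, from univention-certificate or from the attached patch. It assumes only the openssl command line; the CA, the host certificates and the "deployed" copy are constructed in a temporary directory and stand in for the real /etc/univention/ssl/<host>/ layout. The three checks correspond to the ways a renewal can go wrong according to the comments above: the new certificate does not chain to the CA, it is about to expire again, or the copy on the target host was never replaced (the manual copy step from the attachment comment).

```shell
#!/bin/sh
# Added example for Bug 30294; not UCS code. Checks that a certificate
# renewal actually completed: chain still valid, not about to expire,
# and the copy on the host is the renewed one. Requires only openssl.

# chain_status CA_CERT CERT -> prints "valid" if CERT verifies against CA_CERT
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# cert_status CERT WARN_DAYS -> "expired", "expiring" (within WARN_DAYS) or "ok"
cert_status() {
    # -checkend N fails if the certificate expires within the next N seconds,
    # so -checkend 0 means "already expired"
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# same_cert CERT_A CERT_B -> "same" if both files carry the same certificate.
# Compares SHA-256 fingerprints, so a stale copy on a host is caught even if
# the file has the same name and size.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || a=
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || b=
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# setup_demo -> prints a temp dir with a constructed CA, a host cert signed by
# it (365 days), a short-lived cert (5 days), a self-signed cert the CA never
# issued, and a "deployed" copy of the host cert. All of this is demo data.
setup_demo() {
    dir=$(mktemp -d)
    ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # shellcheck disable=SC2086
    openssl req -x509 $ec -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days 3650 -subj "/CN=Constructed Demo CA" >/dev/null 2>&1
    for name in host short; do
        openssl req $ec -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=$name.example.test" >/dev/null 2>&1
    done
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/host.crt" >/dev/null 2>&1
    openssl x509 -req -in "$dir/short.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 5 -out "$dir/short.crt" >/dev/null 2>&1
    # right CN, but signed by nobody the CA knows
    openssl req -x509 $ec -keyout "$dir/rogue.key" -out "$dir/rogue.crt" \
        -days 365 -subj "/CN=host.example.test" >/dev/null 2>&1
    # the copy a correct scp would leave on the target host
    cp "$dir/host.crt" "$dir/host.deployed.crt"
    echo "$dir"
}

# Stand-alone demo: run the three checks over the constructed files,
# warning 30 days ahead of expiry.
demo_report() {
    d=$(setup_demo)
    for c in host short rogue; do
        printf '%-6s chain=%-8s expiry=%-9s deployed=%s\n' "$c" \
            "$(chain_status "$d/ca.crt" "$d/$c.crt")" \
            "$(cert_status "$d/$c.crt" 30)" \
            "$(same_cert "$d/$c.crt" "$d/host.deployed.crt")"
    done
    rm -rf "$d"
}
demo_report
```

In a real UCS deployment the same three functions would be pointed at /etc/univention/ssl/ucsCA/CAcert.pem and at each host's cert.pem, with the "deployed" comparison run against the copy fetched back from the host, so the script can report which step of the renewal is still outstanding instead of leaving that to the administrator.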
Another Customer is asking about that.