Bug 30294 - Automatic renewal of ssl certificates
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 enhancement (vote)
Target Milestone: ---
Assigned To: UCS maintainers
URL: https://help.univention.com/t/renewin...
Duplicates: 50723 (view as bug list)
Depends on: 54687
Blocks: 50723
Reported: 2013-02-06 08:20 CET by Tim Petersen
Modified: 2024-01-26 15:02 CET (History)
CC: 13 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020011321000236, 2020051521000734, 2020071621000176, 2020082421000122, 2020071821000234, 2020062521000884, 2021020121000406
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
- Patch for "univention-certificate renewAll" (2.67 KB, patch), 2016-10-11 14:42 CEST, Julius Hinrichs
- Updated patch (2.65 KB, patch), 2016-10-11 15:07 CEST, Julius Hinrichs

Description Tim Petersen univentionstaff 2013-02-06 08:20:27 CET
As requested in the forum:
If it is possible to automate the renewal of SSL certificates as described in SDB article #1000, an implementation could be provided.
Comment 1 Julius Hinrichs univentionstaff 2016-10-11 14:42:48 CEST
Created attachment 8086 [details]
Patch for "univention-certificate renewAll"

In this patch, "univention-certificate renewAll" automates most of the procedure. However, the new certificates still need to be copied to the hosts manually.
Although "univention-scp" and "univention-rsync" allow remote copying of files using "/etc/machine.secret" instead of a typed password, this only works for the user "$(hostname)\$", which does not necessarily have sufficient permissions. In the current security environment, "/etc/univention/ssl/<host>/" is readable and writable only by "root" and "DC Backup Hosts". So, access in either direction fails until one chooses an authorized user manually.
Comment 2 Florian Best univentionstaff 2016-10-11 14:57:09 CEST
+	eval $(ucr shell domainname)
+	eval $(ucr shell ssl/default/days)
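Review bot: the command substitution in both added lines is unquoted, so the output of `ucr shell` is subject to word splitting and pathname expansion before `eval` sees it; quote it (`eval "$(ucr shell ssl/default/days domainname)"` does both lookups in one call). After the eval, check that the variables it defines are non-empty before they are used, since an unset UCR key would otherwise silently turn into an empty argument later in the script.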
→ Please quote. This can also be done in one call:
eval "$(ucr shell ssl/default/days domainname)"

Please rename renewAll into rename-all.
Comment 3 Julius Hinrichs univentionstaff 2016-10-11 15:07:41 CEST
Created attachment 8087 [details]
Updated patch
Comment 4 Stefan Gohmann univentionstaff 2017-06-16 20:38:09 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 5 Philipp Hahn univentionstaff 2020-03-12 08:17:23 CET
*** Bug 50723 has been marked as a duplicate of this bug. ***
Comment 7 Dirk Schnick univentionstaff 2020-08-24 15:12:52 CEST
Another customer would be glad if manual cert renewal were not necessary anymore. Added ticket number.
Comment 8 Christian Völker univentionstaff 2020-10-20 15:50:00 CEST
Customer comment:

The article on renewing the certificate chain also seems to cause problems; he finds the whole procedure quite error-prone and cumbersome. Couldn't this be done automatically?

Changing to bug report instead of feature request, as it is the cause of very frequent support tickets.
Comment 9 Christian Völker univentionstaff 2020-12-04 15:35:46 CET
JFYI:
Found in forum:

"Hello,
I am now getting the message that my root certificate is about to expire (wow, how quickly 5 years go by :wink: ).

My question: I found 2 articles here in the forum that one is supposed to work through. Is that still current, or is there by now a 'simpler method' for renewing the root cert."
Comment 10 Ingo Steuwer univentionstaff 2021-02-02 12:19:42 CET
As discussed internally: the next step should be one script or a set of scripts that assists in the renewal of certificates and checks if the steps have been completed successfully.
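The verification step called for above (confirming that every host certificate was actually re-issued under the current CA and has lifetime left) can be expressed as a small checker. The following Go program is an added example written for this page; it is not Univention's code and not part of "univention-certificate". It verifies a PEM host certificate against the PEM CA certificate it is supposed to chain to and reports the remaining days; a host certificate that is still signed by a previous, replaced CA, or that has already expired, fails the chain check. The `NewCA` and `IssueHostCert` helpers only produce constructed test material so the program runs offline; the hostname and CA names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckResult summarises the state of one host certificate at a reference time.
type CheckResult struct {
	DaysLeft int  // whole days until NotAfter (negative once expired)
	ChainOK  bool // host certificate verifies against the supplied CA
}

// parsePEMCert decodes the first CERTIFICATE block of a PEM buffer.
func parsePEMCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckHostCert verifies hostPEM against caPEM at time now and reports the
// remaining lifetime. A host certificate still signed by an old, replaced CA
// (the classic "forgot to re-issue after renewing the CA" case) gets ChainOK == false.
func CheckHostCert(hostPEM, caPEM []byte, now time.Time) (CheckResult, error) {
	host, err := parsePEMCert(hostPEM)
	if err != nil {
		return CheckResult{}, fmt.Errorf("host certificate: %w", err)
	}
	ca, err := parsePEMCert(caPEM)
	if err != nil {
		return CheckResult{}, fmt.Errorf("CA certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := host.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // validity of leaf and root are both checked at this instant
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	days := int(host.NotAfter.Sub(now).Hours() / 24)
	return CheckResult{DaysLeft: days, ChainOK: verr == nil}, nil
}

// NewCA builds a self-signed CA: constructed test material, not a UCS CA.
// It returns the parsed certificate, its key and the PEM encoding.
func NewCA(name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// IssueHostCert signs a server certificate for hostname with the given CA (test material).
func IssueHostCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	ca, key, caPEM, err := NewCA("constructed root CA", now.AddDate(-1, 0, 0), now.AddDate(4, 0, 0))
	if err != nil {
		panic(err)
	}
	hostPEM, err := IssueHostCert(ca, key, "dc.example.test", now.AddDate(0, -6, 0), now.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	res, err := CheckHostCert(hostPEM, caPEM, now)
	fmt.Printf("%+v err=%v\n", res, err) // ChainOK:true, roughly 365 days left
}
```

In a real run the two PEM inputs would be the CA certificate and each host's certificate from "/etc/univention/ssl/", read on the DC master or backup where those directories are readable; looping over the host directories and flagging any entry with `ChainOK == false` or a small `DaysLeft` is the check that the renewal procedure was carried through everywhere.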
Comment 11 Daniel Duchon univentionstaff 2021-02-03 08:36:37 CET
Another customer is asking about that.