Univention Bugzilla – Bug 31941
Wrong permissions after renewing complete certificate chain
Last modified: 2015-01-12 12:37:47 CET
After renewing the complete SSL certificate chain, the listener module recreated all certificates on DC master in /etc/univention/ssl/. All permissions seem to be correct but for /etc/univention/ssl/$MASTERFQDN/* the read permission for group "DC Backup Hosts" was missing and therefore all DC backups were unable to replicate the SSL certificate chain.
Any log messages or tracebacks in the listener.log?
Reported again: Ticket #2013121121001955
I've re-checked it and the DC Backup Hosts is missing for the CA.

root@master201:~# ls -la /etc/univention/ssl/ucsCA/
insgesamt 56
drwxr-xr-x 6 root root 4096 18. Dez 07:36 .
drwxr-xr-x 5 root root 4096 18. Dez 07:36 ..
-rw-r--r-- 1 root root 1883 18. Dez 07:36 CAcert.pem
-rw------- 1 root root 3570 18. Dez 07:36 CAreq.pem
drwx------ 2 root root 4096 18. Dez 07:36 certs
drwx------ 2 root root 4096 18. Dez 07:36 crl
-rw-r--r-- 1 root root 293 18. Dez 07:36 index.txt
-rw-r--r-- 1 root root 21 18. Dez 07:36 index.txt.attr
-rw-r--r-- 1 root root 21 18. Dez 07:36 index.txt.attr.old
-rw-r--r-- 1 root root 146 18. Dez 07:36 index.txt.old
drwx------ 2 root root 4096 18. Dez 07:36 newcerts
drwx------ 2 root root 4096 18. Dez 07:36 private
-rw-r--r-- 1 root root 3 18. Dez 07:36 serial
-rw-r--r-- 1 root root 3 18. Dez 07:36 serial.old
root@master201:~# ls -la /etc/univention/ssl.orig/ucsCA/
insgesamt 56
drwxrwxr-x 6 root DC Backup Hosts 4096 30. Nov 18:08 .
drwxr-xr-x 5 root DC Backup Hosts 4096 30. Nov 18:08 ..
-rw-r--r-- 1 root DC Slave Hosts 2053 30. Nov 17:18 CAcert.pem
-rw-rw---- 1 root DC Backup Hosts 3669 30. Nov 17:18 CAreq.pem
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 18:08 certs
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 17:18 crl
-rw-r--r-- 1 root nogroup 291 30. Nov 18:08 index.txt
-rw-r--r-- 1 root nogroup 21 30. Nov 18:08 index.txt.attr
-rw-rw-r-- 1 root DC Backup Hosts 21 30. Nov 17:18 index.txt.attr.old
-rw-rw-r-- 1 root DC Backup Hosts 145 30. Nov 17:18 index.txt.old
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 18:08 newcerts
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 17:18 private
-rw-r--r-- 1 root nogroup 3 30. Nov 18:08 serial
-rw-rw-r-- 1 root DC Backup Hosts 3 30. Nov 17:18 serial.old
root@master201:~#
root@master201:~# ls -la /etc/univention/ssl/
insgesamt 28
drwxr-xr-x 5 root root 4096 18. Dez 07:36 .
drwxr-xr-x 13 root root 4096 18. Dez 07:36 ..
lrwxrwxrwx 1 root root 46 18. Dez 07:36 master201 -> /etc/univention/ssl/master201.deadlock20.local
drwxr-x--- 2 root DC Backup Hosts 4096 18. Dez 07:36 master201.deadlock20.local
lrwxrwxrwx 1 root root 47 18. Dez 07:36 master201v -> /etc/univention/ssl/master201v.deadlock20.local
drwxr-x--- 2 root DC Backup Hosts 4096 18. Dez 07:36 master201v.deadlock20.local
-rw------- 1 root root 3331 18. Dez 07:36 openssl.cnf
-rw------- 1 root root 20 18. Dez 07:36 password
drwxr-xr-x 6 root root 4096 18. Dez 07:36 ucsCA
root@master201:~# ls -la /etc/univention/ssl.orig/
insgesamt 28
drwxr-xr-x 5 root DC Backup Hosts 4096 30. Nov 18:08 .
drwxr-xr-x 13 root root 4096 18. Dez 07:36 ..
lrwxrwxrwx 1 root DC Backup Hosts 46 30. Nov 17:18 master201 -> /etc/univention/ssl/master201.deadlock20.local
drwxr-x--- 2 master201$ DC Backup Hosts 4096 30. Nov 17:18 master201.deadlock20.local
lrwxrwxrwx 1 root nogroup 47 30. Nov 18:08 master201v -> /etc/univention/ssl/master201v.deadlock20.local
drwxr-x--- 2 master201v$ DC Backup Hosts 4096 30. Nov 18:08 master201v.deadlock20.local
-rw-rw---- 1 root DC Backup Hosts 3373 30. Nov 17:18 openssl.cnf
-rw-rw---- 1 root DC Backup Hosts 20 30. Nov 17:18 password
drwxrwxr-x 6 root DC Backup Hosts 4096 30. Nov 18:08 ucsCA
root@master201:~#
*** Bug 32988 has been marked as a duplicate of this bug. ***
(In reply to Stefan Gohmann from comment #3)
> *** Bug 32988 has been marked as a duplicate of this bug. ***
This report should be checked / fixed as well.
(In reply to Sönke Schwardt-Krummrich from comment #0)
> After renewing the complete SSL certificate chain, the listener module
Following <http://sdb.univention.de/content/15/1/de/erneuern-der-ssl_zertifikate.html> leads to
-rw-r--r-- 1 root root 2,1k 6. Feb 15:53 CAcert.pem
instead of
-rw-r--r-- 1 root DC Slave Hosts 2,1k 29. Nov 12:13 CAcert.pem
.

(In reply to Stefan Gohmann from comment #2)
> Reported again: Ticket #2013121121001955
> I've re-checked it and the DC Backup Hosts is missing for the CA.
Using the System-Setup UMC module leads to root:root for almost everything.

(In reply to Stefan Gohmann from comment #4)
> > *** Bug 32988 has been marked as a duplicate of this bug. ***
> This report should be checked / fixed as well.
Using
univention-certificate new -name foo
leads to
drwxr-x--- 2 root DC Backup Hosts 4,1k 6. Feb 16:25 /etc/univention/ssl/foo
-rw------- 1 root DC Backup Hosts 4,4k 6. Feb 16:25 […]/cert.pem
-rw------- 1 root DC Backup Hosts 3,3k 6. Feb 16:25 […]/openssl.cnf
-rw------- 1 root DC Backup Hosts 891 6. Feb 16:25 […]/private.key
-rw------- 1 root DC Backup Hosts 802 6. Feb 16:25 […]/req.pem
instead of
drwxr-x--- 2 root DC Backup Hosts 4,1k 6. Feb 16:24 /etc/univention/ssl/bar/
-rw-r----- 1 root DC Backup Hosts 4,4k 6. Feb 16:24 […]/cert.pem
-rw-r----- 1 root DC Backup Hosts 3,3k 6. Feb 16:24 […]/openssl.cnf
-rw-r----- 1 root DC Backup Hosts 887 6. Feb 16:24 […]/private.key
-rw-r----- 1 root DC Backup Hosts 802 6. Feb 16:24 […]/req.pem
.
(In reply to Janek Walkenhorst from comment #5)
> Following
> <http://sdb.univention.de/content/15/1/de/erneuern-der-ssl_zertifikate.html>
This is due to a missing chown/chmod in the SDB article.

> (In reply to Stefan Gohmann from comment #2)
> Using the System-Setup UMC module leads to root:root for almost everything.
This is because make-certificate.sh→init does not set the permissions.
(During installation they are fixed by 20univention-join.inst)

> Using
> univention-certificate new -name foo
This is due to <https://forge.univention.org/bugzilla/show_bug.cgi?id=26572#c2>.
(In reply to Janek Walkenhorst from comment #6)
> This is due to a missing chown/chmod in the SDB article.
→ Bug 34080

> This is because make-certificate.sh→init does not set the permissions.
> (During installation they are fixed by 20univention-join.inst)
>
> This is due to
> <https://forge.univention.org/bugzilla/show_bug.cgi?id=26572#c2>.
Fixed with univention-ssl (8.0.0-4): The permissions are set to be like they are after installation.

Advisory: 2014-02-07-univention-ssl.yaml
OK: svn47687
OK: apt-get install univention-ssl=8.0.0-4.138.201402071620
OK: univention-certificate new -name foo
OK: umask 0077 ; univention-certificate new -name bar
OK: univention-certificate renew -name foo -days 365
OK(*): UMC Basis Settings Certificate Change
OK: announce_errata -V 2014-02-07-univention-ssl.yaml

(*): In one test case I had a /etc/univention/ssl/ directory missing the host certificate, which caused slapd, listener, notifier, apache2 to fail. It was caused by changing the SSL settings through UMC Basis Settings. See Bug #31941 for details
http://errata.univention.de/ucs/3.2/52.html
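The drift this bug describes (host certificate directories and files losing group read access for the replication group after a renewal, or being created with a restrictive umask) is easy to audit on a DC master before the backups try to replicate. The following POSIX shell script is an added example and is not Univention's code or part of the fix shipped in univention-ssl 8.0.0-4. It assumes a hypothetical policy derived from the "instead of" listing in comment 5: host certificate directories mode 750 and their files mode 640, both group-owned by the replication group (on UCS, "DC Backup Hosts"), and ucsCA/CAcert.pem world-readable (644). It relies on `stat -c` (GNU coreutils or busybox); the function names `check_ssl_perms` and `fix_ssl_perms` are the example's own.

```shell
#!/bin/sh
# Added example, not Univention code: audit (and optionally repair) the
# permissions of a UCS-style SSL tree such as /etc/univention/ssl.
# Policy assumed here (hypothetical, modelled on comment 5 of the bug):
#   <root>/<host>/            750  group = replication group
#   <root>/<host>/*           640  group = replication group
#   <root>/ucsCA/CAcert.pem   644
# Symlinks such as master201 -> master201.<domain> are skipped so that a
# directory is only checked once.

# check_ssl_perms SSL_ROOT GROUP
# Prints one line per deviation and returns 1 if any was found, else 0.
check_ssl_perms() {
    root=$1
    grp=$2
    bad=0

    # The CA certificate must stay readable by every joining host.
    ca="$root/ucsCA/CAcert.pem"
    if [ -f "$ca" ]; then
        m=$(stat -c '%a' "$ca")
        if [ "$m" != "644" ]; then
            printf '%s expected 644 got %s\n' "$ca" "$m"
            bad=1
        fi
    fi

    # Every other directory is a host or service certificate directory.
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        case ${d##*/} in ucsCA) continue ;; esac
        m=$(stat -c '%a' "$d")
        g=$(stat -c '%G' "$d")
        if [ "$m" != "750" ] || [ "$g" != "$grp" ]; then
            printf '%s expected 750 %s got %s %s\n' "$d" "$grp" "$m" "$g"
            bad=1
        fi
        for f in "$d"/*; do
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            m=$(stat -c '%a' "$f")
            g=$(stat -c '%G' "$f")
            if [ "$m" != "640" ] || [ "$g" != "$grp" ]; then
                printf '%s expected 640 %s got %s %s\n' "$f" "$grp" "$m" "$g"
                bad=1
            fi
        done
    done
    return $bad
}

# fix_ssl_perms SSL_ROOT GROUP
# Applies the assumed policy; intended to be run as root on the DC master.
fix_ssl_perms() {
    root=$1
    grp=$2
    if [ -f "$root/ucsCA/CAcert.pem" ]; then
        chmod 644 "$root/ucsCA/CAcert.pem"
    fi
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        case ${d##*/} in ucsCA) continue ;; esac
        chgrp "$grp" "$d"
        chmod 750 "$d"
        for f in "$d"/*; do
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            chgrp "$grp" "$f"
            chmod 640 "$f"
        done
    done
    return 0
}

# Usage: sh ssl-perm-audit.sh /etc/univention/ssl "DC Backup Hosts" [--fix]
if [ $# -ge 2 ]; then
    if [ "${3:-}" = "--fix" ]; then
        fix_ssl_perms "$1" "$2"
    fi
    check_ssl_perms "$1" "$2"
fi
```

Run the audit after any certificate renewal, after `univention-certificate new`, and after changes made through the UMC Basis Settings module, since those are the three paths the bug identifies; a non-zero exit status (with the offending paths on stdout) is the signal to repair before the DC backups next attempt to replicate the chain. The group name is passed as a single argument because "DC Backup Hosts" contains spaces, which breaks naive `ls -l | awk` parsing.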