Univention Bugzilla – Bug 37484
UCS@school configuration wizard fails due to SSL error while calling umc-get
Last modified: 2016-06-28 18:24:49 CEST
In a newly installed customer environment we had the following scenario:

* DC Master + UCS@school
* DC Backup + UCS@school
* DC Slave

The customer installed UCS@school also on the DC Slave and ran the UCS@school configuration wizard, which failed with the following error:

> MODULE ( ERROR ) : Failed to launch UMC query: ['/usr/sbin/umc-get', '-U', 'Administrator', '-y', '/tmp/tmpMEAg2R', '-s', 'master.schule.local', 'ucr', '-l', '-c', 'ldap/base', '-o', 'ldap/master/port']
> MODULE ( WARN ) : Could not query the LDAP base of the master system master.schule.local.
> MODULE ( ERROR ) : Failed to get schoolinfo for school 'schule01': ('success': False, 'error': 'Der UMC-Server master.schule.local kann nicht erreicht werden.')

What was confusing is that manually executing the command "/usr/sbin/umc-get -U Administrator -y /tmp/adminpwd -s master.schule.local ucr -l -c ldap/base -o ldap/master/port" on the command line was successful. Additionally, 'everything else' was working (join, replication, ldapsearch, HTTPS).

With a higher debug level we were able to see this in the logfile:

> MODULE ( INFO ) : Executing: /usr/sbin/umc-get -d 4 -U Administrator -y /tmp/tmpqsnvhw -s master.schulen.local ucr -l -o ldap/base -o ldap/master/port
> MODULE ( ERROR ) : Failed to launch UMC query: ['/usr/sbin/umc-get', '-d', '4', '-U', 'Administrator', '-y', '/tmp/tmpqsnvhw', '-s', 'master.schulen.local', 'ucr', '-l', '-o', 'ldap/base', '-o', 'ldap/master/port']
> DEBUG_INIT
> MAIN ( PROCESS ) : Client: Setting up SSL configuration failed: []
> MAIN ( PROCESS ) : Client: Communication will not be encrypted!
> PROTOCOL ( INFO ) : Sending UMCP AUTH REQUEST 142071238666879-1
> MAIN ( WARN ) : Client: _recv: error on socket: [Errno 104] Connection reset by peer
>
> MODULE ( WARN ) : Could not query the LDAP base of the master system master.schulen.local.

We checked the certificates (CA, master, slave) but they seem to be okay (valid, md5sums match on both systems).
I can provide USI-archives for DC Master and DC Slave if necessary.
A possible solution to this would be to replace the umc-get call (which goes directly via SSL against the UMC server) with the univention.lib.umc_connection.UMCConnection class (which goes through Apache and the umc-web-server). Maybe it has to do with the clearing of environment variables in the UMC module processes? The SSL certificate is downloaded immediately before the umc-get call.
Created attachment 7531: patch

Patch: Use univention.lib.umc_connection via HTTP instead of UMCP. This works (verified in customer environment). I could not figure out what the problem is. If I start the module process without daemon.daemon.DaemonContext it works.
On the master there is a message "SSL error: unknown protocol" which can be ignored because the client sends plaintext if ssl doesn't work. On the client side I received in the verify callback a returncode of 19: 19 (self signed certificate in certificate chain)
univention/management/console/protocol/client.py:

    105             self.__crypto_context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.__verify_cert_cb)
    106             try:
    107                 self.__crypto_context.load_verify_locations(os.path.join('/etc/univention/ssl/ucsCA', 'CAcert.pem'))

→ is this in the correct order?
We should apply the suggested patch. Currently, if the error occurs, we have no workaround to help our customers and it's very hard to debug ==> Erratum
Applied the patch with slight changes in error handling.

Package: ucs-school-umc-installer
Version: 4.0.0-2.74.201603140735

ucs-school-umc-installer (4.0.0-2):
r68054 | Bug #37484: autopep8
r68053 | Bug #37484: fix SSL problems during contacting the DC master
OK: code
OK: manual test:

(on slave)# /usr/sbin/umc-get -d 4 -U Administrator -y /tmp/adminpwd -s $(ucr get ldap/master) ucr -l -o ldap/base -o ldap/master/port
22.06.16 09:35:40.576 DEBUG_INIT
22.06.16 09:35:40.579 MAIN ( INFO ) : Client.connect: SSL connection established
22.06.16 09:35:40.580 PROTOCOL ( INFO ) : Sending UMCP AUTH REQUEST 146658094058025-1
22.06.16 09:35:40.582 MAIN ( INFO ) : __verify_cert_cb: Got certificate subject: <X509Name object '/C=US/ST=DE/L=DE/O=Uni Test GmbH/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=SfPHwpLc)/emailAddress=ssl@uni.dtr'>
22.06.16 09:35:40.582 MAIN ( INFO ) : __verify_cert_cb: Got certificate issuer: <X509Name object '/C=US/ST=DE/L=DE/O=Uni Test GmbH/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=SfPHwpLc)/emailAddress=ssl@uni.dtr'>
22.06.16 09:35:40.582 MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=1 ok=1
22.06.16 09:35:40.583 MAIN ( INFO ) : __verify_cert_cb: Got certificate subject: <X509Name object '/C=US/ST=DE/L=DE/O=Uni Test GmbH/OU=Univention Corporate Server/CN=sch-m.uni.dtr/emailAddress=ssl@uni.dtr'>
22.06.16 09:35:40.583 MAIN ( INFO ) : __verify_cert_cb: Got certificate issuer: <X509Name object '/C=US/ST=DE/L=DE/O=Uni Test GmbH/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=SfPHwpLc)/emailAddress=ssl@uni.dtr'>
22.06.16 09:35:40.583 MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=0 ok=1
22.06.16 09:35:40.735 PARSER ( INFO ) : UMCP RESPONSE 146658094058025-1 parsed successfully
22.06.16 09:35:40.735 PROTOCOL ( INFO ) : Received UMCP RESPONSE 146658094058025-1
22.06.16 09:35:40.735 PROTOCOL ( INFO ) : Sending UMCP GET REQUEST 146658094058021-0
22.06.16 09:35:41.241 PARSER ( INFO ) : UMCP RESPONSE 146658094058021-0 parsed successfully
22.06.16 09:35:41.241 PROTOCOL ( INFO ) : Received UMCP RESPONSE 146658094058021-0
Response: GET
data length : 141
message length: 85
---
ARGUMENTS: ucr
MIMETYPE : application/json
STATUS : 200
MESSAGE : None
RESULT : {'ldap/master/port': '7389', 'ldap/base': 'dc=uni,dc=dtr'}
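A small log check added for this thread, not part of UCS or the attached patch: it reads umc-get -d 4 output like the transcripts quoted above (sample lines constructed from them, timestamps dropped) and reports the case that matters most, the client falling back to plaintext after SSL setup fails and still sending the UMCP AUTH REQUEST, alongside the per-depth verify callback results. The errnum table only covers the codes mentioned in this bug.

```python
import re

# Sample log lines constructed from the umc-get -d 4 transcripts quoted in this bug
# (timestamps dropped): the failing run on the slave and the successful test run.
FAILED_LOG = """\
MAIN ( PROCESS ) : Client: Setting up SSL configuration failed: []
MAIN ( PROCESS ) : Client: Communication will not be encrypted!
PROTOCOL ( INFO ) : Sending UMCP AUTH REQUEST 142071238666879-1
MAIN ( WARN ) : Client: _recv: error on socket: [Errno 104] Connection reset by peer
"""
OK_LOG = """\
MAIN ( INFO ) : Client.connect: SSL connection established
MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=1 ok=1
MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=0 ok=1
"""
# Constructed: verify callback output for the code 19 reported in this thread
# (OpenSSL X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), which the page quotes but does not log.
BADCHAIN_LOG = "MAIN ( INFO ) : __verify_cert_cb: errnum=19 depth=1 ok=0\n"

X509_REASON = {0: "ok", 19: "self signed certificate in certificate chain"}
VERIFY_RE = re.compile(r"__verify_cert_cb: errnum=(\d+) depth=(\d+) ok=(\d)")


def analyse_umc_log(text):
    # Summarise what the UMC client did about TLS in one umc-get debug log.
    s = {"ssl_established": False, "plaintext_fallback": False,
         "auth_sent_in_plaintext": False, "verify": []}
    for line in text.splitlines():
        if "SSL connection established" in line:
            s["ssl_established"] = True
        elif "Communication will not be encrypted" in line:
            s["plaintext_fallback"] = True
        elif "Sending UMCP AUTH REQUEST" in line and s["plaintext_fallback"]:
            # Client kept going after SSL setup failed: the password from the
            # -y file is about to leave the host unencrypted.
            s["auth_sent_in_plaintext"] = True
        m = VERIFY_RE.search(line)
        if m:
            errnum, depth, ok = (int(g) for g in m.groups())
            s["verify"].append({"depth": depth, "ok": bool(ok), "errnum": errnum,
                                "reason": X509_REASON.get(errnum, "X509 error %d" % errnum)})
    return s


def verdict(s):
    # The one line a reviewer of this log should see first.
    if s["auth_sent_in_plaintext"]:
        return "CRITICAL: SSL setup failed and the AUTH REQUEST went out unencrypted"
    bad = ["depth %d: %s" % (v["depth"], v["reason"]) for v in s["verify"] if not v["ok"]]
    if bad:
        return "FAIL: certificate verification: " + "; ".join(bad)
    return "OK: SSL established" if s["ssl_established"] else "UNKNOWN: no SSL status in log"
```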
(In reply to Daniel Tröder from comment #7)
> OK: code
> OK: manual test:
>
> (on slave)# /usr/sbin/umc-get -d 4 -U Administrator -y /tmp/adminpwd -s
> $(ucr get ldap/master) ucr -l -o ldap/base -o ldap/master/port

umc-get is not used anymore in the new code, so this manual test is useless. Also, the behavior of umc-get called *in* that UMC process/state causes these problems - it all went fine when calling the same command on the CLI.
UCS@school 4.1 R2 has been released: http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf If this error occurs again, please use "Clone This Bug".