Univention Bugzilla – Bug 38125
Installation gets stuck in univention-ssl.postinst
Last modified: 2015-07-09 09:00:10 CEST
We received the feedback that an installation got stuck at univention-ssl.postinst (Ticket #2015032021000372). It looks like the UCS system receives a hostname/domainname which is too long for the certificate generation. The following error message occurred:

    string is too long, it needs to be less than 64 bytes long

The UCS installer should not use the hostname / domainname received via DHCP because it is overwritten by system-setup.
    $ . /usr/share/univention-ssl/make-certificates.sh
    $ gencert /etc/univention/ssl/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev
    Common Name (eg, YOUR name) [0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev]:string is too long, it needs to be less than 64 bytes long

There are several limits defined from RFC3280 in openssl/crypto/asn1/a_strnid.c:

    #define ub_name 32768
    #define ub_common_name 64
    #define ub_locality_name 128
    #define ub_state_name 128
    #define ub_organization_name 64
    #define ub_organization_unit_name 64
    #define ub_title 64
    #define ub_email_address 128
    #define ub_serial_number 64

So setting the UCRVs ssl/{country,state,locality,organization,organizationalunit,email} to anything longer than those limits will also break the generation.

Even simply entering a long OU in USS breaks the generation (another bug for another day):
- Organisation name (Name der Organisation): ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789BuggyUCS
- Fully qualified host name (Vollständiger Rechnername): xxx.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.zzz
- LDAP base (LDAP-Basis): dc=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,dc=zzz

As univention-ssl does NO error handling, the installation continues and fails miserably after some time, hiding the bug.

RFC 4630 updated it with internationalization concerns, while RFC 5280 replaces the original RFC:
- it still defines ub-common-name=64.
- it states that subjectAltName should be used for hostnames/IPs/URIs, as there are many issues with upper/lower-case handling and international character sets.

Also note that a DNS name has the following limits:

<http://tools.ietf.org/html/rfc1035#section-2.3.4>
> - labels 63 octets or less
> - names 255 octets or less

<http://tools.ietf.org/html/rfc1035#section-2.3.1>
> The labels must follow the rules for ARPANET host names. They must
> start with a letter, end with a letter or digit, and have as interior
> characters only letters, digits, and hyphen. There are also some
> restrictions on the length. Labels must be 63 characters or less.

From that I conclude that there are several cases where the FQDN will not fit into the Common Name (CN), but only the hostname:

<http://stackoverflow.com/questions/21197331/x-509-certificate-is-it-a-good-idea-or-bad-to-add-localhost-in-subject-altern> nicely quotes several sections from RFC5280 which discourage the use of commonName and recommend subAltName:

    9.2.1 Subject Alternative Name Extension
    Certificate Field: extensions:subjectAltName
    Required/Optional: Required

    9.2.2 Subject Common Name Field
    Certificate Field: subject:commonName (OID 2.5.4.3)
    Required/Optional: Deprecated (Discouraged, but not prohibited)

Further findings:
- dhcpd.conf/get-lease-hostnames (univentionDhcpGetLeaseHostnames) does a reverse lookup of the IP and sets the FQDN(!) as "option host-name".
- udhcpd validates this, fails on the '.' used as separator, and sets hostname="bad" - it only expects a hostname (without the domain part!)

Because of that the following can be used to reproduce the bug:

    $ cat >>/etc/dhcp/local.conf <<__DHCP__
    group {
      use-host-decl-names on;
      host ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.phahn.dev {
        fixed-address 10.200.17.225;
        hardware ethernet 52:54:00:13:cb:86;
        option host-name "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
      }
    }
    __DHCP__

The problem is that univention-ssl is pulled in as a dependency of univention-apache ← univention-management-console-frontend ← univention-management-console-module-setup before USS has a chance to configure the host name.
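The limits quoted in the comment above (ub-common-name and the other a_strnid.c bounds, the RFC 1035 label and name lengths) can be checked before openssl is ever invoked, and the FQDN can be moved into subjectAltName when it does not fit into the CN, as the comment recommends. The following is an added example written for this page; it is not code from univention-ssl, make-certificates.sh or OpenSSL, and the fix that was actually committed (r60193) simply removed the interactive prompt. The function names (dn_limit, check_dn_field, check_fqdn, cn_for, req_config) and the generated `openssl req -config` file are this example's own; the numeric bounds are taken from the comment, and the assumption that OpenSSL rejects only strings strictly longer than ub-common-name (64 octets are accepted) is noted in the code.

```shell
#!/bin/sh
# Added example (not univention-ssl or OpenSSL code): apply the limits quoted
# in this bug to a host name and to the DN fields before openssl sees them,
# and fall back to CN=<hostname> plus subjectAltName=DNS:<fqdn> when the FQDN
# does not fit into ub-common-name.  Function names are this example's own.
# Assumed bounds: ub-common-name etc. from a_strnid.c (RFC 5280 Appendix A),
# label <= 63 and name <= 255 octets from RFC 1035 section 2.3.4.

# dn_limit FIELD -> upper bound for that DN attribute, 0 if none is known here
dn_limit() {
    case $1 in
        CN|commonName)             echo 64 ;;
        L|localityName)            echo 128 ;;
        ST|stateOrProvinceName)    echo 128 ;;
        O|organizationName)        echo 64 ;;
        OU|organizationalUnitName) echo 64 ;;
        emailAddress)              echo 128 ;;
        serialNumber)              echo 64 ;;
        *)                         echo 0 ;;
    esac
}

# check_dn_field FIELD VALUE -> 0 if VALUE fits the bound for FIELD, else 1.
# Assumption: ASN1_mbstring_ncopy rejects nchar > maxsize, so exactly 64
# octets pass; the interactive "less than 64 bytes" wording is misleading.
check_dn_field() {
    limit=$(dn_limit "$1")
    value=$2
    [ "$limit" -eq 0 ] || [ "${#value}" -le "$limit" ]
}

# check_fqdn NAME -> 0 if NAME obeys the RFC 1035 label and name rules, else 1
check_fqdn() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 255 ] || return 1
    oldifs=$IFS
    IFS=.
    set -f                       # no pathname expansion while splitting
    set -- $name
    set +f
    IFS=$oldifs
    for label; do
        [ "${#label}" -ge 1 ] && [ "${#label}" -le 63 ] || return 1
        case $label in
            *[!A-Za-z0-9-]*) return 1 ;;   # only letters, digits and hyphen
            -*|*-)           return 1 ;;   # no leading or trailing hyphen
        esac
    done
    return 0
}

# cn_for FQDN -> print the commonName to use: the FQDN when it fits into 64
# octets, otherwise only the host part (the FQDN then lives in the SAN).
cn_for() {
    check_fqdn "$1" || return 1
    if [ "${#1}" -le 64 ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${1%%.*}"
    fi
}

# req_config FQDN -> print an "openssl req -config" file that always carries
# the FQDN and the short host name in subjectAltName (RFC 5280 section 4.2.1.6)
req_config() {
    fqdn=$1
    cn=$(cn_for "$fqdn") || return 1
    cat <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req

[ req_dn ]
CN = $cn

[ v3_req ]
subjectAltName = DNS:$fqdn, DNS:${fqdn%%.*}
EOF
}

# Stand-alone use: sh check-cn.sh <fqdn> [keyfile]  ->  writes req.cnf, host.csr
if [ $# -ge 1 ]; then
    req_config "$1" >req.cnf || { echo "invalid host name: $1" >&2; exit 1; }
    openssl req -new -newkey rsa:2048 -nodes -keyout "${2:-host.key}" \
        -config req.cnf -out host.csr
fi
```

With the 72-octet name from the reproduction above, cn_for yields only the 62-octet host label and req_config still records the full name as a DNS SAN, so the request is accepted by `openssl req` and still names the host the way RFC 5280 asks for; a 64-octet label, a label with a trailing hyphen or a space, and the 70-octet organisation name from the USS example are all rejected before openssl runs instead of looping in the prompt.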
r60191 | Bug #38125 SSL: Update copyright
r60192 | Bug #38125 SSL: Remove interactive usage

I therefore choose to fix univention-ssl and to remove the endless loop there, as USS has all the code to validate the UCS specific limitations like hostname length.

Package: univention-ssl
Version: 9.0.4-4.156.201504241620
Branch: ucs_4.0-0
Scope: errata4.0-1

r60193 | Bug #38125 SSL: Remove interactive usage

YAML 2015-04-24-univention-ssl.yaml
OK, works

univention/setup.log:

    Creating certificate: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.w2k12.test
    Generating RSA private key, 2048 bit long modulus
    ...
    problems making Certificate Request
    140009670063784:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
    ...
    Creating certificate: ucs-9862.www.intranet
    Generating RSA private key, 2048 bit long modulus
    ...

OK - /etc/univention/ssl
OK - univention-ldapsearch -ZZZ
OK - YAML
<http://errata.univention.de/ucs/4.0/187.html>