Bug 38125 - Installation gets stuck in univention-ssl.postinst
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UCS Installer
Version: UCS 4.0
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-1-errata
Assigned To: Philipp Hahn
QA Contact: Felix Botner
Reported: 2015-03-25 07:04 CET by Stefan Gohmann
Modified: 2015-07-09 09:00 CEST (History)
Description Stefan Gohmann univentionstaff 2015-03-25 07:04:36 CET
We received the feedback that an installation got stuck at univention-ssl.postinst

Ticket #2015032021000372

It looks like the UCS system receives a hostname/domainname which is too long for the certificate generation. The following error message occurred:
 string is too long, it needs to be less than 64 bytes long

The UCS installer should not use the hostname / domainname received via DHCP because it is overwritten by system-setup.
Comment 1 Philipp Hahn univentionstaff 2015-04-24 16:25:05 CEST
$ . /usr/share/univention-ssl/make-certificates.sh
$ gencert /etc/univention/ssl/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev

Common Name (eg, YOUR name) [0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.phahn.dev]:string is too long, it needs to be less than  64 bytes long


There are several limits defined from RFC3280 in openssl/crypto/asn1/a_strnid.c:
#define ub_name                         32768
#define ub_common_name                  64
#define ub_locality_name                128
#define ub_state_name                   128
#define ub_organization_name            64
#define ub_organization_unit_name       64
#define ub_title                        64
#define ub_email_address                128
#define ub_serial_number                64

So setting the UCRVs ssl/{country,state,locality,organization,organizationalunit,email} to anything longer than those limits will also break the generation.

Even simply entering a long OU in USS breaks the generation (another bug for another day):
- Organisation name: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789BuggyUCS
- Fully qualified hostname: xxx.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.zzz
- LDAP base: dc=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,dc=zzz
As univention-ssl does NO error handling, the installation continues and fails miserably after some time hiding the bug.


RFC 4630 updated it with internationalization concerns, while RFC 5280 replaces the original RFC:
- it still defines ub-common-name=64.
- it states that subjectAltName should be used for hostnames/IPs/URIs, as there are many issues with upper/lower-case handling and international character sets.

Also note, that a DNS name has the following limits: 
<http://tools.ietf.org/html/rfc1035#section-2.3.4>
> - labels          63 octets or less
> - names           255 octets or less

<http://tools.ietf.org/html/rfc1035#section-2.3.1>
> The labels must follow the rules for ARPANET host names.  They must
> start with a letter, end with a letter or digit, and have as interior
> characters only letters, digits, and hyphen.  There are also some
> restrictions on the length.  Labels must be 63 characters or less.


From that I conclude that there are several cases where the FQDN will not fit into the Common Name (CN), but only the hostname: <http://stackoverflow.com/questions/21197331/x-509-certificate-is-it-a-good-idea-or-bad-to-add-localhost-in-subject-altern> nicely quotes several sections from RFC5280 which discourage the use of commonName and recommend subAltName:

9.2.1 Subject Alternative Name Extension    
Certificate Field: extensions:subjectAltName
Required/Optional: Required

9.2.2 Subject Common Name Field 
Certificate Field: subject:commonName (OID 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)


Further finding:
- dhcpd.conf/get-lease-hostnames (univentionDhcpGetLeaseHostnames) does a reverse lookup of the IP and sets the FQDN(!) as "option hostname".
- udhcpd validates this, fails on the '.' used as separator, and sets hostname="bad" - it only expects a hostname (without the domain part!)

Because of that, the following can be used to reproduce the bug:

$ cat >>/etc/dhcp/local.conf <<__DHCP__
group {
        use-host-decl-names on;
        host ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.phahn.dev {
                fixed-address 10.200.17.225;
                hardware ethernet 52:54:00:13:cb:86;
                option host-name "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        }
}
__DHCP__

The problem is that univention-ssl is pulled in as a dependency of univention-apache ← univention-management-console-frontend ← univention-management-console-module-setup before USS has a chance to configure the host name.

r60191 | Bug #38125 SSL: Update copyright
r60192 | Bug #38125 SSL: Remove interactive usage
I therefore chose to fix univention-ssl and to remove the endless loop there, as USS has all the code to validate the UCS specific limitations like hostname length.

Package: univention-ssl
Version: 9.0.4-4.156.201504241620
Branch: ucs_4.0-0
Scope: errata4.0-1

r60193 | Bug #38125 SSL: Remove interactive usage YAML
2015-04-24-univention-ssl.yaml
Comment 2 Felix Botner univentionstaff 2015-05-05 13:43:20 CEST
OK, works

univention/setup.log:
Creating certificate: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.w2k12.test
Generating RSA private key, 2048 bit long modulus
...
problems making Certificate Request
140009670063784:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
...
Creating certificate: ucs-9862.www.intranet
Generating RSA private key, 2048 bit long modulus
...

OK - /etc/univention/ssl
OK - univention-ldapsearch -ZZZ

OK - YAML
Comment 3 Janek Walkenhorst univentionstaff 2015-05-07 17:41:03 CEST
<http://errata.univention.de/ucs/4.0/187.html>