Univention Bugzilla – Bug 38859
Generating a certificate fails if len(FQDN) > 64; join stalls
Last modified: 2017-04-07 10:22:59 CEST
If a new system wants to join, the DC generates a certificate for it in a listener script. This certificate includes the new system's FQDN. If this FQDN is too long, the generation process exits with "CERTIFICATE: can't create certificate, Common Name too long: %s". The joining system waits forever while trying "scp $DC:/certificate certficate" over and over again.
Removed the check completely in univention-ssl 9.0.5-1.158.201507081421
FQDN is limited to about 256 chars IIRC. Yet this is not the right place to check it.
(In reply to Dirk Wiesenthal from comment #1)
> Removed the check completely in
> univention-ssl 9.0.5-1.158.201507081421
FAIL!
> FQDN is limited to somewhat 256 chars IIRC. Yet this is not the right place
> to check it.
Bug #38125 comment 1, especially the part about "ub-common-name"!
FYI: wget (<< 1.13 UCS-3.2) does not support "X509v3 Subject Alternative Name":
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743290>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409938>
<https://savannah.gnu.org/bugs/index.php?20421>

$ LANG=C wget -S -O/dev/null http://www.univention.de/en/products/ucs/app-catalogue-for-univention-corporate-server/
...
  Location: https://www.univention.com/products/ucs/app-catalogue-for-univention-corporate-server/
...
ERROR: certificate common name `univention.com' doesn't match requested host name `www.univention.com'.

$ openssl s_client -connect univention.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep univention
        Subject: CN=univention.com
                DNS:univention.com, DNS:www.univention.com
* The openssl configuration of the ucsCA is changed to copy extensions from CSRs to certificates.
* If len(FQDN) > 64, the openssl configuration for generating the certificate gets "subjectAltName" added and the hostname is used as CN.
* If len(hostname) > 63, the hostname is replaced with "hostname-to-long", so non-interactive scripts and the listener don't crash, but the user notices the problem (when trying to use it).

If len(FQDN) > 64 a new section is added to the resulting /etc/univention/ssl/$fqdn/cert.pem:
-----------------
X509v3 Subject Alternative Name:
    DNS:$hostname, DNS:$hostname.$domainname
-----------------

Commit: 63663
Commit 63695 changes the behavior:
* the fqdn is always written to SAN
* if the length of the fqdn is > 64: the hostname (w/o domain) is used for CN and added to SAN, else the fqdn is used in the CN too
* if openssl terminates with an error, an exception is raised by the listener
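An added illustration, not code from univention-ssl or from any patch on this bug, of the rule this comment describes: the FQDN always goes into the SAN, the CN falls back to the bare hostname once the FQDN exceeds the 64-character X.509 CN limit, and the name is first checked against the RFC 1035 limits (labels 63 octets, names 255 octets) and the letters-digits-hyphen alphabet, so an unexpected character is rejected before the name is ever handed to make-certificates.sh. Function names and the example.com domain are assumptions.

```python
# Added example for Bug #38859; not code from univention-ssl or from the
# patches attached here. Function and constant names are assumptions.
import re

MAX_CN = 64       # X.509 ub-common-name, the limit the listener script tripped over
MAX_LABEL = 63    # RFC 1035 section 2.3.4: labels 63 octets or less
MAX_NAME = 255    # RFC 1035 section 2.3.4: names 255 octets or less
# LDH rule: letters, digits and hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_fqdn(fqdn):
    """Return a list of problems with fqdn; an empty list means it is usable.

    Besides the DNS length limits this rejects every character outside the
    LDH alphabet, so a name carrying shell metacharacters is refused before
    it can reach a shell script at all."""
    problems = []
    if len(fqdn) > MAX_NAME:
        problems.append("name longer than %d octets" % MAX_NAME)
    for label in fqdn.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL:
            problems.append("label %r longer than %d octets" % (label, MAX_LABEL))
        elif not LABEL_RE.match(label):
            problems.append("label %r has characters outside [A-Za-z0-9-]" % label)
    return problems


def cert_names(fqdn):
    """Apply the rule from commit 63695: the FQDN always goes into the SAN;
    the CN is the FQDN while it fits into 64 characters, otherwise the bare
    hostname, which is then listed in the SAN as well."""
    hostname = fqdn.split(".", 1)[0]
    if len(fqdn) > MAX_CN:
        return hostname, [hostname, fqdn]
    return fqdn, [fqdn]


def openssl_san_line(fqdn):
    """Render the subjectAltName line for the openssl extension section."""
    _cn, names = cert_names(fqdn)
    return "subjectAltName = " + ", ".join("DNS:%s" % n for n in names)


if __name__ == "__main__":
    # Constructed sample names; example.com is a placeholder domain.
    for name in ("host.example.com",
                 "abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.example.com"):
        print(name, validate_fqdn(name) or openssl_san_line(name))
```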
BTW: cool new FQDN: "test.exa.mpl;\"touch /mkrootshell\"" :D But works only if initiated by creating/changing a hostname (join, UMC/UDM) → needs Administrator group level access.
Created attachment 7166 [details]
patch for security hole

(In reply to Daniel Tröder from comment #6)
> BTW: cool new FQDN: "test.exa.mpl;\"touch /mkrootshell\"" :D
>
> But works only if initiated by creating/changing a hostname (join, UMC/UDM)
> → needs Administrator group level access.

This is not nice. The attached patch should fix it?!
Created attachment 7167 [details]
patch for security hole

Missing argument + import.
Created attachment 7168 [details]
patch for security hole

Simpler.
r63728: applied patch - thank you!
FAIL: UMC/UDM still complains about |FQDN| >= 64
abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
$ udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ --set network="$(udm networks/network list|sed -ne 's/^DN: //p;T;q')"

management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py:
1769     def check_common_name_length(self):
1770         univention.debug.debug( univention.debug.ADMIN, univention.debug.INFO, 'check_common_name_length with …
1771         if len(self['ip']) > 0 and len(self['dnsEntryZoneForward']) > 0:
1772             for zone in self['dnsEntryZoneForward']:
1773                 if zone == '':
1774                     continue
1775                 zoneName = univention.admin.uldap.explodeDn( zone[ 0 ], 1 )[ 0 ]
1776                 if len(zoneName) + len(self['name']) >= 63:
1777                     univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'simpleComputer: len…
1778                     raise univention.admin.uexceptions.commonNameTooLong

Quote from Bug #38125 comment 1:
> Also note, that a DNS name has the following limits:
> <http://tools.ietf.org/html/rfc1035#section-2.3.4>
>
> - labels 63 octets or less
>
> - names 255 octets or less

FAIL: udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
subjectAltName is not copied from request to certificate
→ an existing /etc/univention/ssl/openldap.conf is missing the "copy_extensions = copy"

OK: /var/log/univention/listener.log
OK: openssl x509 -noout -subject -in cert.pem -nameopt multiline

FAIL: Deleting the host and re-adding it fails:
$ udm computers/memberserver remove --dn "cn=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ,cn=computers,$(ucr get ldap/base)"
$ udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
$ tail /var/log/univention/listener.log
failed to update database
TXT_DB error number 2
unable to write 'random state'
This is because the certificate does not get revoked on removal:
$ . make-certificates.sh
$ list_cert_names
$ revoke_cert abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ

FAIL: has_valid_cert() does not work with long FQDNs:
(. /usr/share/univention-ssl/make-certificates.sh; has_valid_cert abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname); echo $?)
This is why the old computer certificate is not revoked!

OK: r63728
Next time no need for a tempfile:
sh -c 'echo 0=$0 1=$1 2=$2' a b c
subprocess.call(('sh', '-c', '. /usr/share/univention-ssl/make-certificates.sh && gencert "$@"', '-', fqdn, fqdn))
And why not use »/usr/sbin/univention-certificate new -name "$name"« as all other listener handlers do?

FAIL: r63695 bashism vs. /bin/sh

FAIL: r63663 subjectAltName is not copied from request to certificate as "copy_extensions = copy" does not get added to an existing /etc/univention/ssl/openssl.conf [CA_default]. This requires a new CA hierarchy to be initialized with renewing every certificate.

SKIP: r63011

FAIL: extensions-example.sh now no longer works!
...

FYI: ~phahn/BUG/38859-SSL-Check-maximum-length-of-SSL-fields.patch
Fixed in 64182. Added changelog entry.
Missed univention-system-setup and changelog in commit. It is in 64183.
OK: r64182
OK: r64183

The tool is somehow inconsistent with its handling of FQDN vs. HOSTNAME:
OK: DEBIAN_FRONTEND=noninteractive aptitude -y install '?source-package(univention-system-setup)~i'
OK: maxLength @ UMC-USS
OK: DEBIAN_FRONTEND=noninteractive aptitude -y install '?source-package(univention-ssl)?not(?name(udeb))~i'
OK: univention-certificate list
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz-0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz-01234-56789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname) # too long
OK: univention-certificate check -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
FAIL: univention-certificate check -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
FAIL: univention-certificate dump -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate dump -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
FAIL: univention-certificate renew -days 31 -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate renew -days 31 -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate revoke -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate revoke -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: python -c '
from M2Crypto import X509
from sys import argv
f = argv[1]
c = X509.load_cert(f)
e = c.get_ext("subjectAltName")
v = e.get_value()
a = v.split(", ")
a = [_[len("DNS:"):] for _ in a if _.startswith("DNS:")]
print a
' abcdefghijklmnopqrstuvwxyz-0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)/cert.pem
OK: ucr set ssl/organization=01234567890123456789012345678901234567890123456789012345678901234
(. /usr/share/univention-ssl/make-certificates.sh; set -x; init) # ssl/organization too long; max 64
FIXED: ucr set ssl/country=01 \
  ssl/state=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 \
  ssl/locality=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 \
  ssl/organization=0123456789012345678901234567890123456789012345678901234567890123 \
  ssl/organizationalunit=0123456789012345678901234567890123456789012345678901234567890123 \
  ssl/email=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 \
  ssl/common=0123456789012345678901234567890123456789012345678901234567890123
(. /usr/share/univention-ssl/make-certificates.sh; set -x; init)
# -bash: $5 ist nicht gesetzt.
# cp: reguläre Datei „ucsCA/newcerts/00.pem“ kann nicht angelegt werden: Datei oder Verzeichnis nicht gefunden

FYI: The symlink "HOSTNAME -> FQDN" is only created by the listener; using the CLI directly does not create the link automatically; it must be done manually.

r64184 | Bug #38859 ssl: Fix init()

Package: univention-ssl
Version: 10.0.0-6.163.201510022116
Branch: ucs_4.1-0
The 4.1 installation now fails:
Oct 4 13:42:07 in-target: Setting up univention-ssl (10.0.0-6.163.201510022116) ...
Oct 4 13:42:07 in-target: Create ssl/country
Oct 4 13:42:07 in-target: Create ssl/state
Oct 4 13:42:07 in-target: Create ssl/locality
Oct 4 13:42:07 in-target: Create ssl/organization
Oct 4 13:42:07 in-target: Create ssl/organizationalunit
Oct 4 13:42:07 in-target: Create ssl/common
Oct 4 13:42:07 in-target: Create ssl/email
Oct 4 13:42:07 in-target: Create ssl/default/days
Oct 4 13:42:07 in-target: Create ssl/validity/warning
Oct 4 13:42:07 in-target: Create ssl/validity/check
Oct 4 13:42:07 in-target: Create ssl/default/hashfunction
Oct 4 13:42:07 in-target: Create ssl/default/bits
Oct 4 13:42:07 in-target: Sun Oct 4 09:42:07 EDT 2015
Oct 4 13:42:07 in-target: Generating RSA private key, 2048 bit long modulus
...
Oct 4 13:42:07 in-target: '
Oct 4 13:42:07 in-target: Certificate is to be certified until
Oct 4 13:42:07 in-target: Oct 2 13:42:07 2020 GMT
Oct 4 13:42:07 in-target: (1825 days)
Oct 4 13:42:07 in-target:
Oct 4 13:42:07 in-target:
Oct 4 13:42:07 in-target: Write out database with 1 new entries
Oct 4 13:42:07 in-target: Data Base Updated
Oct 4 13:42:07 in-target: /var/lib/dpkg/info/univention-ssl.postinst: line 85: configure: unbound variable
Oct 4 13:42:07 in-target: dpkg: error processing univention-ssl (--configure):
Oct 4 13:42:07 in-target: subprocess installed post-installation script returned error exit status 1
Oct 4 13:42:07 in-target: dpkg: dependency problems prevent configuration of univention-apache:
Oct 4 13:42:07 in-target: univention-apache depends on univention-ssl; however:
Oct 4 13:42:07 in-target: Package univention-ssl is not configured yet.

I'm not sure if this issue is the cause for it, but some days ago the 4.1 installation worked.
Created attachment 7200 [details] Debian installer syslog
(In reply to Stefan Gohmann from comment #15)
> Oct 4 13:42:07 in-target: /var/lib/dpkg/info/univention-ssl.postinst: line
> 85: configure: unbound variable

I've fixed this error: r64193
The DVD installation works again.
OK: ucr set ssl/host/extensions=$PWD/extensions-example.sh
OK: r64205
FIXED: sslbase=/some/where/else univention-certificate dump
r64209 | Bug #38859 ssl: Fix hard-coded SSL base
ADDED: r64210 | Bug #38859 ssl: Add unit test
VERIFIED
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
*** Bug 31368 has been marked as a duplicate of this bug. ***
*** Bug 34101 has been marked as a duplicate of this bug. ***
*** Bug 34102 has been marked as a duplicate of this bug. ***
*** Bug 32763 has been marked as a duplicate of this bug. ***