Bug 39476 - Allow Apache restart during remote setup
Product: UCS
Classification: Unclassified
Component: System setup
UCS 4.1
Other Linux
: P5 normal
: UCS 4.1
Assigned To: Felix Botner
Stefan Gohmann
: interim-2
Blocks: 38820 39573
Reported: 2015-10-05 16:38 CEST by Stefan Gohmann
Modified: 2015-11-17 12:12 CET

Description Stefan Gohmann univentionstaff 2015-10-05 16:38:26 CEST
Currently, the Apache restart is blocked during the system setup. The restart uses the new SSL configuration / certificate. If the setup is done via HTTPS on an external browser, the browser won't get a valid answer.

We should load the new certificate after the setup has been finished even if apache is restarted during the setup.

After fixing this issue, the apache reload workaround should be removed from the SAML join script.
Comment 1 Felix Botner univentionstaff 2015-10-15 13:47:35 CEST
setup-join.sh now calls /usr/share/univention-updater/disable-apache2-umc with "--exclude-apache" (no longer removes execution bits from apache), copies the current certificate, key and ca to temporary files and sets apache2/ssl variables to these files.

Even if apache is restarted during setup (which is now possible) the old certificates are used.

The cleanup script cleanup-pre.d/99_restart_umc simply unsets the apache2/ssl variables and restarts apache. So after the cleanup apache ssl uses the new certificates (created during setup).

univention-system-setup: r64511
changelog: r64512
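
The approach described in comment 1, as an added example that is not the code committed in r64511: the certificate, key and CA are copied into a private temporary directory, Apache is pointed at the copies, and the cleanup step removes both the overrides and the key copy. The function names, the `setup-tls.XXXXXX` directory name and the exact variable names `apache2/ssl/certificate`, `apache2/ssl/key` and `apache2/ssl/ca` are assumptions; the comment only says "apache2/ssl variables".

```shell
#!/bin/sh
# Added example, not the univention-system-setup code.
# Assumed: the `ucr` CLI (override with $UCR) and the three variable names below.
UCR="${UCR:-ucr}"

# pin_tls CERT KEY CA: copy the live TLS files and point Apache at the copies.
# Prints the directory holding the copies on stdout.
pin_tls() {
    cert=$1; key=$2; ca=$3
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # mktemp -d creates the directory 0700, so the key copy is never exposed
    dir=$(mktemp -d "${TMPDIR:-/tmp}/setup-tls.XXXXXX") || return 1
    (
        umask 077   # copies get no group or other permission bits
        cp "$cert" "$dir/cert.pem" &&
        cp "$key" "$dir/private.key" &&
        cp "$ca" "$dir/ca.pem"
    ) || { rm -rf "$dir"; return 1; }
    $UCR set "apache2/ssl/certificate=$dir/cert.pem" \
        "apache2/ssl/key=$dir/private.key" \
        "apache2/ssl/ca=$dir/ca.pem" >&2 || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# unpin_tls DIR: remove the overrides and the key copy; the caller then
# restarts Apache so it loads the certificate created during setup.
unpin_tls() {
    dir=$1
    case $dir in
        */setup-tls.??????) ;;
        *) echo "refusing to remove unexpected path: $dir" >&2; return 1 ;;
    esac
    $UCR unset apache2/ssl/certificate apache2/ssl/key apache2/ssl/ca >&2 || return 1
    rm -rf "$dir"
}
```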
Comment 2 Stefan Gohmann univentionstaff 2015-10-27 07:35:31 CET
The remote HTTPS configuration via system setup is now possible and I've removed the apache reload workaround from the SAML join script. The apache is restarted during the setup.

Changelog: OK
Comment 3 Stefan Gohmann univentionstaff 2015-11-17 12:12:18 CET
UCS 4.1 has been released:

If this error occurs again, please use "Clone This Bug".