Univention Bugzilla – Bug 39849
block update to 4.1-0 if ssl/default/hashfunction=md5
Last modified: 2019-01-03 07:22:47 CET
At least wget (GnuTLS) no longer supports the md5WithRSAEncryption signature algorithm in certificates, so wget over https fails. Therefore 92univention-management-console-web-server.inst failed on my system, because management/univention-management-console-frontend/conffiles/setup_saml_sp.py wants to download some metadata from https://ucs-sso... with wget.

Another problem is that after changing ssl/default/hashfunction to sha256 and renewing all my certificates the "signature algorithm" was still md5, because /etc/univention/ssl/openssl.cnf is not updated when setting ssl/default/hashfunction and the default_md remains md5. I had to manually replace the default_md setting in openssl.cnf and then renew the certificates.
Also happened in Ticket#2016012721000469.
To change the hashing function in /etc/univention/ssl/openssl.cnf:

# cd /etc/univention/ssl/
# eval "$(ucr shell)"
# . /usr/share/univention-ssl/make-certificates.sh
# mk_config openssl.cnf "$(cat password)" "$ssl_default_days" "$ssl_common"
UCS-4.1 is out of maintenance, but UCS-3.3 is still maintained, so those systems will get this problem when they finally upgrade to UCS-4.x.
If anyone stumbles over this (like me) while running join scripts and is stopping on RUNNING 92univention-management-console-web-server.inst with:

GnuTLS: The signature algorithm is not supported.
Unable to establish SSL connection.

here is a "workaround" solution until you definitely need to renew all your certificates as described here: https://help.univention.com/t/renewing-the-ssl-certificates/37

First you should set ssl/default/hashfunction to sha256 as suggested in the initial post (otherwise the update to 4.3 will do this, see point 6.3 of http://docs.software-univention.de/release-notes-4.3-0-en.html). Then:

eval "$(ucr shell)"
eval "$(ucr shell domainname)"
cd /etc/univention/ssl

Verify in openssl.cnf that the algorithm is set to default_md = sha256, then run

univention-certificate renew -name ucs-sso.${domainname} -days 365

to renew only the SSO cert, and then

cp "/etc/univention/ssl/ucs-sso.${domainname}/cert.pem" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.crt"
cp "/etc/univention/ssl/ucs-sso.${domainname}/private.key" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.key"
service univention-saml restart

Finally univention-run-join-scripts should run through with no errors. This worked for me. If you already have Service Providers connected, of course you need to renew them too, see the cert renewal link above.
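Before renewing, it helps to know which certificates under /etc/univention/ssl still carry an MD5 signature after the openssl.cnf fix from comment 2 and the renew procedure above. The following is an added example, not code from the bug report or from Univention: a standard-library Python script that walks a directory of PEM files and reports every certificate whose outer signatureAlgorithm is md5WithRSAEncryption (it also flags sha1WithRSAEncryption). The default path /etc/univention/ssl, the *.pem/*.crt name filter and all function names are the script's own assumptions, and the certificate it checks when run stand-alone is a constructed DER shell, not a real UCS certificate.

```python
"""Added example (not code from the bug report or from UCS): report PEM certificates
whose outer signature algorithm is MD5 (or SHA-1), the ones GnuTLS-backed wget rejects.
Standard library only: the DER walker reads just enough of an X.509 Certificate to
reach signatureAlgorithm, so neither openssl(1) nor the cryptography package is needed."""
import base64, os, re, sys

# PKCS#1 signature algorithm OIDs (RFC 8017).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# MD5 is what this bug is about; SHA-1 certificate signatures are deprecated as well.
WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")  # e.g. a private key or CRL
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(pem_text):
    """Name (or dotted OID) of the outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(pem_to_der(pem_text), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = _decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)

def is_weak(pem_text):
    return signature_algorithm(pem_text) in WEAK_ALGORITHMS

def scan_dir(root):
    """Yield (path, algorithm) for every weakly signed *.pem / *.crt below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".pem", ".crt")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="ascii", errors="ignore") as fh:
                    alg = signature_algorithm(fh.read())
            except (ValueError, IndexError):
                continue  # not a certificate, or truncated/garbage DER
            if alg in WEAK_ALGORITHMS:
                yield path, alg

# Constructed sample input (NOT a real certificate): a structurally valid Certificate
# shell with an empty tbsCertificate and a dummy signature, enough to drive the parser.
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid):
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Self-check on the constructed sample, then scan the given (or default) tree.
    print("sample:", signature_algorithm(fake_cert_pem("1.2.840.113549.1.1.4")))
    for path, alg in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "/etc/univention/ssl"):
        print(f"{alg}: {path}")
```

Run it as root on the affected host (the file name is an assumption): `python3 find_md5_certs.py /etc/univention/ssl` lists every host directory whose cert.pem still needs `univention-certificate renew`; for a single file, `openssl x509 -noout -text -in cert.pem | grep 'Signature Algorithm'` gives the same answer. Reading only the outer AlgorithmIdentifier is deliberate: that is the field GnuTLS checks before it will even verify the signature, so a certificate whose tbsCertificate says sha256 but whose outer algorithm says md5 is still rejected.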
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.