Univention Bugzilla – Bug 40228
Add diagnostic test for SSL certificates
Last modified: 2017-11-10 17:07:14 CET
A test which checks if the correct and up-to-date SSL certificates are installed on all the hosts in the domain would be helpful. This test could also check if the SAML certificates are the same on every DC backup. If the test isn't executed on the DC master it should only validate its own certificate by downloading the ucs-root-CA certificate and validating its own against this version. Maybe simpler would be to try an SSL connection to the master. If the test is executed on the DC master it should execute the test on every UCS host it is able to reach. If the test fails a link to http://sdb.univention.de/1000 can be shown.
Created attachment 8931: 40228-diagnostic-certificate-check-420.patch

The new attached `certificate_check.py` checks SSL certificates. If this check runs on a DC master/backup, the local root-CA/CRL files are used. Otherwise the root certificate and CRL file are downloaded from the DC master. This checks the certificates in 'apache2/ssl/certificate', 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file exists). If a certificate is not yet valid or expired, a Critical error is shown. If a certificate expires within the next 50 days (see bug 35862 comment 0), a Warning is shown. As the old version of `python-openssl` (0.14) does not yet support validation against CRLs, `openssl verify` is used. If `openssl verify` finds any error, a Critical error is shown. This does not trigger any checks on other servers in the domain, as that would require major changes within this diagnostic module.
*** Bug 35862 has been marked as a duplicate of this bug. ***
Committed in r81624 - r81625 (advisory r81649).
I added a test case which runs every diagnostic check in our Jenkins environment on all server roles.

ucs-test (7.0.23-19):
r81667 | Bug #40228: add test case which runs every diagnostic check
(In reply to Florian Best from comment #4)
> I added a test case which runs every diagnostic check in our Jenkins
> environment on all server roles.
>
> ucs-test (7.0.23-19):
> r81667 | Bug #40228: add test case which runs every diagnostic check

Can we have that snippet as the `main()` in /management/univention-management-console-module-diagnostic/umc/python/diagnostic/__init__.py instead of the dummy so we can actually run the modules from the command line? This would be a preliminary implementation, but better than what is currently available.
(In reply to Lukas Oyen from comment #1)
> This checks the certificates in 'apache2/ssl/certificate',
> 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any
> certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file
> exists).

Are they all verified against the DC Master certificate? We have customer environments which are replacing 'apache2/ssl/certificate', 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some certificate signed by official CAs. These must pass the tests, too!
(In reply to Florian Best from comment #6)
> Are they all verified against the DC Master certificate?

Yes, explicitly passed as `-CAfile`.

> We have customer environments which are replacing 'apache2/ssl/certificate',
> 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some
> certificate signed by official CA's. These must pass the tests, too!

Fixed in r81920.
If a certificate is broken the following traceback is shown:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 265, in run
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 239, in verify_local
    def verify_local(all_certificates):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 184, in verify
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 154, in _verify_timestamps
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, fob.read())
  File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 1219, in load_certificate
    _raise_current_error()
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
(In reply to Florian Best from comment #8)
> If a certificate is broken the following traceback is shown:

Fixed in r81976.
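The two failure classes discussed in this bug, the validity-window checks from comment 1 (Critical for not-yet-valid or expired, Warning within 50 days of expiry) and the unhandled "no start line" crash from comment 8, are shown together below in an added, self-contained example. It is not the `certificate_check.py` from the attached patch and does not use pyOpenSSL; instead it extracts notBefore/notAfter from the DER with a small hand-written TLV walker using only the standard library, and wraps `openssl verify -CAfile ... -CRLfile ... -crl_check` for chain and CRL validation the same way the patch description says the real check does. The certificate skeletons it checks are constructed in the block (unsigned, empty names, just enough DER for the validity field), and the reference time, threshold constant name and function names are assumptions of this example.

```python
"""Added example: validity-window and PEM-sanity checks for a certificate file.

Not the project's own code. Uses only the standard library; the chain check
shells out to `openssl verify`, as the patch in this bug does, because the
pyOpenSSL version mentioned there (0.14) cannot validate against a CRL.
"""
import base64
import datetime as dt
import re
import shutil
import subprocess

WARN_DAYS = 50  # from comment 1: warn when expiry is within the next 50 days (assumed constant name)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block, or raise ValueError.

    A file without a BEGIN/END block is exactly what OpenSSL reports as
    'PEM routines ... no start line' (the traceback in comment 8).
    """
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no start line: no PEM CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop the 64/76-column line breaks
    return base64.b64decode(body, validate=True)  # binascii.Error is a ValueError


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) value."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):  # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    tag_b, not_before, nxt = _read_tlv(validity, 0)
    tag_a, not_after, _ = _read_tlv(validity, nxt)
    return _parse_time(tag_b, not_before), _parse_time(tag_a, not_after)


def classify(not_before, not_after, now):
    """Map a validity window to the diagnostic levels described in comment 1."""
    if now < not_before:
        return ("critical", "not yet valid")
    if now > not_after:
        return ("critical", "expired")
    remaining = (not_after - now).days
    if remaining < WARN_DAYS:
        return ("warning", "expires in %d days" % remaining)
    return ("ok", "")


def check_certificate(pem_text, now):
    """Never let a malformed file escape as a traceback; report it as Critical instead."""
    try:
        not_before, not_after = certificate_validity(pem_to_der(pem_text))
    except (ValueError, IndexError, UnicodeDecodeError) as err:
        return ("critical", "unreadable certificate: %s" % err)
    return classify(not_before, not_after, now)


def verify_chain(cert_path, ca_path, crl_path=None):
    """Chain/CRL check via the openssl CLI; returns (ok_or_None, message)."""
    openssl = shutil.which("openssl")
    if openssl is None:
        return (None, "openssl binary not found; chain check skipped")
    cmd = [openssl, "verify", "-CAfile", ca_path]
    if crl_path:
        cmd += ["-CRLfile", crl_path, "-crl_check"]
    proc = subprocess.run(cmd + [cert_path], capture_output=True, text=True)
    return (proc.returncode == 0, (proc.stderr or proc.stdout).strip())


def _tlv(tag, body):
    """DER encoder used only to build the constructed sample certificates below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_pem(not_before, not_after):
    """CONSTRUCTED sample: an unsigned certificate skeleton carrying only a validity window."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                 + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                 + _tlv(0x30, b"") + _tlv(0x30, utc(not_before) + utc(not_after))
                 + _tlv(0x30, b"") + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode("ascii")


def run_demo():
    """Run the checks over constructed inputs at a fixed (constructed) reference time."""
    now = dt.datetime(2017, 11, 10, 16, 7, 14, tzinfo=dt.timezone.utc)
    day = dt.timedelta(days=1)
    cases = {
        "valid": constructed_pem(now - 365 * day, now + 400 * day),
        "expiring": constructed_pem(now - 365 * day, now + 10 * day),
        "expired": constructed_pem(now - 400 * day, now - 1 * day),
        "not_yet_valid": constructed_pem(now + 1 * day, now + 400 * day),
        "broken": "this is not a PEM file\n",  # the comment 8 situation
    }
    return {name: check_certificate(pem, now) for name, pem in cases.items()}


if __name__ == "__main__":
    for name, (level, detail) in run_demo().items():
        print("%-14s %-9s %s" % (name, level, detail))
```

`verify_chain` is only a thin wrapper so the example stays runnable without a CA; on a UCS host the CA file would be the root certificate described in comment 1 and `crl_path` the matching CRL.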
Okay, looks good.
<http://errata.software-univention.de/ucs/4.2/166.html>