Bug 40228 - Add diagnostic test for SSL certificates
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.1
Hardware/OS: Other Linux
Priority/Severity: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Lukas Oyen
QA Contact: Florian Best
Duplicates: 35862
Reported: 2015-12-11 15:54 CET by Florian Best
Modified: 2017-11-10 17:07 CET

Bug group (optional): Troubleshooting
Flags: best: Patch_Available+

Attachments
40228-diagnostic-certificate-check-420.patch (14.33 KB, patch)
2017-06-19 18:04 CEST, Lukas Oyen

Description Florian Best univentionstaff 2015-12-11 15:54:28 CET
A test which checks if the correct and up-to-date SSL certificates are installed on all the hosts in the domain would be helpful.

This test could also check if the SAML certificates are the same on every DC backup.

If the test isn't executed on the DC master it should only validate its own certificate by downloading the ucs-root-CA certificate and validating its own against this version. Maybe simpler would be to try an SSL connection to the master.

If the test is executed on the DC master it should execute the test on every UCS-host it is able to reach.

If the test fails a link to http://sdb.univention.de/1000 can be shown.
Comment 1 Lukas Oyen univentionstaff 2017-06-19 18:04:47 CEST
Created attachment 8931 [details]
40228-diagnostic-certificate-check-420.patch

The newly attached `certificate_check.py` checks SSL certificates.

If this check runs on a DC master/backup, the local root-CA/CRL files are used.
Otherwise the root certificate and CRL file are downloaded from the DC master.

This checks the certificates in 'apache2/ssl/certificate',
'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any
certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file
exists).

If a certificate is not yet valid or expired a Critical error is shown. If a
certificate expires within the next 50 days (see bug 35862 comment 0) a Warning
is shown.

As the old version of `python-openssl` (0.14) does not yet support validation
against CRLs, `openssl verify` is used. If `openssl verify` finds any error, a
Critical error is shown.

This does not trigger any checks on other servers in the domain, as that would
require major changes within this diagnostic module.
Comment 2 Lukas Oyen univentionstaff 2017-06-19 18:05:06 CEST
*** Bug 35862 has been marked as a duplicate of this bug. ***
Comment 3 Lukas Oyen univentionstaff 2017-08-01 16:31:46 CEST
Committed in r81624 - r81625 (advisory r81649).
Comment 4 Florian Best univentionstaff 2017-08-01 19:17:33 CEST
I added a test case which runs every diagnostic check in our Jenkins environment on all server roles.

ucs-test (7.0.23-19):
r81667 | Bug #40228: add test case which runs every diagnostic check
Comment 5 Lukas Oyen univentionstaff 2017-08-02 14:34:01 CEST
(In reply to Florian Best from comment #4)
> I added a test case which runs every diagnostic check in our Jenkins
> environment on all server roles.
> 
> ucs-test (7.0.23-19):
> r81667 | Bug #40228: add test case which runs every diagnostic check

Can we have that snippet as the `main()` in /management/univention-management-console-module-diagnostic/umc/python/diagnostic/__init__.py instead of the dummy so we can actually run the modules from the command line?

This would be a preliminary implementation, but better than what is currently available.
Comment 6 Florian Best univentionstaff 2017-08-08 18:33:17 CEST
(In reply to Lukas Oyen from comment #1)
> This checks the certificates in 'apache2/ssl/certificate',
> 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any
> certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file
> exists).
Are they all verified against the DC Master certificate?

We have customer environments which are replacing 'apache2/ssl/certificate', 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some certificate signed by official CAs. These must pass the tests, too!
Comment 7 Lukas Oyen univentionstaff 2017-08-09 10:46:24 CEST
(In reply to Florian Best from comment #6)
> Are they all verified against the DC Master certificate?

Yes, explicitly passed as `-CAfile`.

> We have customer environments which are replacing 'apache2/ssl/certificate',
> 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some
> certificate signed by official CA's. These must pass the tests, too!

Fixed in r81920.
Comment 8 Florian Best univentionstaff 2017-08-09 13:15:20 CEST
If a certificate is broken the following traceback is shown:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 265, in run
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 239, in verify_local
    def verify_local(all_certificates):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 184, in verify
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 154, in _verify_timestamps
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, fob.read())
  File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 1219, in load_certificate
    _raise_current_error()
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
Comment 9 Lukas Oyen univentionstaff 2017-08-10 11:55:37 CEST
(In reply to Florian Best from comment #8)
> If a certificate is broken the following traceback is shown:

Fixed in r81976.
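Added example, not the attached patch and not Univention code: a stand-alone Python 3 sketch of the checks comment 1 describes (not-yet-valid/expired is Critical, expiry within 50 days is Warning, any `openssl verify` error is Critical), which also turns the unparsable-PEM case from comment 8 into a Critical finding instead of a traceback. It reads notBefore/notAfter through `openssl x509 -noout -dates` rather than pyOpenSSL and runs `openssl verify -CAfile` with an optional `-crl_check -CRLfile`; it assumes the openssl CLI is installed, and the function names, severity strings and constant names are my own.

```python
import datetime
import subprocess
import sys

# Threshold from this bug / bug 35862: warn when expiry is within 50 days
WARN_DAYS = 50

UTC = datetime.timezone.utc
PEM_BEGIN = b'-----BEGIN CERTIFICATE-----'
PEM_END = b'-----END CERTIFICATE-----'


def looks_like_pem_certificate(data):
    """Cheap structural check for a PEM certificate.

    A file without a BEGIN/END CERTIFICATE pair is what makes OpenSSL fail with
    'PEM routines ... no start line'; reporting that as a finding instead of
    loading the file avoids the traceback from comment 8.
    """
    return (PEM_BEGIN in data and PEM_END in data
            and data.index(PEM_BEGIN) < data.index(PEM_END))


def parse_openssl_date(text):
    """Parse the timestamp format printed by `openssl x509 -dates`,
    e.g. 'Jun 19 16:04:47 2017 GMT', into an aware UTC datetime."""
    parsed = datetime.datetime.strptime(text.strip(), '%b %d %H:%M:%S %Y %Z')
    return parsed.replace(tzinfo=UTC)


def classify_validity(not_before, not_after, now=None, warn_days=WARN_DAYS):
    """Map a validity window to the diagnostic's severity levels.

    Returns (severity, message) with severity 'critical', 'warning' or 'ok'.
    """
    now = now or datetime.datetime.now(UTC)
    if now < not_before:
        return 'critical', 'certificate is not yet valid (notBefore=%s)' % not_before.isoformat()
    if now > not_after:
        return 'critical', 'certificate expired (notAfter=%s)' % not_after.isoformat()
    remaining = not_after - now
    if remaining < datetime.timedelta(days=warn_days):
        return 'warning', 'certificate expires in %d days (notAfter=%s)' % (
            remaining.days, not_after.isoformat())
    return 'ok', 'certificate valid until %s' % not_after.isoformat()


def read_validity(path):
    """Read notBefore/notAfter with the openssl CLI (assumed to be installed)."""
    proc = subprocess.run(['openssl', 'x509', '-noout', '-dates', '-in', path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ValueError(proc.stderr.strip())
    dates = {}
    for line in proc.stdout.splitlines():
        key, _, value = line.partition('=')
        dates[key.strip()] = parse_openssl_date(value)
    return dates['notBefore'], dates['notAfter']


def verify_against_ca(path, ca_file, crl_file=None):
    """Chain (and optional revocation) check via `openssl verify`, the same tool
    the module uses because pyOpenSSL 0.14 cannot validate against a CRL.
    Any verify error is Critical."""
    cmd = ['openssl', 'verify', '-CAfile', ca_file]
    if crl_file:
        cmd += ['-crl_check', '-CRLfile', crl_file]
    cmd.append(path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return 'critical', (proc.stdout + proc.stderr).strip()
    return 'ok', proc.stdout.strip()


def check_certificate(path, ca_file, crl_file=None, now=None):
    """Run all checks on one certificate file; returns a list of findings."""
    try:
        with open(path, 'rb') as fob:
            data = fob.read()
    except OSError as exc:
        return [('critical', '%s: cannot read certificate: %s' % (path, exc))]
    if not looks_like_pem_certificate(data):
        return [('critical', '%s: not a PEM certificate (no BEGIN/END CERTIFICATE lines)' % path)]
    try:
        not_before, not_after = read_validity(path)
    except ValueError as exc:
        return [('critical', '%s: cannot parse certificate: %s' % (path, exc))]
    findings = []
    severity, message = classify_validity(not_before, not_after, now=now)
    findings.append((severity, '%s: %s' % (path, message)))
    severity, message = verify_against_ca(path, ca_file, crl_file)
    findings.append((severity, '%s: %s' % (path, message)))
    return findings


if __name__ == '__main__':
    # usage: check_certs.py CERT CAFILE [CRLFILE]; exit status 0/1/2 = ok/warning/critical
    if len(sys.argv) < 3:
        sys.exit('usage: %s CERT CAFILE [CRLFILE]' % sys.argv[0])
    worst = 0
    for severity, message in check_certificate(sys.argv[1], sys.argv[2], *sys.argv[3:4]):
        print('%s: %s' % (severity.upper(), message))
        worst = max(worst, {'ok': 0, 'warning': 1, 'critical': 2}[severity])
    sys.exit(worst)
```

The pre-check and the timestamp classification are pure Python, so they can be unit-tested without a CA; the two `openssl` calls are isolated in `read_validity` and `verify_against_ca`, which is also where a pyOpenSSL-based implementation would plug in once it supports CRL checks.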
Comment 10 Florian Best univentionstaff 2017-09-04 15:44:30 CEST
Okay, looks good.
Comment 11 Erik Damrose univentionstaff 2017-09-20 15:03:47 CEST
<http://errata.software-univention.de/ucs/4.2/166.html>