Univention Bugzilla – Bug 41230
Server certificate is revoked and newly generated if a member server is moved in the LDAP directory
Last modified: 2016-09-29 21:43:25 CEST
A customer reported that moving a member server in the LDAP directory revokes the existing server certificate and generates a new one. The old, now invalid certificate is still located on the member server and used by the web server. Ticket#2016050921000325

I could reproduce it in my test environment with a slave as well. Extract from listener.log:

    Revoke certificate: ucs-411-slave.sunshine.local
    Using configuration from openssl.cnf
    Revoking Certificate 07.
    Data Base Updated
    unable to write 'random state'
    Using configuration from openssl.cnf
    unable to write 'random state'
    Creating certificate: ucs-411-slave.sunshine.local
    no certificate for ucs-411-slave.sunshine.local registered
    Generating RSA private key, 2048 bit long modulus
    ........................+++
    ........................................+++
    unable to write 'random state'
    e is 65537 (0x10001)
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'DE'
    localityName          :PRINTABLE:'DE'
    organizationName      :PRINTABLE:'sunshine'
    organizationalUnitName:PRINTABLE:'Univention Corporate Server'
    commonName            :PRINTABLE:'ucs-411-slave.sunshine.local'
    emailAddress          :IA5STRING:'ssl@sunshine.local'
    Certificate is to be certified until Apr 21 20:36:24 2021 GMT (1825 days)
    Write out database with 1 new entries
    Data Base Updated
In addition: The revoking also updates the CRL. Any service checking the CRL will now refuse to connect to the member server, which still uses the old (now revoked) certificate.

I guess this applies to all computer objects matching the filter in gencertificate.py:

> filter = '(|' + \
>     '(objectClass=univentionDomainController)' + \
>     '(objectClass=univentionClient)' + \
>     '(objectClass=univentionMobileClient)' + \
>     '(objectClass=univentionCorporateClient)' + \
>     '(objectClass=univentionMemberServer))'
(In reply to Michael Grandjean from comment #1)
> The revoking also updates the CRL. Any service checking the CRL will now
> refuse to connect to the memberserver who still uses the old (now revoked)
> certificate.

Yes, e.g. IE 11 checks the CRL by default if there is a CRL distribution point configured in the certificate. And we fell into that trap...
Currently no CRL distribution point is configured by default (Bug #34285).

The bug is in univention-ssl/gencertificate.py, which does not handle moves.
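One way a listener module can tell a move apart from a delete, as an added Python example that is not the code of univention-ssl/gencertificate.py: it assumes the listener delivers a move as command 'r' for the old entry followed by 'a' for the new one (with 'a', 'm', 'd' for add, modify, delete), uses the cn as the certificate name in place of the FQDN, and takes attribute values as bytes the way python-ldap returns them.

```python
"""Added example: certificate decision logic for a UCS listener module.

A bare DN change must not touch the certificate; revoking there is the
defect from the bug report (the host keeps serving a certificate that is
now listed on the CRL).  Only a delete or a hostname change may revoke.
Assumption: moves arrive as command 'r' (old entry) then 'a' (new entry).
"""
from typing import Callable, Dict, List, Tuple

# Object classes from the filter quoted in the bug report.
COMPUTER_CLASSES = {
    'univentionDomainController', 'univentionClient', 'univentionMobileClient',
    'univentionCorporateClient', 'univentionMemberServer',
}

Entry = Dict[str, List[bytes]]
Action = Tuple[str, str]  # ('keep' | 'revoke' | 'create', hostname)


def _first(entry: Entry, attr: str) -> str:
    values = entry.get(attr) or []
    return values[0].decode() if values else ''


def is_managed_computer(entry: Entry) -> bool:
    classes = {v.decode() for v in entry.get('objectClass', [])}
    return bool(classes & COMPUTER_CLASSES)


def plan_actions(new: Entry, old: Entry, command: str,
                 has_certificate: Callable[[str], bool]) -> List[Action]:
    """Return the certificate actions for one listener notification."""
    if command == 'r':  # first half of a move: same host, new DN, keep cert
        return [('keep', _first(old, 'cn'))]
    if command == 'd':
        return [('revoke', _first(old, 'cn'))] if is_managed_computer(old) else []
    if not is_managed_computer(new):
        return []
    new_cn, old_cn = _first(new, 'cn'), _first(old, 'cn')
    renamed = bool(old_cn) and old_cn != new_cn
    actions: List[Action] = [('revoke', old_cn)] if renamed else []
    if renamed or not has_certificate(new_cn):  # 'a' after a move finds the cert and stops
        actions.append(('create', new_cn))
    return actions


def apply_actions(actions: List[Action], registry: set) -> None:
    """Apply planned actions to the set of hostnames holding a valid certificate."""
    for verb, host in actions:
        if verb == 'revoke':
            registry.discard(host)
        elif verb == 'create':
            registry.add(host)
```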
r70649 | Bug #41230 ssl: Handle moved computer LDAP entries
r70648 | Bug #41230 ssl: Move UID/GID loading code
r70647 | Bug #41230 ssl: Refactor common domain code
r70646 | Bug #41230 ssl: Check server role earliest
r70645 | Bug #41230 ssl: Fix switched debug output
r70644 | Bug #41230 SSL: autopep8

Package: univention-ssl
Version: 10.0.0-15.172.201606271746
Branch: ucs_4.1-0
Scope: errata4.1-2
univention-ssl.yaml
r70657 | Bug #41230 test: Check moved host keeps SSL certificate
ucs-test/tests/66_udm-computers/53_move_computer_ssl

Package: ucs-test
Version: 6.0.33-78.1492.201606271846
Branch: ucs_4.1-0
Scope: errata4.1-2
Tests: OK
Code review: OK
Advisory: OK, added missing bug number. r71101
<http://errata.software-univention.de/ucs/4.1/213.html>