Bug 41230 - Servercertificate is revoked and new generated if a Memberserver is moved in the ldap directory
Servercertificate is revoked and new generated if a Memberserver is moved in ...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-2-errata
Assigned To: Philipp Hahn
Janek Walkenhorst
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-10 08:52 CEST by Christina Scheinig
Modified: 2016-09-29 21:43 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2016050921000325
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2016-05-10 08:52:21 CEST
A customer reported that moving a memberserver in the ldap directory revokes the existing servercertificate and generates a new one.
The old now invalid certificate is still located on the memberserver and used by the web server.

Ticket#2016050921000325

I could reproduce it in my testenvironment with a slave as well.


Extract from listener.log:

Revoke certificate: ucs-411-slave.sunshine.local
Using configuration from openssl.cnf
Revoking Certificate 07.
Data Base Updated
unable to write 'random state'
Using configuration from openssl.cnf
unable to write 'random state'
Creating certificate: ucs-411-slave.sunshine.local
no certificate for ucs-411-slave.sunshine.local registered
Generating RSA private key, 2048 bit long modulus
........................+++
........................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'DE'
localityName          :PRINTABLE:'DE'
organizationName      :PRINTABLE:'sunshine'
organizationalUnitName:PRINTABLE:'Univention Corporate Server'
commonName            :PRINTABLE:'ucs-411-slave.sunshine.local'
emailAddress          :IA5STRING:'ssl@sunshine.local'
Certificate is to be certified until Apr 21 20:36:24 2021 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
Comment 1 Michael Grandjean univentionstaff 2016-05-10 08:59:17 CEST
In addition:
The revoking also updates the CRL. Any service checking the CRL will now refuse to connect to the memberserver who still uses the old (now revoked) certificate.

I guess this applies to all computer objects matching the filter in gencertificate.py:

> filter = '(|' + \
>                 '(objectClass=univentionDomainController)' + \
>                 '(objectClass=univentionClient)' + \
>                 '(objectClass=univentionMobileClient)' + \
>                 '(objectClass=univentionCorporateClient)' + \
>                 '(objectClass=univentionMemberServer))'
Comment 2 Stephan Hendl 2016-05-10 10:41:24 CEST
(In reply to Michael Grandjean from comment #1)

> The revoking also updates the CRL. Any service checking the CRL will now
> refuse to connect to the memberserver who still uses the old (now revoked)
> certificate.

Yes, e. g. IE 11 checks the CRL by default if there is a CRL distribution point  configured in the certificate. And we felt in that trap...
Comment 3 Philipp Hahn univentionstaff 2016-06-22 13:49:22 CEST
Currently no CRL-Distribution-Point is configured by default. Bug #34285

The bug is in univention-ssl/gencertificate.py which does not handle moves.
Comment 4 Philipp Hahn univentionstaff 2016-06-27 17:59:44 CEST
r70649 | Bug #41230 ssl: Handle moved computer LDAP entries
r70648 | Bug #41230 ssl: Move UID/GID loading code
r70647 | Bug #41230 ssl: Refactor common domain code
r70646 | Bug #41230 ssl: Check server role earliest
r70645 | Bug #41230 ssl: Fix switched debug output
r70644 | Bug #41230 SSL: autopep8

Package: univention-ssl
Version: 10.0.0-15.172.201606271746
Branch: ucs_4.1-0
Scope: errata4.1-2

 univention-ssl.yaml
Comment 5 Philipp Hahn univentionstaff 2016-06-27 18:48:14 CEST
r70657 | Bug #41230 test: Check moved host keeps SSL certificate
 ucs-test/tests/66_udm-computers/53_move_computer_ssl

Package: ucs-test
Version: 6.0.33-78.1492.201606271846
Branch: ucs_4.1-0
Scope: errata4.1-2
Comment 6 Janek Walkenhorst univentionstaff 2016-07-19 18:18:28 CEST
Tests: OK
Code review: OK
Advisory: OK, added missing bug number. r71101
Comment 7 Janek Walkenhorst univentionstaff 2016-07-21 15:16:15 CEST
<http://errata.software-univention.de/ucs/4.1/213.html>