Bug 43811 - certificate cache is not reloaded when updating certificates
certificate cache is not reloaded when updating certificates
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.2
Other Linux
: P5 critical
: UCS 4.2
Assigned To: Florian Best
Stefan Gohmann
: interim-3
Depends on:
Blocks: 43565 44221
Reported: 2017-03-10 17:11 CET by Sönke Schwardt-Krummrich
Modified: 2017-04-04 18:29 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.686
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Sönke Schwardt-Krummrich univentionstaff 2017-03-10 17:11:42 CET
Currently it's not possible to install UCS@school from test app center on a DC slave via UMC. The installer fails with the following message:

10.03.17 17:07:35.122  MODULE      ( PROCESS ) : Konnte nicht mit dem DC Master master103.nstx.local verbinden: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
Comment 1 Florian Best univentionstaff 2017-03-10 17:14:21 CET
This seems to be a generic problem in UCS. The self-service is also affected.
Isn't the UCS-CA part of the global system certificates anymore?
Comment 2 Stefan Gohmann univentionstaff 2017-03-11 19:28:11 CET
I saw the same problems in our docker tests. Bug #43757:

(In reply to Stefan Gohmann from comment #3)
> With the changes from Bug #43813, it looks much better. But I see still the
> following error:
> 
>  Cleanup after exception: <class 'univention.lib.umc.ConnectionError'>
> ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed (_ssl.c:581)'))
> 
> It works if I add the cafile parameter to urllib2.urlopen.
> 
> r77609:
> * 80_docker/dockertest.py: Add cafile to urllib2.urlopen (Bug #43757)


This issue seems to be reproducible via 80_docker/40_app_umc_install_latest_appbox

Traceback (most recent call last):
  File "40_app_umc_install_latest_appbox", line 40, in <module>
    app.install_via_umc()
  File "/usr/share/ucs-test/80_docker/dockertest.py", line 257, in install_via_umc
    client = umc.Client.get_test_connection()
  File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 53, in get_test_connection
    return cls(hostname, username, password, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 222, in __init__
    self.authenticate(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 230, in authenticate
    return self.umc_auth(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 266, in umc_auth
    return self.request('POST', 'auth', data)
  File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 70, in request
    response = super(Client, self).request(method, path, data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 274, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 288, in send
    raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
Comment 3 Stefan Gohmann univentionstaff 2017-03-11 19:37:45 CET
It seems to be a change in Python 2.7.9:
 https://bugs.python.org/issue22417
 PEP 476: verify HTTPS certificates by default

Something like this:

root@master421:~# diff -Nur /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig /usr/lib/pymodules/python2.7/univention/lib/umc.py
--- /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig     2017-03-11 08:29:08.120000000 +0100
+++ /usr/lib/pymodules/python2.7/univention/lib/umc.py  2017-03-11 08:29:11.940000000 +0100
@@ -318,6 +318,7 @@
                '''Creates a new connection to the host'''
                # once keep-alive is over, the socket closes
                #   so create a new connection on every request
+               ssl._create_default_https_context = ssl._create_unverified_context
                return self.ConnectionType(self.hostname, timeout=self._timeout)
 
        def __build_data(self, data, flavor=None):
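Review bot: assigning ssl._create_unverified_context to ssl._create_default_https_context disables certificate verification for every HTTPS connection in the process, not just for this UMC client, and it does so by overwriting a private attribute of the ssl module on every call to this method. If verification has to be relaxed for one connection, build an explicit context with ssl.create_default_context(cafile=...) pointing at the UCS CA and hand it to the connection; better still, keep the default verification and fix why the CA is not found, as Comment 4 asks.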
root@master421:~#
Comment 4 Florian Best univentionstaff 2017-03-12 01:06:56 CET
No, we want to verify the connection! So why is the certificate wrong? Since Bug #39179 this should not be the case anymore.
Comment 5 Stefan Gohmann univentionstaff 2017-03-12 09:51:26 CET
(In reply to Florian Best from comment #4)
> No, we want to verify the connection! So why is the certificate wrong? Since
> Bug #39179 this should not be the case anymore.

At least in the docker modproxy context (Bug #43813) we are unable to verify it because we are using the IP address.

Bug #39179 has been released as 4.1-4 erratum. So, did it work with previous UCS versions? Did we implement it on our own? What did we change?
Comment 6 Stefan Gohmann univentionstaff 2017-03-12 10:32:39 CET
At least if I check the strace output, I don't see any ca cert load. So, maybe it has to be implemented in the UMC part?

My simple test code is:

from univention.testing import umc
client = umc.Client.get_test_connection()
client.umc_get('session-info')

It looks like httplib is used. Do you load the default CA via ssl.create_default_context()? See https://docs.python.org/2/library/httplib.html.
Comment 7 Florian Best univentionstaff 2017-03-13 15:35:10 CET
The cause was a missing c_rehash. Normally update-ca-certificates executes c_rehash if certificates changed, but since our own certificates are only symlinks which were replaced, this didn't work:
/etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
/usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

I added --fresh to update-ca-certificates in all our calls.

univention-join (9.0.3-1):
r77645 | Bug #43811: make sure SSL certificate cache is rewritten

univention-ssl (11.0.1-1):
r77646 | Bug #43811: make sure SSL certificate cache is rewritten
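A check for the failure mode Comment 7 describes, as an added example (not code from this bug report or from UCS): OpenSSL clients locate a CA through a <subject_hash>.N symlink in the certs directory, and when that link is missing or points at the wrong certificate, verification fails exactly as in the traceback above. The script assumes openssl on PATH; the certs directory and CA path are parameters, and the UCS paths appear only as a usage hint.

```shell
#!/bin/sh
# Added example, not code from this bug report or from UCS. Verifies that the
# OpenSSL hash-link "cache" in a certs directory still resolves to the CA that
# is actually in use. update-ca-certificates only rehashes when it sees a
# changed file list, so swapping the target of an existing symlink leaves the
# cache stale; that is the situation this check detects. Requires openssl.

# SHA-256 fingerprint of a PEM certificate (hex part only).
cert_fpr() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# check_ca_hash_link CERTDIR CAFILE
# Exit 0 if some CERTDIR/<subject_hash>.N link resolves to a certificate with
# the same fingerprint as CAFILE, 1 if the cache is missing or stale,
# 2 if CAFILE itself cannot be read.
check_ca_hash_link() {
    certdir=$1 cafile=$2
    subj_hash=$(openssl x509 -noout -hash -in "$cafile") || return 2
    want=$(cert_fpr "$cafile") || return 2
    for link in "$certdir/$subj_hash".[0-9]*; do
        [ -e "$link" ] || continue            # unmatched glob or dangling link
        got=$(cert_fpr "$link" 2>/dev/null) || continue
        [ "$got" = "$want" ] && return 0
    done
    echo "stale certificate cache: no $subj_hash.N link for $cafile in $certdir" >&2
    echo "fix: update-ca-certificates --fresh" >&2
    return 1
}

# Constructed test fixture: a throw-away self-signed CA (not a UCS CA).
# make_test_ca OUTFILE "CN text"
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Usage on a UCS host (paths as in Comment 7, passed in, not hard-coded):
#   sh check_ca_cache.sh /etc/ssl/certs /etc/univention/ssl/ucsCA/CAcert.pem
[ $# -eq 2 ] && check_ca_hash_link "$1" "$2"
```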
Comment 8 Stefan Gohmann univentionstaff 2017-03-18 20:46:13 CET
OK, it looks good and it works now.

I've added a changelog entry: r77935
Comment 9 Stefan Gohmann univentionstaff 2017-04-04 18:29:48 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".