Univention Bugzilla – Bug 43811
certificate cache is not reloaded when updating certificates
Last modified: 2017-04-04 18:29:48 CEST
Currently it's not possible to install UCS@school from test app center on a DC slave via UMC. The installer fails with the following message:

10.03.17 17:07:35.122 MODULE ( PROCESS ) : Konnte nicht mit dem DC Master master103.nstx.local verbinden: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
This seems to be a generic problem in UCS. The self-service is also affected. Isn't the UCS-CA part of the global system certificates anymore?
I saw the same problems in our docker tests. Bug #43757:

(In reply to Stefan Gohmann from comment #3)
> With the changes from Bug #43813, it looks much better. But I see still the
> following error:
>
> Cleanup after exception: <class 'univention.lib.umc.ConnectionError'>
> ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed (_ssl.c:581)'))
>
> It works if I add the cafile parameter to urllib2.urlopen.
>
> r77609:
> * 80_docker/dockertest.py: Add cafile to urllib2.urlopen (Bug #43757)

This issue seems to be reproducible via 80_docker/40_app_umc_install_latest_appbox

Traceback (most recent call last):
  File "40_app_umc_install_latest_appbox", line 40, in <module>
    app.install_via_umc()
  File "/usr/share/ucs-test/80_docker/dockertest.py", line 257, in install_via_umc
    client = umc.Client.get_test_connection()
  File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 53, in get_test_connection
    return cls(hostname, username, password, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 222, in __init__
    self.authenticate(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 230, in authenticate
    return self.umc_auth(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 266, in umc_auth
    return self.request('POST', 'auth', data)
  File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 70, in request
    response = super(Client, self).request(method, path, data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 274, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 288, in send
    raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
It seems to be a change in Python 2.7.9: https://bugs.python.org/issue22417 (PEP 476: verify HTTPS certificates by default)

Something like this:

root@master421:~# diff -Nur /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig /usr/lib/pymodules/python2.7/univention/lib/umc.py --- /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig 2017-03-11 08:29:08.120000000 +0100 +++ /usr/lib/pymodules/python2.7/univention/lib/umc.py 2017-03-11 08:29:11.940000000 +0100 @@ -318,6 +318,7 @@ '''Creates a new connection to the host''' # once keep-alive is over, the socket closes # so create a new connection on every request + ssl._create_default_https_context = ssl._create_unverified_context return self.ConnectionType(self.hostname, timeout=self._timeout) def __build_data(self, data, flavor=None): root@master421:~#
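Review bot: The added line `ssl._create_default_https_context = ssl._create_unverified_context` switches certificate verification off for every HTTPS connection made by the interpreter, not only for this UMC connection, and since it sits inside the function that creates a new connection on every request it re-applies that global, private-attribute monkey-patch on each call. The verification failure this hunk works around is better addressed by giving the connection an explicit context that trusts the UCS CA, e.g. one built with `ssl.create_default_context(cafile=...)`, which is the approach the quoted Bug #43757 comment reports as working for urllib2.urlopen, or by fixing the CA store itself.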
No, we want to verify the connection! So why is the certificate wrong? Since Bug #39179 this should not be the case anymore.
(In reply to Florian Best from comment #4)
> No, we want to verify the connection! So why is the certificate wrong? Since
> Bug #39179 this should not be the case anymore.

At least in the docker modproxy context (Bug #43813) we are unable to verify it because we are using the IP address.

Bug #39179 has been released as 4.1-4 erratum. So, did it work with previous UCS versions? Did we implement it by our own? What did we change?
At least if I check the strace output, I don't see any ca cert load. So, maybe it has to be implemented in the UMC part?

My simple test code is:

from univention.testing import umc
client = umc.Client.get_test_connection()
client.umc_get('session-info')

It looks like httplib is used. Do you load the default CA via ssl.create_default_context()? See https://docs.python.org/2/library/httplib.html.
The cause was a missing c_rehash. Normally update-ca-certificates executes c_rehash if certificates changed but since our own certificates are only symlinks which were replaced this didn't work:

/etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
/usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

I added --fresh to update-ca-certificates in all our calls.

univention-join (9.0.3-1):
r77645 | Bug #43811: make sure SSL certificate cache is rewritten

univention-ssl (11.0.1-1):
r77646 | Bug #43811: make sure SSL certificate cache is rewritten
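The root cause above is that OpenSSL finds a CA in a capath directory only through a "<subject_hash>.<n>" symlink, so a certificate that is swapped in behind an existing symlink chain without a rehash is still "present" on disk but invisible to verification. The following audit script is an added example and is not Univention's code; it reports hash links whose name no longer matches the subject hash of the certificate they resolve to, links whose target is gone, and certificate files that no hash link points at. It assumes the `openssl` CLI is installed for the default hasher; the `demo()` function instead uses constructed hashes and a temporary directory that mimics the symlink layout from this comment.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# OpenSSL resolves CAs in a capath directory through "<subject_hash>.<n>"
# symlinks; these links are what c_rehash / update-ca-certificates maintain.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_subject_hash(cert_path):
    """Ask the openssl CLI for the subject hash of a PEM certificate."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-subject_hash", "-in", str(cert_path)])
    return out.decode().strip()


def audit_capath(capath, subject_hash=openssl_subject_hash):
    """Compare the hash links in capath with the certificates they point to.

    Returns a dict with three sorted lists:
      stale:    links whose name does not carry the target's current subject hash
      dangling: links (or certificate symlinks) whose target no longer exists
      unhashed: certificate files that no hash link resolves to
    """
    capath = Path(capath)
    report = {"stale": [], "dangling": [], "unhashed": []}
    linked_targets = set()

    # Pass 1: follow every hash link to its final certificate file.
    for entry in capath.iterdir():
        if not (HASH_LINK.match(entry.name) and entry.is_symlink()):
            continue
        try:
            target = entry.resolve(strict=True)
        except FileNotFoundError:
            report["dangling"].append(entry.name)
            continue
        linked_targets.add(target)
        if not entry.name.startswith(subject_hash(target)):
            report["stale"].append(entry.name)

    # Pass 2: every certificate in the store should be reachable via some link.
    for entry in capath.iterdir():
        if HASH_LINK.match(entry.name) or entry.suffix not in (".pem", ".crt"):
            continue
        try:
            target = entry.resolve(strict=True)
        except FileNotFoundError:
            report["dangling"].append(entry.name)
            continue
        if target not in linked_targets:
            report["unhashed"].append(entry.name)

    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed store reproducing the symptom from this bug.

    The hash link was created for the old CA (hash "1a2b3c4d"); afterwards the
    certificate behind the symlink chain was replaced by one with subject hash
    "5e6f7a8b" without rehashing. Both hashes are constructed values.
    """
    fake_hashes = {"CAcert.pem": "5e6f7a8b"}  # stands in for the openssl call

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        real_ca = root / "CAcert.pem"
        real_ca.write_text("-----BEGIN CERTIFICATE-----\nconstructed\n"
                           "-----END CERTIFICATE-----\n")
        store = root / "certs"
        store.mkdir()
        # certs/ucsCA.pem -> .../CAcert.pem (the chain from the bug, shortened)
        os.symlink(real_ca, store / "ucsCA.pem")
        # hash link left behind by the rehash of the *old* CA
        os.symlink("ucsCA.pem", store / "1a2b3c4d.0")
        # hash link whose certificate has since been removed
        os.symlink("gone.pem", store / "9f9f9f9f.0")
        # certificate dropped into the store without any rehash at all
        (store / "extraCA.crt").write_text("constructed\n")
        return audit_capath(store, subject_hash=lambda p: fake_hashes[p.name])


if __name__ == "__main__":
    print(demo())
```

Running `audit_capath("/etc/ssl/certs")` on a host uses the real `openssl x509 -subject_hash` output; any entry in `stale` or `unhashed` is exactly the state that `update-ca-certificates --fresh` (or `c_rehash`) repairs.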
OK, it looks good and it works now. I've added a changelog entry: r77935
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".