Univention Bugzilla – Bug 43811
certificate cache is not reloaded when updating certificates
Last modified: 2017-04-04 18:29:48 CEST
Currently it's not possible to install UCS@school from the test app center on a DC slave via UMC. The installer fails with the following message:
10.03.17 17:07:35.122 MODULE ( PROCESS ) : Konnte nicht mit dem DC Master master103.nstx.local verbinden: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
This seems to be a generic problem in UCS. The self-service is also affected.
Isn't the UCS-CA part of the global system certificates anymore?
I saw the same problems in our docker tests. Bug #43757:
(In reply to Stefan Gohmann from comment #3)
> With the changes from Bug #43813, it looks much better. But I see still the
> following error:
> Cleanup after exception: <class 'univention.lib.umc.ConnectionError'>
> ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed (_ssl.c:581)'))
> It works if I add the cafile parameter to urllib2.urlopen.
> * 80_docker/dockertest.py: Add cafile to urllib2.urlopen (Bug #43757)
This issue seems to be reproducible via 80_docker/40_app_umc_install_latest_appbox
Traceback (most recent call last):
File "40_app_umc_install_latest_appbox", line 40, in <module>
File "/usr/share/ucs-test/80_docker/dockertest.py", line 257, in install_via_umc
client = umc.Client.get_test_connection()
File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 53, in get_test_connection
return cls(hostname, username, password, *args, **kwargs)
File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 222, in __init__
File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 230, in authenticate
return self.umc_auth(username, password)
File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 266, in umc_auth
return self.request('POST', 'auth', data)
File "/usr/lib/pymodules/python2.7/univention/testing/umc.py", line 70, in request
response = super(Client, self).request(method, path, data, headers)
File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 274, in request
File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 288, in send
raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
It seems to be a change in Python 2.7.9:
PEP 476: verify HTTPS certificates by default
Something like this:
root@master421:~# diff -Nur /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig /usr/lib/pymodules/python2.7/univention/lib/umc.py
--- /usr/lib/pymodules/python2.7/univention/lib/umc.py.orig 2017-03-11 08:29:08.120000000 +0100
+++ /usr/lib/pymodules/python2.7/univention/lib/umc.py 2017-03-11 08:29:11.940000000 +0100
@@ -318,6 +318,7 @@
'''Creates a new connection to the host'''
# once keep-alive is over, the socket closes
# so create a new connection on every request
+ ssl._create_default_https_context = ssl._create_unverified_context
return self.ConnectionType(self.hostname, timeout=self._timeout)
def __build_data(self, data, flavor=None):
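Review bot: the added line `ssl._create_default_https_context = ssl._create_unverified_context` switches certificate verification off for every HTTPS connection made later in the interpreter, not just the UMC one, and it does so by overwriting a private `ssl` attribute from inside a method that runs on every request. If the aim is to trust the UCS CA, keep verification on and instead build a context with `ssl.create_default_context(cafile=...)` pointing at the CA bundle and hand it to the connection (e.g. `self.ConnectionType(self.hostname, timeout=self._timeout, context=ctx)`, which `httplib.HTTPSConnection` accepts since 2.7.9).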
No, we want to verify the connection! So why is the certificate wrong? Since Bug #39179 this should not be the case anymore.
(In reply to Florian Best from comment #4)
> No, we want to verify the connection! So why is the certificate wrong? Since
> Bug #39179 this should not be the case anymore.
At least in the docker modproxy context (Bug #43813) we are unable to verify it because we are using the IP address.
Bug #39179 has been released as 4.1-4 erratum. So, did it work with previous UCS versions? Did we implement it on our own? What did we change?
At least if I check the strace output, I don't see any ca cert load. So, maybe it has to be implemented in the UMC part?
My simple test code is:
from univention.testing import umc
client = umc.Client.get_test_connection()
It looks like httplib is used. Do you load the default CA via ssl.create_default_context()? See https://docs.python.org/2/library/httplib.html.
The cause was a missing c_rehash. Normally update-ca-certificates executes c_rehash if certificates changed, but since our own certificates are only symlinks which were replaced, this didn't work:
/etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
/usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem
I added --fresh to update-ca-certificates in all our calls.
r77645 | Bug #43811: make sure SSL certificate cache is rewritten
r77646 | Bug #43811: make sure SSL certificate cache is rewritten
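As an added diagnostic for the state described above (not code from this bug or from UCS), the following Python script checks a capath directory for CA files that no OpenSSL `<hash>.N` link resolves to, which is what a capath lookup sees when c_rehash did not run after the file behind a symlink was replaced, and for hash links whose target is gone. The default directory /etc/ssl/certs is an assumption, not read from UCS configuration.

```python
import os
import re

# OpenSSL hash links in a capath directory look like "a1b2c3d4.0":
# 8 hex digits of the subject hash, a dot, and a collision index.
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def unhashed_certs(capath):
    """Return .pem files in capath that no hash link resolves to.

    OpenSSL's capath lookup only follows the hash links, so such a file
    is present on disk but invisible to certificate verification until
    c_rehash (or update-ca-certificates --fresh) is run again.
    """
    targets = set()
    certs = []
    for name in sorted(os.listdir(capath)):
        path = os.path.join(capath, name)
        if HASH_LINK_RE.match(name):
            # resolve the whole symlink chain so a link to a link counts
            if os.path.exists(path):
                targets.add(os.path.realpath(path))
        elif name.endswith(".pem"):
            certs.append(path)
    return [c for c in certs if os.path.realpath(c) not in targets]


def dangling_hash_links(capath):
    """Return hash links whose target no longer exists (stale after a CA swap)."""
    return [
        os.path.join(capath, name)
        for name in sorted(os.listdir(capath))
        if HASH_LINK_RE.match(name)
        and not os.path.exists(os.path.join(capath, name))
    ]


if __name__ == "__main__":
    import sys
    # /etc/ssl/certs is assumed as the default capath directory
    capath = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    for cert in unhashed_certs(capath):
        print("no hash link for %s (run update-ca-certificates --fresh)" % cert)
    for link in dangling_hash_links(capath):
        print("dangling hash link: %s" % link)
```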
OK, it looks good and it works now.
I've added a changelog entry: r77935
UCS 4.2 has been released:
If this error occurs again, please use "Clone This Bug".