Bug 44322 - Domain CAcert not in system certificate store: Joinscript fails on member with SSL certificate problem
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Florian Best
QA Contact: Felix Botner
Depends on:
Reported: 2017-04-07 14:52 CEST by Michel Smidt
Modified: 2017-05-17 15:18 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): Workaround is available
Max CVSS v3 score:


Description Michel Smidt univentionstaff 2017-04-07 14:52:51 CEST
Reported by potential focus customer and reproduced internally.

Tried to install Nextcloud on member server.
Symptom: Pending join script (50nextcloud).
Even after running univention-run-join-scripts the join script doesn't run successfully.

During Join:
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
During Installation of Nextcloud:
++ curl -X POST -H 'OCS-APIREQUEST: true' -u 'nc_admin:iu(g3Que=ra7dae-kailee4uGh-esh' https://nextcloud.schulen.XY.univentiontest/nextcloud/ocs/v2.php/apps/user_ldap/api/v1/config
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
++ grep '<statuscode>200</statuscode>' -c
++ echo
+ '[' '!' 0 -eq 1 ']'
+ die 'Could not create LDAP Config at Nextcloud'
+ exit 0

All works after running:
root@nextcloud:~# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

To me these are two failures:
1. The join script returns EXITCODE=0 even after it fails.
2. univention-join doesn't run "update-ca-certificates" properly.
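Added example by the editor, not code from this bug report, the Nextcloud join script or univention-join: a join-step fragment that checks whether the domain CA is actually reachable through the system trust store (the subject-hash links that update-ca-certificates creates in /etc/ssl/certs, which is what curl and OpenSSL consult), rebuilds the store with update-ca-certificates --fresh when it is not, keeps curl's certificate verification switched on, and exits non-zero on failure instead of the "exit 0" seen in the trace above. The CA path /etc/univention/ssl/ucsCA/CAcert.pem, the host nextcloud.example.test and the credentials are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the UCS join script or univention-join.
# It checks that a CA certificate is really reachable through the system
# trust store (the hash-named links in /etc/ssl/certs that curl and OpenSSL
# use), rebuilds the store if not, and turns failures into a non-zero exit.
set -u

# Return 0 if CA_PEM is present in STORE_DIR under its OpenSSL subject-hash
# name (what update-ca-certificates creates), 1 if not, 2 on an unreadable PEM.
# Several CAs may share a subject hash, so <hash>.0, <hash>.1, ... are all
# compared by SHA-256 fingerprint instead of trusting the file name alone.
ca_in_store() {
    local ca_pem="$1" store_dir="${2:-/etc/ssl/certs}" hash fp link n
    hash=$(openssl x509 -in "$ca_pem" -noout -hash) || return 2
    fp=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256) || return 2
    n=0
    while [ "$n" -lt 10 ]; do
        link="$store_dir/$hash.$n"
        [ -e "$link" ] || return 1
        if [ "$(openssl x509 -in "$link" -noout -fingerprint -sha256 2>/dev/null)" = "$fp" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Make sure the domain CA is trusted before any TLS call in a join script.
# update-ca-certificates needs root. The default CA path is the UCS domain
# CA location and is an assumption of this example.
ensure_ca_trusted() {
    local ca_pem="${1:-/etc/univention/ssl/ucsCA/CAcert.pem}" store_dir="${2:-/etc/ssl/certs}"
    if ca_in_store "$ca_pem" "$store_dir"; then
        return 0
    fi
    echo "domain CA $ca_pem not found in $store_dir, rebuilding the store" >&2
    # --fresh clears stale links first; this is the reporter's working fix
    update-ca-certificates --fresh >/dev/null || return 1
    ca_in_store "$ca_pem" "$store_dir"
}

# Return 0 when an OCS API response reports <statuscode>200</statuscode>.
ocs_ok() {
    printf '%s\n' "$1" | grep -q '<statuscode>200</statuscode>'
}

# Abort the join step. The trace in the report shows die ending in "exit 0",
# which makes a failed step look successful; a failure must exit non-zero.
die() {
    echo "$*" >&2
    exit 1
}

# Example join step: verify the CA first, then call the OCS endpoint with
# curl's default certificate verification kept on (no -k). Host, user and
# password are placeholders for this example.
join_step_ldap_config() {
    local url="${1:-https://nextcloud.example.test/nextcloud/ocs/v2.php/apps/user_ldap/api/v1/config}"
    local user="${2:-nc_admin}" pass="${3:-changeme}" resp
    ensure_ca_trusted || die "domain CA is not trusted by the system store"
    resp=$(curl -sS -X POST -H 'OCS-APIREQUEST: true' -u "$user:$pass" "$url") \
        || die "curl failed (TLS or HTTP error) for $url"
    ocs_ok "$resp" || die "Could not create LDAP Config at Nextcloud"
}
```

Source the file from a join script and call join_step_ldap_config as root, since update-ca-certificates writes to /etc/ssl/certs. Two caveats: ca_in_store only proves the CA is linked into the store, not that the server presents a chain ending in it, so a curl failure after a successful check points at the server certificate rather than the store; and passing the password with -u on the command line exposes it to every local user via the process list, which the original trace also does.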
Comment 1 Erik Damrose univentionstaff 2017-04-07 15:06:53 CEST
We have to backport r77645 and r77646 (maybe more?) from Bug 43811 to UCS 4.1
Comment 2 Florian Best univentionstaff 2017-04-21 14:06:04 CEST
Accidentally committed with wrong bug number:

univention-join (8.0.4-9):
r78861 | Bug #43811: make sure SSL certificate cache is rewritten

univention-ssl (10.0.0-24):
r78862 | Bug #43811: make sure SSL certificate cache is rewritten

r78863 | YAML Bug #44322
Comment 3 Florian Best univentionstaff 2017-05-11 14:57:39 CEST
univention-ssl (10.0.0-25):
r79297 | Bug #43811: update certificates on update to fix running systems
Comment 4 Felix Botner univentionstaff 2017-05-11 15:15:16 CEST
OK - re-join
OK - update

OK - univention-ssl.yaml
OK - univention-join.yaml