Univention Bugzilla – Bug 44322
Domain CAcert not in system certificate store: Joinscript fails on member with SSL certificate problem
Last modified: 2017-05-17 15:18:28 CEST
Reported by potential focus customer and reproduced internally.

Tried to install Nextcloud on member server. Symptom: Pending join script (50nextcloud). Even after running univention-run-join-scripts the join script doesn't run successfully.

/var/log/univention/join.log:

During Join:

    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    ....

During Installation of Nextcloud:

    ++ curl -X POST -H 'OCS-APIREQUEST: true' -u 'nc_admin:iu(g3Que=ra7dae-kailee4uGh-esh' https://nextcloud.schulen.XY.univentiontest/nextcloud/ocs/v2.php/apps/user_ldap/api/v1/config
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
    + RESULT=
    ++ grep '<statuscode>200</statuscode>' -c
    ++ echo
    + STATUS=0
    + '[' '!' 0 -eq 1 ']'
    + die 'Could not create LDAP Config at Nextcloud'
    + exit 0
    EXITCODE=0

All works after running:

    root@nextcloud:~# update-ca-certificates --fresh
    Clearing symlinks in /etc/ssl/certs...done.
    Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.

To me these are two failures:
1. The join script returns EXITCODE=0 even after it fails.
2. The univention-join doesn't run "update-ca-certificates" properly.
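Added example (not from the bug report and not code from univention-join or the Nextcloud join script): a POSIX shell sketch of the two fixes the report asks for, a content-hash check that the domain CA is really present in /etc/ssl/certs before the OCS call, with update-ca-certificates --fresh as the remedy, and a die that leaves a non-zero exit status. The CA path /etc/univention/ssl/ucsCA/CAcert.pem, the NC_URL/NC_USER/NC_PASS variables and the RUN_JOIN_STEP guard are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or univention-join; the
# DOMAIN_CA path, NC_* variables and RUN_JOIN_STEP guard are assumptions.
set -eu
DOMAIN_CA=${DOMAIN_CA:-/etc/univention/ssl/ucsCA/CAcert.pem}
STORE_DIR=${STORE_DIR:-/etc/ssl/certs}

# Failure 1 on the page: die() was followed by "exit 0". A failed join script
# must leave a non-zero status so univention-run-join-scripts keeps it pending.
die() {
    echo "ERROR: $*" >&2
    exit 1
}

# Failure 2: the cache under /etc/ssl/certs was not rebuilt. Compare the CA's
# content hash against every file in the store instead of trusting the
# "0 added, 0 removed" message; returns 0 when the CA is present.
ca_in_store() {
    ca_file=$1
    store_dir=$2
    want=$(sha256sum < "$ca_file" | cut -d' ' -f1)
    for f in "$store_dir"/*.pem; do
        [ -r "$f" ] || continue
        have=$(sha256sum < "$f" | cut -d' ' -f1)
        if [ "$want" = "$have" ]; then
            return 0
        fi
    done
    return 1
}

# The answer the join script greps for; reads the OCS response body from stdin.
ocs_status_ok() {
    grep -q '<statuscode>200</statuscode>'
}

join_step() {
    ca_in_store "$DOMAIN_CA" "$STORE_DIR" || update-ca-certificates --fresh
    ca_in_store "$DOMAIN_CA" "$STORE_DIR" \
        || die "domain CA $DOMAIN_CA still missing from $STORE_DIR"
    # curl exits 60 on a chain it cannot verify; the empty body then fails the grep.
    curl -sS -X POST -H 'OCS-APIREQUEST: true' -u "${NC_USER:?}:${NC_PASS:?}" \
        "${NC_URL:?}/ocs/v2.php/apps/user_ldap/api/v1/config" \
        | ocs_status_ok || die "Could not create LDAP Config at Nextcloud"
}

# Only run the real step when asked for, e.g. from 50nextcloud.inst.
if [ "${RUN_JOIN_STEP:-0}" = 1 ]; then join_step; fi
```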
We have to backport r77645 and r77646 (maybe more?) from Bug 43811 to UCS 4.1
Accidentally committed with wrong bug number:

univention-join (8.0.4-9):
  r78861 | Bug #43811: make sure SSL certificate cache is rewritten
univention-ssl (10.0.0-24):
  r78862 | Bug #43811: make sure SSL certificate cache is rewritten
univention-ssl.yaml:
  r78863 | YAML Bug #44322
univention-join.yaml:
  r78863 | YAML Bug #44322
univention-ssl (10.0.0-25):
  r79297 | Bug #43811: update certificates on update to fix running systems
OK - re-join
OK - update
OK - univention-ssl.yaml
OK - univention-join.yaml
<http://errata.software-univention.de/ucs/4.1/419.html>
<http://errata.software-univention.de/ucs/4.1/420.html>