Bug 44704 - SAML IdP certificate not accessible on UCS 4.2
SAML IdP certificate not accessible on UCS 4.2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Florian Best
Jürn Brodersen
:
Depends on:
Blocks: 47047 45515 46186
  Show dependency treegraph
 
Reported: 2017-05-29 13:52 CEST by Jens Thorp-Hansen
Modified: 2018-05-23 13:22 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017052921000376
Bug group (optional):
Max CVSS v3 score:


Attachments
Saml apache config template adjustments (888 bytes, patch)
2017-07-14 13:01 CEST, Eduard Mai
Details | Diff
24_download_certificate (1.65 KB, text/plain)
2017-07-14 15:19 CEST, Jürn Brodersen
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jens Thorp-Hansen univentionstaff 2017-05-29 13:52:54 CEST
Testsystem: 10.200.6.100

root@kopano:~# univention-app info
UCS: 4.2-0 errata10
App Center compatibility: 4
Installed: kopano-core=8.2.1.530-2 kopano-webapp=3.2.0.335-19.1-2 samba4=4.6 4.1/openproject=5.0.17
Upgradable: 

----------------------

Openproject is not reachable via "http://10.200.6.100/openproject/" and "https://10.200.6.100/openproject/" with

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /openproject/.

Reason: Error reading from remote server

-----------------------

Seems to happen in all SSO-ready apps (confirmed for owncloud, egroupware and openproject).

-----------------------
Apache.log

[Tue May 16 02:38:20.923822 2017] [authz_core:error] [pid 21498] [client 10.200.6.100:53880] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:45:20.796593 2017] [proxy_http:error] [pid 21501] (104)Connection reset by peer: [client 10.205.1.18:49748] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:20.797330 2017] [proxy:error] [pid 21501] [client 10.205.1.18:49748] AH00898: Error reading from remote server returned by /openproject/, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:49.480286 2017] [authz_core:error] [pid 21503] [client 10.200.6.100:54222] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:46:05.889107 2017] [mpm_prefork:notice] [pid 7635] AH00169: caught SIGTERM, shutting down
[Tue May 16 02:46:06.951126 2017] [suexec:notice] [pid 29057] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue May 16 02:46:08.017837 2017] [mpm_prefork:notice] [pid 29058] AH00163: Apache/2.4.10 (Univention) OpenSSL/1.0.2d configured -- resuming normal operations
[Tue May 16 02:46:08.017912 2017] [core:notice] [pid 29058] AH00094: Command line: '/usr/sbin/apache2'
[Tue May 16 02:47:10.031917 2017] [proxy_http:error] [pid 29063] (104)Connection reset by peer: [client 10.205.1.18:49828] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/portal/

join.log

RUNNING 50openproject.inst
2017-05-16 02:45:41.260640046+02:00 (in joinscript_init)
Object exists: cn=ldapschema,cn=univention,dc=hel,dc=kopano
INFO: No change of core data of object openproject.
No modification: cn=openproject,cn=ldapschema,cn=univention,dc=hel,dc=kopano

Waiting for activation of the extension object openproject: OK
Object exists: cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Object exists: cn=openproject-isadmin,cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Setting saml/idp/ldap/get_attributes
Multifile: /etc/simplesamlphp/authsources.php
Module: kopano-cfg
Object exists: SAMLServiceProviderIdentifier=openproject,cn=saml-serviceprovider,cn=univention,dc=hel,dc=kopano
Setting ucs/web/overview/entries/service/SP/description
Setting ucs/web/overview/entries/service/SP/label
Setting ucs/web/overview/entries/service/SP/link
Setting ucs/web/overview/entries/service/SP/priority
Module: kopano-cfg
Module: create_portal_entries
--2017-05-16 02:45:49--  https://ucs-sso.hel.kopano/simplesamlphp/saml2/idp/certificate
Auflösen des Hostnamen »ucs-sso.hel.kopano (ucs-sso.hel.kopano)«... 10.200.6.100
Verbindungsaufbau zu ucs-sso.hel.kopano (ucs-sso.hel.kopano)|10.200.6.100|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2017-05-16 02:45:49 FEHLER 403: Forbidden.

unable to load certificate
140528867223184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
EXITCODE=1
Comment 1 Stefan Gohmann univentionstaff 2017-06-28 06:51:16 CEST
Mark all bugs with a user pain > 0.3 as errata bugs.
Comment 2 Eduard Mai univentionstaff 2017-07-14 13:01:03 CEST
Created attachment 9029 [details]
Saml apache config template adjustments

The current apache2 config doesn't allow filesystem access to the idp certificate in its default location. Do we adjust the template or the default location fot the certificate?
I attached a proposal for the configuration template in univention-saml.
Comment 3 Florian Best univentionstaff 2017-07-14 13:14:16 CEST
Why doesn't it allow anymore? I think it was possible in UCS 4.1.
Comment 4 Eduard Mai univentionstaff 2017-07-14 13:59:32 CEST
(In reply to Florian Best from comment #3)
> Why doesn't it allow anymore? I think it was possible in UCS 4.1.

I didn't investigate the specific cause. My best guess is the change in basic directives between apache 2.4 and 2.2. For example Order and Allow vs. Require all granted.
Comment 5 Eduard Mai univentionstaff 2017-07-14 14:53:10 CEST
OK, the attached patch fixes the problem for me. I tried with openproject=5.0.17. Moving this issue to SAML.
Comment 6 Jürn Brodersen univentionstaff 2017-07-14 15:19:50 CEST
Created attachment 9032 [details]
24_download_certificate
Comment 7 Jürn Brodersen univentionstaff 2017-07-14 15:26:18 CEST
Comment on attachment 9032 [details]
24_download_certificate

Test for ucs-test/82_saml
Comment 8 Florian Best univentionstaff 2017-07-17 16:20:58 CEST
@Jürn: Please commit the ucs-test with the SKIP tag.
Comment 9 Jürn Brodersen univentionstaff 2017-07-20 16:41:46 CEST
r81298: test download of saml idp certificate

The test has the skip tag set for now
Comment 10 Florian Best univentionstaff 2017-11-28 18:01:07 CET
A slightly modified patch has been commited.

univention-saml (4.0.14-11)
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
1591bb4c3c3c | Bug #44704: fix certificate access permissions

ucs-test (7.0.23-3)
r81298 | Bug #44704: test download of saml idp certificate

univention-saml.yaml
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
b8f07173e39d | YAML Bug #44704
Comment 11 Jürn Brodersen univentionstaff 2017-12-04 15:37:49 CET
Looks good.

What I tested:

"ucs-test -s saml -E dangerous" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/certificate" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/" -> Forbidden -> OK

YAML -> OK

-> Verified
Comment 12 Arvid Requate univentionstaff 2017-12-06 15:40:17 CET
<http://errata.software-univention.de/ucs/4.2/236.html>