Bug 46186 - Test case 82_saml.24_download_certificate.test fails on slaves and member servers in UCS 4.2-3
Status: RESOLVED FIXED
Product: UCS Test
Classification: Unclassified
Component: SAML
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Assigned To: Jürn Brodersen
Depends on: 44704
Reported: 2018-01-30 09:36 CET by Stefan Gohmann
Modified: 2018-02-06 16:08 CET (History)
What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2018-01-30 09:36:11 CET
The test case 24_download_certificate fails in UCS 4.2-3 on member servers:

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-3/job/AutotestJoin/SambaVersion=s3,Systemrolle=member/lastCompletedBuild/testReport/82_saml/24_download_certificate/test/

[2018-01-30 02:29:58.917435] ### FAIL ###
[2018-01-30 02:29:58.917512] The ucr key saml/idp/entityID is not set
[2018-01-30 02:29:58.917569] ###      ###



+++ This bug was initially created as a clone of Bug #44704 +++

Testsystem: 10.200.6.100

root@kopano:~# univention-app info
UCS: 4.2-0 errata10
App Center compatibility: 4
Installed: kopano-core=8.2.1.530-2 kopano-webapp=3.2.0.335-19.1-2 samba4=4.6 4.1/openproject=5.0.17
Upgradable: 

----------------------

Openproject is not reachable via "http://10.200.6.100/openproject/" and "https://10.200.6.100/openproject/" with

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /openproject/.

Reason: Error reading from remote server

-----------------------

Seems to happen in all SSO-ready apps (confirmed for owncloud, egroupware and openproject).

-----------------------
Apache.log

[Tue May 16 02:38:20.923822 2017] [authz_core:error] [pid 21498] [client 10.200.6.100:53880] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:45:20.796593 2017] [proxy_http:error] [pid 21501] (104)Connection reset by peer: [client 10.205.1.18:49748] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:20.797330 2017] [proxy:error] [pid 21501] [client 10.205.1.18:49748] AH00898: Error reading from remote server returned by /openproject/, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:49.480286 2017] [authz_core:error] [pid 21503] [client 10.200.6.100:54222] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:46:05.889107 2017] [mpm_prefork:notice] [pid 7635] AH00169: caught SIGTERM, shutting down
[Tue May 16 02:46:06.951126 2017] [suexec:notice] [pid 29057] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue May 16 02:46:08.017837 2017] [mpm_prefork:notice] [pid 29058] AH00163: Apache/2.4.10 (Univention) OpenSSL/1.0.2d configured -- resuming normal operations
[Tue May 16 02:46:08.017912 2017] [core:notice] [pid 29058] AH00094: Command line: '/usr/sbin/apache2'
[Tue May 16 02:47:10.031917 2017] [proxy_http:error] [pid 29063] (104)Connection reset by peer: [client 10.205.1.18:49828] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/portal/

join.log

RUNNING 50openproject.inst
2017-05-16 02:45:41.260640046+02:00 (in joinscript_init)
Object exists: cn=ldapschema,cn=univention,dc=hel,dc=kopano
INFO: No change of core data of object openproject.
No modification: cn=openproject,cn=ldapschema,cn=univention,dc=hel,dc=kopano

Waiting for activation of the extension object openproject: OK
Object exists: cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Object exists: cn=openproject-isadmin,cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Setting saml/idp/ldap/get_attributes
Multifile: /etc/simplesamlphp/authsources.php
Module: kopano-cfg
Object exists: SAMLServiceProviderIdentifier=openproject,cn=saml-serviceprovider,cn=univention,dc=hel,dc=kopano
Setting ucs/web/overview/entries/service/SP/description
Setting ucs/web/overview/entries/service/SP/label
Setting ucs/web/overview/entries/service/SP/link
Setting ucs/web/overview/entries/service/SP/priority
Module: kopano-cfg
Module: create_portal_entries
--2017-05-16 02:45:49--  https://ucs-sso.hel.kopano/simplesamlphp/saml2/idp/certificate
Auflösen des Hostnamen »ucs-sso.hel.kopano (ucs-sso.hel.kopano)«... 10.200.6.100
Verbindungsaufbau zu ucs-sso.hel.kopano (ucs-sso.hel.kopano)|10.200.6.100|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2017-05-16 02:45:49 FEHLER 403: Forbidden.

unable to load certificate
140528867223184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
EXITCODE=1
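
The join log above shows the certificate download answering 403 Forbidden and the following openssl step failing with "no start line". As an added example (not part of the bug report or of the UCS joinscripts), this sketch stops at the failed download and checks that the file parses as a PEM certificate before it replaces the installed one. The function names are hypothetical, and it assumes the `wget` and `openssl` command-line tools are available.

```sh
#!/bin/sh
# Added example: guarded download of an IdP certificate.
# Function names are hypothetical, not taken from UCS.

# Return 0 only if FILE is non-empty and parses as a PEM X.509 certificate.
# An empty file or an HTML error body fails here instead of further downstream.
is_pem_certificate() {
    [ -s "$1" ] && openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# Validate SRC, then move it over DEST. DEST is left untouched on failure.
install_idp_certificate() {
    src=$1
    dest=$2
    if ! is_pem_certificate "$src"; then
        echo "refusing to install $dest: $src is not a PEM certificate" >&2
        return 1
    fi
    # Record what is being trusted so a later change is visible in the log.
    openssl x509 -in "$src" -noout -subject -fingerprint -sha256 >&2
    mv -f "$src" "$dest"
}

# Download URL into a temporary file beside DEST, then validate and install.
fetch_idp_certificate() {
    url=$1
    dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # wget exits non-zero when the server answers with an error such as 403.
    if ! wget -q -O "$tmp" "$url"; then
        echo "download of $url failed, keeping existing $dest" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! install_idp_certificate "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
}

# Usage, with the URL pattern seen in the join log:
#   fetch_idp_certificate \
#       "https://ucs-sso.example.test/simplesamlphp/saml2/idp/certificate" \
#       /etc/ssl/idp-certificate.crt
```
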
Comment 1 Jürn Brodersen univentionstaff 2018-02-06 16:08:30 CET
Whether ucs-sso is reachable is already tested in other tests. -> Only run this test on master and backup.

4.2-3
35991d8b: fix 82_saml/24_download_certificate
4.3-0
39b5879d: fix 82_saml/24_download_certificate