Univention Bugzilla – Bug 46360
certificate verification blocks exam-cleanup-script
Last modified: 2018-04-06 22:09:03 CEST
A customer reported that since July '17 only the following error message is logged in the
04.02.18 23:30:05.406 MAIN ( ERROR ) : Could not connect to UMC on dc417: ('Could not send request.', CertificateError("hostname 'dc417' doesn't match u'dc417.school.example.de'",))
The cleanup script is executed via cron on the master and every school slave. The error occurs on each server. In line 80 of /usr/share/ucs-school-exam/exam-and-room-cleanup ("client = Client(self.hostname)") only the hostname is used for the connection to the UMC, which causes the problem, because the SSL certificate is issued to the FQDN.
This seems to be a regression
Raising this bug's priority, as this effectively disables the cleanup script.
The cleanup script can be essential for daily work, as left-overs from prior exams can completely block work in computer rooms.
@Jürn: please prioritize this bug's QA over any other school related bug, as it's now in the school-priority-list.
The usage of just the hostname has worked since the beginning of the script in Oct'2016 (see Bug #40213). It is more likely that the customer has changed its DNS settings. Probably /etc/resolv.conf is missing the "search school.example.de" line.
Anyway - using the FQDN is correct, and thus this has been fixed here.
BTW: there is more code that uses only the hostname to connect to the local UMC server.
[4.2 5cfcdd7f] Bug #46360: use FQDN to connect to UMC server
[4.2 e3143968] Bug #46360: handle non-existing directories
[4.2 87462d20] Bug #46360: changelog
[4.3 04e9aada] Bug #46360: use FQDN to connect to UMC server
[4.3 51c3a414] Bug #46360: handle non-existing directories
[4.3 8de1ba54] Bug #46360: changelog
[4.2 39e5aa28] Bug #46360: advisory
What I tested:
"/usr/share/ucs-school-exam/exam-and-room-cleanup" on master and slave -> Everything is cleaned up -> OK
Removed DIR_ROOMS folder -> Everything is cleaned up -> OK
Removed DIR_EXAMS folder -> Everything is cleaned up -> OK
Changed advisory to make it more clear that the FQDN is also used for the connection and not just the certificate verification. (13fd8084)
This error happened in all domains that are not using the self-signed certificates that have the hostname in the "Subject Alternative Name" field.
(In reply to Daniel Tröder from comment #2)
> The usage of just the hostname has worked since the beginning of the script
> in Oct'2016 (see Bug #40213). It is more likely that the customer has
> changed its DNS settings. Probably /etc/resolv.conf is missing the "search
> school.example.de" line.
> Anyway - using the FQDN is correct, and thus this has been fixed here.
This change of behaviour has been introduced with UCS 4.2-0 AFAIR (dunno if this change was part of univention-python or python itself; but the hostname used for the connection has to match the SSL certificate, otherwise the connection is refused).
UCS@school 4.2 v8 has been released.
If this error occurs again, please clone this bug.
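The mismatch discussed in this bug, as an added example (not code from UCS, the cleanup script or the fix commits): a simplified hostname check over a certificate dict in the layout returned by Python's `ssl.SSLSocket.getpeercert()`. The two certificates, the wildcard case and all function names are constructed for illustration; the check goes slightly beyond the thread by also handling a left-most wildcard label.

```python
# Simplified hostname verification; an illustration, not the CPython or UCS code.

def dns_name_matches(pattern, name):
    """Compare one certificate dNSName with the name the client connected to."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label, never a bare hostname.
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name


def names_in_cert(cert):
    """Return the DNS names a client may accept for this certificate."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # commonName is only consulted when no dNSName SAN exists (legacy fallback).
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def verify(cert, connect_name):
    """True if the name used for the connection is covered by the certificate."""
    return any(dns_name_matches(n, connect_name) for n in names_in_cert(cert))


def to_fqdn(hostname, domainname):
    """Hypothetical helper: build the FQDN the client should connect with."""
    return hostname if "." in hostname else "%s.%s" % (hostname, domainname)


# Constructed sample: certificate issued to the FQDN only (the failing case).
FQDN_ONLY_CERT = {
    "subject": ((("commonName", "dc417.school.example.de"),),),
    "subjectAltName": (("DNS", "dc417.school.example.de"),),
}
# Constructed sample: certificate that also lists the short hostname in its SAN.
HOSTNAME_IN_SAN_CERT = {
    "subject": ((("commonName", "dc417.school.example.de"),),),
    "subjectAltName": (("DNS", "dc417.school.example.de"), ("DNS", "dc417")),
}
# Constructed sample: wildcard certificate for the school domain.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.school.example.de"),)}

if __name__ == "__main__":
    for label, cert in (("fqdn-only", FQDN_ONLY_CERT),
                        ("hostname-in-san", HOSTNAME_IN_SAN_CERT),
                        ("wildcard", WILDCARD_CERT)):
        for name in ("dc417", to_fqdn("dc417", "school.example.de")):
            print(label, name, verify(cert, name))
```

Connecting with the FQDN passes against all three certificates, while the short hostname only passes when the certificate explicitly lists it.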