Bug 46789 - api for app certificate management
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.3
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Felix Botner
Dirk Wiesenthal
Reported: 2018-04-06 16:58 CEST by Felix Botner
Modified: 2018-06-06 16:16 CEST
What kind of report is it?: Feature Request
Description Felix Botner univentionstaff 2018-04-06 16:58:51 CEST

Comment 1 Felix Botner univentionstaff 2018-04-06 17:16:19 CEST
Hey Dirk, please have a look.

Comment 2 Dirk Wiesenthal univentionstaff 2018-04-11 18:20:05 CEST
Looks good.

Please remove the certificate update code specifically for appbox. It will not work as the Docker Host does not have access to the certificate for the Docker Container. Instead, we could do this via the new script.

This new script needs to be added in the dev package:
  actions/local_appcenter.py DevPopulateAppcenter

Also, there is a typo: docker.is_running needs to be called as docker.is_running().

Comment 3 Felix Botner univentionstaff 2018-04-20 12:41:26 CEST
merged to 4.3-0

* always cp root ca to /usr/local/share/ca-certificates/ucs.crt in container
* cp docker host cert to /etc/univention/ssl/docker-host-certificate/cert.pem
  (canonical name) and /etc/univention/ssl/fqdn/cert.pem
* added (hidden) switch --do-not-call-join-scripts (nothing to do with this bug,
  but we may need this in the future for app appliances and school)

added test 80_docker/72_app_update_certificates in ucs-test-docker

please reopen even if verified for wiki documentation

Comment 4 Quality Assurance univentionstaff 2018-05-04 16:43:07 CEST
--- mirror/ftp/4.3/unmaintained/component/4.3-0-errata/source/univention-appcenter_7.0.1-37A~
+++ apt/ucs_4.3-0-errata4.3-0/source/univention-appcenter_7.0.1-41A~
@@ -1,6 +1,18 @@
-7.0.1-37A~ [Mon, 16 Apr 2018 17:50:42 +0200] Univention builddaemon <buildd@univention.de>:
+7.0.1-41A~ [Fri, 20 Apr 2018 12:22:32 +0200] Univention builddaemon <buildd@univention.de>:
   * UCS auto build. No patches were applied to the original source package
+7.0.1-41 [Fri, 20 Apr 2018 12:21:18 +0200] Felix Botner <botner@univention.de>:
+  * Bug #46789: certificate management
+7.0.1-39 [Thu, 19 Apr 2018 17:31:31 +0200] Felix Botner <botner@univention.de>:
+  * Bug #46789: certificate management
+7.0.1-38 [Thu, 19 Apr 2018 14:43:20 +0200] Felix Botner <botner@univention.de>:
+  * Bug #46789: certificate management
 7.0.1-37 [Mon, 16 Apr 2018 17:49:30 +0200] Felix Botner <botner@univention.de>:
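Review bot: the three added changelog entries (7.0.1-38, 7.0.1-39 and 7.0.1-41) all carry the identical text "Bug #46789: certificate management", so the changelog cannot tell a reader which upload introduced which part of the change. Each entry should name what it changed, for example the root CA copy into the container or the host certificate copy listed in comment 3. The version also jumps from 7.0.1-39 to 7.0.1-41 with no 7.0.1-40 entry; if that upload existed, its entry is missing here.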

Comment 5 Dirk Wiesenthal univentionstaff 2018-05-30 13:27:51 CEST
Works just fine. Could you please fix this minor issue:

univention-app register takes an argument 'apps'. Could you use this approach instead of '--app' and '--all-apps'?

Comment 6 Felix Botner univentionstaff 2018-05-30 15:01:08 CEST

Comment 7 Dirk Wiesenthal univentionstaff 2018-05-31 06:31:59 CEST
Due to now missing --app:

Same here:
  You now need to call the action like this: call(apps=[app])

In the Docker action:
  You can safely remove setup_parser()
  You test os.path.isfile before calling _copy_host_cert and in _copy_host_cert again

Comment 8 Felix Botner univentionstaff 2018-05-31 10:33:19 CEST
fixed ucs-test and univention-appcenter

Comment 9 Dirk Wiesenthal univentionstaff 2018-05-31 17:46:18 CEST
Ok, works

Comment 10 Erik Damrose univentionstaff 2018-06-06 16:16:27 CEST