Bug 47858 - univention-adsearch does not find certificates
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks:
Reported: 2018-09-25 14:10 CEST by Christian Völker
Modified: 2018-10-24 17:27 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Ticket number: 2018070421000176
Bug group (optional):
Max CVSS v3 score:

Description Christian Völker univentionstaff 2018-09-25 14:10:36 CEST
root@ucsdc1:/tmp# univention-adsearch cn=user
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 198, in <module>
    lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 609, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)', 'desc': 'Connect error'}
 

But certificate exists and is referenced:

root@ucsdc1:/etc/univention/connector/ad# ll
total 320
-rw------- 1 root root  1306 May 23  2016 ad_cert_20160523_142543.pem
-rw------- 1 root root  2009 Jan  5  2017 ad_cert_20170105_121042.pem
[...]
 
root@ucsdc1:/etc/univention/connector/ad# ucr search connector/ad
connector/ad/autostart: yes
connector/ad/ldap/base: DC=ltbbg1,DC=lvnbb,DC=de
connector/ad/ldap/binddn: ucsdc1$
connector/ad/ldap/bindpw: /etc/machine.secret
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20170105_121042.pem


Verified the certificate is valid.
Comment 1 Christian Völker univentionstaff 2018-09-25 14:12:32 CEST
A workaround has been implemented on 4.3-1, but it should be fixed properly to be update-safe.


root@ucsdc1:~# diff -Nur /usr/sbin/univention-adsearch univention-adsearch
--- /usr/sbin/univention-adsearch       2018-06-15 12:21:37.000000000 +0200
+++ univention-adsearch 2018-07-05 21:39:11.084541168 +0200
@@ -184,7 +184,8 @@
 if login_pw[-1] == '\n':
        login_pw = login_pw[:-1]
 
-ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
+# ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
+ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem'
 
 start_tls = 2 if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) else 0
 if start_tls and ca_file:
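Review bot: the `+ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem'` line replaces the `'%s/ad/ldap/certificate' % CONFIGBASENAME` lookup with a fixed path, so the `connector/ad/ldap/certificate` UCR setting shown in the report is silently ignored, and the `if start_tls and ca_file:` check below can no longer catch a missing file because the string is always non-empty. If the script must be patched, keep the lookup and only fall back, e.g. `ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME) or '/var/cache/univention-ad-connector/CAcert-connector.pem'`, and guard it with an `os.path.exists(ca_file)` check before `start_tls_s()`; delete the commented-out line rather than leaving dead code. As comment 1 already says, the hard-coded path is not update-safe, so the durable fix is a CA file that carries the complete issuer chain, not a different single certificate.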
Comment 2 Arvid Requate univentionstaff 2018-10-01 19:14:38 CEST
How do the two files

* /etc/univention/connector/ad/ad_cert_20170105_121042.pem

* /var/cache/univention-ad-connector/CAcert-connector.pem

relate to each other? In the initial bug report you write that the first path is correct and the certificate valid but then the workaround is to use a different path?
Comment 3 Stephan Hendl 2018-10-02 16:10:03 CEST
(In reply to Arvid Requate from comment #2)
> How do the two files
> 
> * /etc/univention/connector/ad/ad_cert_20170105_121042.pem
This is the "Landtag Brandenburg AD Sub CA" certificate, which is a sub CA of the UCS Root CA.
openssl x509 -in /etc/univention/connector/ad/ad_cert_20170105_121042.pem -fingerprint
SHA1 Fingerprint=2B:A5:C2:3C:E1:89:C0:36:E5:E7:A6:5F:E0:07:BB:7F:0F:50:BB:22

 
> * /var/cache/univention-ad-connector/CAcert-connector.pem
This is the UCS Root certificate.
openssl x509 -in /var/cache/univention-ad-connector/CAcert-connector.pem -fingerprint
SHA1 Fingerprint=18:FB:91:D1:B2:CD:8B:8F:75:50:50:39:67:AF:1F:70:D3:40:4E:96
 openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -fingerprint
SHA1 Fingerprint=18:FB:91:D1:B2:CD:8B:8F:75:50:50:39:67:AF:1F:70:D3:40:4E:96
Comment 4 Stephan Hendl 2018-10-02 16:12:04 CEST
This also leads to non-functional behavior of the Nagios module for the AD Connector:

ADCONNECTOR CRITICAL: Could not connect to AD server!
Comment 5 Stephan Hendl 2018-10-02 16:14:16 CEST
Our Windows servers get their certificates from the Microsoft Certificate Service running on 2012R2 server. This Microsoft CA is a Sub CA of the Univention Root CA.
Comment 6 Arvid Requate univentionstaff 2018-10-16 16:12:22 CEST
b0a4897230 | make univention-adsearch use the certificate chain file
ff06c509da | Advisory
Comment 7 Arvid Requate univentionstaff 2018-10-16 19:59:46 CEST
edaf5f922e | Fix a variable name
3042c14056 | Advisory
Comment 8 Felix Botner univentionstaff 2018-10-19 14:39:15 CEST
OK - ad connector setup with SSL
OK - ca file bundle
 * rm /var/cache/univention-ad-connector/CAcert-connector.pem
 * univention-adsearch cn=Administrator
 * openssl crl2pkcs7 -nocrl -certfile CAcert-connector.pem | openssl pkcs7 -print_certs -noout

subject=/C=DE/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=Y3SMfZae)/emailAddress=ssl@four.three
issuer=/C=DE/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=Y3SMfZae)/emailAddress=ssl@four.three

subject=/DC=test/DC=w2k12/CN=w2k12-WIN-M1LHUHEJFSI-CA
issuer=/DC=test/DC=w2k12/CN=w2k12-WIN-M1LHUHEJFSI-CA

OK - YAML
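The chain problem behind comments 3, 5 and 8 (the AD server certificate is issued by a sub CA of the UCS root, and a CA file holding only one of the two CAs cannot complete the chain), reproduced as an added example that is not part of this bug or of UCS: it builds a constructed root CA, sub CA and server certificate with the openssl CLI under made-up names, runs `openssl verify` against the sub CA alone and against a root+sub bundle, and lists the bundle the way QA did in comment 8. It assumes `openssl` and `mktemp` are on the PATH; the CA names, hostnames and file names are invented and do not correspond to the certificates from the report.

```shell
#!/bin/sh
# Added example (not UCS code): rebuild the failure mode from the bug with a
# constructed three-level PKI (root CA -> sub CA -> server cert). A CA file
# that holds only the sub CA fails with "unable to get issuer certificate";
# a bundle of root + sub CA verifies. All names below are made up.
set -eu

# make_test_pki DIR: generate root CA, sub CA and server certificate in DIR
make_test_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.example.test
EOF
    # self-signed root (stands in for the UCS root CA)
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # sub CA issued by the root (stands in for the Windows sub CA)
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example AD Sub CA" -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/pki.cnf" -extensions ca_ext \
        -out "$dir/sub.pem" 2>/dev/null
    # server certificate issued by the sub CA (stands in for the domain controller)
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=dc1.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 30 -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.pem" 2>/dev/null
}

# verify_against CAFILE CERT: print the openssl verify result without aborting
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# bundle_subjects BUNDLE: list the certificates a CA file contains (as in comment 8)
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

PKI=$(mktemp -d)
make_test_pki "$PKI"
# chain file: root plus sub CA, the shape a working CA file needs
cat "$PKI/root.pem" "$PKI/sub.pem" > "$PKI/CAcert-bundle.pem"

echo "== sub CA only (what the reported CA file held) =="
verify_against "$PKI/sub.pem" "$PKI/server.pem"
echo "== root + sub CA bundle =="
verify_against "$PKI/CAcert-bundle.pem" "$PKI/server.pem"
echo "== bundle contents =="
bundle_subjects "$PKI/CAcert-bundle.pem"
```

The first `verify_against` call ends with `error 2 at 1 depth lookup: unable to get issuer certificate`, the same error text as in the traceback, because OpenSSL only accepts a chain that ends at a self-signed certificate it trusts; a sub CA on its own is not a trust anchor unless `-partial_chain` (X509_V_FLAG_PARTIAL_CHAIN) is set, which python-ldap does not do. Pointing `bundle_subjects` at the file named in `connector/ad/ldap/certificate` is a quick way to check whether a CA file actually carries the whole issuer chain.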
Comment 9 Arvid Requate univentionstaff 2018-10-24 17:27:01 CEST
<http://errata.software-univention.de/ucs/4.3/289.html>