Univention Bugzilla – Bug 47911
schoolimport/ping: ConnectionError: hostname '**' doesn't match '**' (SSL certificate verification error)
Last modified: 2022-03-10 10:56:44 CET
Version: 4.3-1 errata160 (Neustadt) - UCS@school 4.3 v4 Interner Server-Fehler in "schoolimport/ping". Request: schoolimport/ping Traceback (most recent call last): File "%PY2.7%/univention/management/console/protocol/modserver.py", line 182, in _recv self.handle(msg) File "%PY2.7%/univention/management/console/protocol/modserver.py", line 292, in handle self.__handler.init() File "%PY2.7%/univention/management/console/modules/schoolimport/__init__.py", line 61, in init self.client = Client(self.username, self.password, log_level=Client.LOG_RESPONSE) File "%PY2.7%/ucsschool/http_api/client.py", line 376, in __init__ setattr(self, cls_name, kls(self)) File "%PY2.7%/ucsschool/http_api/client.py", line 474, in __init__ self.resource_url = self.client.resource_urls[self.resource_name] File "%PY2.7%/ucsschool/http_api/client.py", line 386, in resource_urls self._resource_urls = self.call_api('get', '.') File "%PY2.7%/ucsschool/http_api/client.py", line 451, in call_api raise ConnectionError(str(exc)) ConnectionError: hostname '**' doesn't match '**' Role: domaincontroller_master
(In reply to Johannes Keiser from comment #0) > ConnectionError: hostname '**' doesn't match '**' Is '**' literal or anonymized?
(In reply to Daniel Tröder from comment #1) > (In reply to Johannes Keiser from comment #0) > > ConnectionError: hostname '**' doesn't match '**' > > Is '**' literal or anonymized? Anonymized
This change allows to set two new UCRVs: ucsschool/import/http_api/client/server (default FQDN) ucsschool/import/http_api/client/ssl_verify (default true) In the above scenario it should be enough to set ucsschool/import/http_api/client/server=** (and run "service univention-management-console-server restart"). The deactivation of the SSL certificate verification should be avoided at all costs! [dtroeder/47911_fqdn_mismatch be952312d] Bug #47911: add UCRVs to set HTTP-API server address and deactivate SSL certificate verification
Reported again: Version: 4.3-2 errata376 (Neustadt) - UCS@school 4.3 v6 Interner Server-Fehler in "schoolimport/ping". Request: schoolimport/ping Traceback (most recent call last): File "%PY2.7%/univention/management/console/protocol/modserver.py", line 186, in _recv self.handle(msg) File "%PY2.7%/univention/management/console/protocol/modserver.py", line 296, in handle self.__handler.init() File "%PY2.7%/univention/management/console/modules/schoolimport/__init__.py", line 62, in init self.client = Client(self.username, self.password, log_level=Client.LOG_RESPONSE) File "%PY2.7%/ucsschool/http_api/client.py", line 382, in __init__ setattr(self, cls_name, kls(self)) File "%PY2.7%/ucsschool/http_api/client.py", line 480, in __init__ self.resource_url = self.client.resource_urls[self.resource_name] File "%PY2.7%/ucsschool/http_api/client.py", line 392, in resource_urls self._resource_urls = self.call_api('get', '.') File "%PY2.7%/ucsschool/http_api/client.py", line 457, in call_api raise ConnectionError(str(exc)) ConnectionError: hostname '***' doesn't match either of '***', '***' Role: domaincontroller_master
6eec6ceb7 Bug #47911: update advisory 78e67d0e6 Bug #47911: Merge branch 'dtroeder/47911_fqdn_mismatch' into 4.3 73fc1dccb Bug #47911: add manual entry for ucsschool/import/http_api/client/server da5f31efd Bug #47911: add advisory de261b019 Bug #47911: add changelog entry 91ec6ee9a Bug #47911: update UCR variable descriptions Package: ucs-school-umc-import Version: 1.0.1-5A~4.3.0.201812201355 Branch: ucs_4.3-0 Scope: ucs-school-4.3 Test method: → use test.$domainname in certificate instead of $hostname.$domainname eval "$(ucr shell)" univention-certificate new -name "test.$domainname" -days 365 ucr set apache2/ssl/certificate=/etc/univention/ssl/test.$domainname/cert.pem apache2/ssl/key=/etc/univention/ssl/test.$domainname/private.key systemctl restart apache2 → got mentioned traceback → set new hostname for http_api client eval "$(ucr shell)" sed -i -re "s/($hostname)$/\1 test.$domainname/" /etc/hosts ucr set ucsschool/import/http_api/ALLOWED_HOSTS=$hostname.$domainname,,test.$domainname,127.0.0.1,localhost ucr set ucsschool/import/http_api/client/server=test.$domainname pkill -f " -m schoolimport" service apache2 restart service ucs-school-import-http-api restart service celery-worker-ucsschool-import restart → no problem any longer (In reply to Daniel Tröder from comment #5) > In the above scenario it should be enough to set > ucsschool/import/http_api/client/server=** (and run "service > univention-management-console-server restart"). → logout and relogin is sufficient → new UMC module process (or pkill ;-)
OK: manual entry OK: UCRV descriptions OK: advisory
Errata published https://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html#changelog:ucsschool:2018-12-21
*** Bug 54137 has been marked as a duplicate of this bug. ***