Bug 47911 - schoolimport/ping: ConnectionError: hostname '**' doesn't match '**' (SSL certificate verification error)
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - User Import UI
Version: UCS@school 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.3 v6-errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Daniel Tröder
Depends on:
Blocks: 49471 49400 49564
Reported: 2018-10-04 14:56 CEST by Johannes Keiser
Modified: 2019-05-28 16:59 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018120721000526, 2018083021000795, 2018120421000193
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Description Johannes Keiser univentionstaff 2018-10-04 14:56:03 CEST
Version: 4.3-1 errata160 (Neustadt) - UCS@school 4.3 v4

Interner Server-Fehler in "schoolimport/ping".
Request: schoolimport/ping

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 182, in _recv
    self.handle(msg)
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 292, in handle
    self.__handler.init()
  File "%PY2.7%/univention/management/console/modules/schoolimport/__init__.py", line 61, in init
    self.client = Client(self.username, self.password, log_level=Client.LOG_RESPONSE)
  File "%PY2.7%/ucsschool/http_api/client.py", line 376, in __init__
    setattr(self, cls_name, kls(self))
  File "%PY2.7%/ucsschool/http_api/client.py", line 474, in __init__
    self.resource_url = self.client.resource_urls[self.resource_name]
  File "%PY2.7%/ucsschool/http_api/client.py", line 386, in resource_urls
    self._resource_urls = self.call_api('get', '.')
  File "%PY2.7%/ucsschool/http_api/client.py", line 451, in call_api
    raise ConnectionError(str(exc))
ConnectionError: hostname '**' doesn't match '**'

Role: domaincontroller_master
Comment 1 Daniel Tröder univentionstaff 2018-10-04 15:35:17 CEST
(In reply to Johannes Keiser from comment #0)
> ConnectionError: hostname '**' doesn't match '**'

Is '**' literal or anonymized?
Comment 2 Johannes Keiser univentionstaff 2018-10-04 15:55:39 CEST
(In reply to Daniel Tröder from comment #1)
> (In reply to Johannes Keiser from comment #0)
> > ConnectionError: hostname '**' doesn't match '**'
> 
> Is '**' literal or anonymized?

Anonymized
Comment 5 Daniel Tröder univentionstaff 2018-10-05 09:24:25 CEST
This change allows setting two new UCRVs:

ucsschool/import/http_api/client/server (default FQDN)
ucsschool/import/http_api/client/ssl_verify (default true)

In the above scenario it should be enough to set ucsschool/import/http_api/client/server=** (and run "service univention-management-console-server restart").

The deactivation of the SSL certificate verification should be avoided at all costs!

[dtroeder/47911_fqdn_mismatch be952312d] Bug #47911: add UCRVs to set HTTP-API server address and deactivate SSL certificate verification
Comment 6 Johannes Keiser univentionstaff 2018-12-19 14:47:05 CET
Reported again: Version: 4.3-2 errata376 (Neustadt) - UCS@school 4.3 v6

Interner Server-Fehler in "schoolimport/ping".
Request: schoolimport/ping

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 186, in _recv
    self.handle(msg)
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 296, in handle
    self.__handler.init()
  File "%PY2.7%/univention/management/console/modules/schoolimport/__init__.py", line 62, in init
    self.client = Client(self.username, self.password, log_level=Client.LOG_RESPONSE)
  File "%PY2.7%/ucsschool/http_api/client.py", line 382, in __init__
    setattr(self, cls_name, kls(self))
  File "%PY2.7%/ucsschool/http_api/client.py", line 480, in __init__
    self.resource_url = self.client.resource_urls[self.resource_name]
  File "%PY2.7%/ucsschool/http_api/client.py", line 392, in resource_urls
    self._resource_urls = self.call_api('get', '.')
  File "%PY2.7%/ucsschool/http_api/client.py", line 457, in call_api
    raise ConnectionError(str(exc))
ConnectionError: hostname '***' doesn't match either of '***', '***'

Role: domaincontroller_master
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2018-12-20 14:00:41 CET
6eec6ceb7 Bug #47911: update advisory
78e67d0e6 Bug #47911: Merge branch 'dtroeder/47911_fqdn_mismatch' into 4.3
73fc1dccb Bug #47911: add manual entry for ucsschool/import/http_api/client/server
da5f31efd Bug #47911: add advisory
de261b019 Bug #47911: add changelog entry
91ec6ee9a Bug #47911: update UCR variable descriptions


Package: ucs-school-umc-import
Version: 1.0.1-5A~4.3.0.201812201355
Branch: ucs_4.3-0
Scope: ucs-school-4.3


Test method:
→ use test.$domainname in certificate instead of $hostname.$domainname
eval "$(ucr shell)"
univention-certificate new -name "test.$domainname" -days 365
ucr set apache2/ssl/certificate=/etc/univention/ssl/test.$domainname/cert.pem apache2/ssl/key=/etc/univention/ssl/test.$domainname/private.key
systemctl restart apache2
→ got mentioned traceback
→ set new hostname for http_api client
eval "$(ucr shell)"
sed -i -re "s/($hostname)$/\1 test.$domainname/" /etc/hosts
ucr set ucsschool/import/http_api/ALLOWED_HOSTS=$hostname.$domainname,test.$domainname,127.0.0.1,localhost
ucr set ucsschool/import/http_api/client/server=test.$domainname
pkill -f " -m schoolimport"
service apache2 restart
service ucs-school-import-http-api restart
service celery-worker-ucsschool-import restart
→ no problem any longer


(In reply to Daniel Tröder from comment #5)
> In the above scenario it should be enough to set
> ucsschool/import/http_api/client/server=** (and run "service
> univention-management-console-server restart").
→ logout and relogin is sufficient → new UMC module process (or pkill ;-)
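
Added example, not part of the bug report or of the UCS@school code: the hostname check behind the traceback, used to find which name can be set in ucsschool/import/http_api/client/server (comment 5, and the test method in comment 8) so that certificate verification stays enabled. The certificate dict, the host names and all function names are constructed for illustration; IP-address SAN entries are not handled.

```python
# Added example: which names would pass hostname verification for a given certificate.
# All host names and the certificate below are constructed sample data.

# Shape of the dict returned by ssl.SSLSocket.getpeercert() (constructed values).
SAMPLE_CERT = {
    "subject": ((("commonName", "test.school.example"),),),
    "subjectAltName": (("DNS", "test.school.example"), ("DNS", "test")),
}
# Names an admin might consider for ucsschool/import/http_api/client/server.
CANDIDATES = ["master.school.example", "test.school.example", "localhost"]


def cert_dns_names(cert):
    """dNSName SAN entries; the subject CN is used only when there are none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive label comparison; '*' may only replace the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice in this example: refuse wildcards such as '*.example'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def usable_server_names(cert, candidates):
    """Candidates that the certificate covers, i.e. safe values for the client."""
    names = cert_dns_names(cert)
    return [c for c in candidates if any(name_matches(n, c) for n in names)]


if __name__ == "__main__":
    print("certificate names:", cert_dns_names(SAMPLE_CERT))
    for host in CANDIDATES:
        ok = bool(usable_server_names(SAMPLE_CERT, [host]))
        print("%-24s %s" % (host, "verifies" if ok else "hostname mismatch"))
```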
Comment 9 Daniel Tröder univentionstaff 2018-12-20 15:10:25 CET
OK: manual entry
OK: UCRV descriptions
OK: advisory