Bug 49727 - Restart stunnel & univention-firewall service after joining DC Backup to make SAML failover work out-of-the-box
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
Reported: 2019-06-25 13:59 CEST by Erik Damrose
Modified: 2021-05-26 13:28 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Description Erik Damrose univentionstaff 2019-06-25 13:59:14 CEST
After joining an additional DC Backup into a UCS 4.4 domain, the following was logged in the DC Master syslog:

Jun 25 13:40:05 master univention-saml-stunnel: LOG3[13]: s_connect: connect 10.200.7.81:11212: Connection refused (111)
Jun 25 13:40:05 master univention-saml-stunnel: LOG3[13]: No more addresses to connect
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup.w2k12.test.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] Backtrace:
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 11 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 10 [builtin] (MemcachePool::get)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:54 (SimpleSAML_Auth_Simple::isAuthenticated)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:264 (SimpleSAML_IdP::isAuthenticated)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:404 (SimpleSAML_IdP::handleAuthenticationRequest)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Jun 25 13:40:05 master simplesamlphp[966]: 3 [7a625964fb] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

The connection to the backup's memcache could not be established. On the DC Backup the stunnel4 service was not running; journalctl logged:

Jun 25 12:28:35 backup stunnel4[820]: Starting TLS tunnels: /etc/stunnel/univention_saml.conf: [ ] Clients allowed=500
Jun 25 12:28:35 backup stunnel4[820]: [.] stunnel 5.39 on x86_64-pc-linux-gnu platform
Jun 25 12:28:35 backup stunnel4[820]: [.] Compiled with OpenSSL 1.1.0f  25 May 2017
Jun 25 12:28:35 backup stunnel4[820]: [.] Running  with OpenSSL 1.1.0j  20 Nov 2018
Jun 25 12:28:35 backup stunnel4[820]: [.] Update OpenSSL shared libraries or rebuild stunnel
Jun 25 12:28:35 backup stunnel4[820]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jun 25 12:28:35 backup stunnel4[820]: [ ] errno: (*__errno_location ())
Jun 25 12:28:35 backup stunnel4[820]: [.] Reading configuration from file /etc/stunnel/univention_saml.conf
Jun 25 12:28:35 backup stunnel4[820]: [.] UTF-8 byte order mark not detected
Jun 25 12:28:35 backup stunnel4[820]: [ ] Cron thread initialized
Jun 25 12:28:35 backup stunnel4[820]: [.] FIPS mode disabled
Jun 25 12:28:35 backup stunnel4[820]: [ ] Compression disabled
Jun 25 12:28:35 backup stunnel4[820]: [ ] Snagged 64 random bytes from /dev/urandom
Jun 25 12:28:35 backup stunnel4[820]: [ ] PRNG seeded successfully
Jun 25 12:28:35 backup stunnel4[820]: [ ] Initializing service [memcached]
Jun 25 12:28:35 backup stunnel4[820]: [ ] Loading certificate from file:
Jun 25 12:28:35 backup stunnel4[820]: [!] error queue: 140DC002: error:140DC002:SSL routines:use_certificate_chain_file:system lib
Jun 25 12:28:35 backup stunnel4[820]: [!] error queue: 20074002: error:20074002:BIO routines:file_ctrl:system lib
Jun 25 12:28:35 backup stunnel4[820]: [!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
Jun 25 12:28:35 backup stunnel4[820]: [!] Service [memcached]: Failed to initialize TLS context
Jun 25 12:28:35 backup stunnel4[820]: failed
Jun 25 12:28:35 backup stunnel4[820]: You should check that you have specified the pid= in you configuration file

But the configuration file /etc/stunnel/univention_saml.conf looked fine on inspection. Restarting the stunnel4 service on the DC Backup worked fine. We should restart stunnel4 during the join, e.g. in 91univention-saml.
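The journal above shows the actual failure mode: stunnel was started before the certificate it is configured to load existed, so "use_certificate_chain_file" failed with "fopen: No such file or directory" and the memcached tunnel never came up. The following check script is an added example and not Univention/UCS code: it parses an stunnel configuration for cert=/key=/CAfile= options, verifies that each referenced file is readable, and only then restarts the tunnel and the firewall. The option names are standard stunnel options; the unit name stunnel4 comes from the journal, while univention-firewall is taken from the bug title and assumed to be the systemd unit name. The demonstration at the end runs on a constructed config in a temporary directory and touches no real service.

```shell
#!/bin/sh
# Added example, not Univention/UCS code: verify that every certificate, key or
# CA file an stunnel configuration refers to exists and is readable before
# (re)starting the tunnel. This is the condition that produced the
# "fopen: No such file or directory" failure on the DC Backup in the report.

# Print the values of the cert=, key= and CAfile= options of an stunnel config.
# Comment lines (starting with ; or #) are skipped; the value is everything
# after the first '=' with surrounding whitespace removed.
stunnel_cert_paths() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == "cert" || k == "key" || k == "CAfile") print v
        }' "$1"
}

# Return 0 if every referenced file is readable, 1 otherwise; missing files are
# listed on stderr. Paths containing whitespace are not handled (word splitting
# in the for loop), which is acceptable for the usual /etc/stunnel layout.
check_stunnel_certs() {
    conf="$1"
    missing=0
    for path in $(stunnel_cert_paths "$conf"); do
        if [ ! -r "$path" ]; then
            echo "$conf: referenced file missing or unreadable: $path" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Restart the tunnel and the firewall only once the certificates are in place.
# stunnel4 is the unit seen in the journal; univention-firewall is the service
# named in the bug title (assumed here to be the systemd unit name).
restart_saml_tunnel_services() {
    check_stunnel_certs /etc/stunnel/univention_saml.conf || return 1
    systemctl restart stunnel4 univention-firewall
}

# Demonstration on a constructed config in a temporary directory: the check
# fails while the certificate is missing and passes once the files exist.
demo_dir=$(mktemp -d)
cat > "$demo_dir/univention_saml.conf" <<EOF
; constructed sample, modelled on an stunnel client section
[memcached]
client = yes
cert = $demo_dir/cert.pem
key = $demo_dir/key.pem
connect = 127.0.0.1:11212
EOF
if check_stunnel_certs "$demo_dir/univention_saml.conf"; then
    echo "unexpected: check passed before the certificate existed"
else
    echo "check failed as expected while cert.pem/key.pem are missing"
fi
touch "$demo_dir/cert.pem" "$demo_dir/key.pem"
if check_stunnel_certs "$demo_dir/univention_saml.conf"; then
    echo "check passed after the files were created"
fi
rm -rf "$demo_dir"
```

Run as a normal user to see the demonstration; only restart_saml_tunnel_services needs root and is never called by the demonstration. In a join script the wrapper would replace a bare "systemctl restart stunnel4", turning a silently dead tunnel into a visible join error.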
Comment 1 Jürn Brodersen univentionstaff 2021-05-26 13:28:01 CEST
Restarting stunnel has been added to ucs5: bug 52975

But I missed that the firewall needs to be restarted as well :(