Bug 50770 - Bug or Feature? Shortname vs. FQDN in https:// Requests
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-3-errata
Assigned To: Jannik Ahlers
Felix Botner
Depends on:
Blocks:
Reported: 2020-02-03 16:45 CET by Christian Völker
Modified: 2020-03-24 09:05 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020010921000717
Bug group (optional):
Max CVSS v3 score:
Description Christian Völker univentionstaff 2020-02-03 16:45:42 CET
For some reason, the customer installed wildcard certificates in Apache on all his UCS servers.

Thus, all https:// requests used this wildcard certificate.

Now there is an issue if the short hostname is not mentioned in the certificate as a subject alternate name:

"slave" does not match to "*.local.domain.com"

Thus, curl reports an error:
==================================
root@ucs:~# curl https://slave
curl: (51) SSL: no alternative certificate subject name matches target host name 'slave'
==================================

Using the FQDN it works fine:
==================================
root@ucs:~# curl https://slave.local.domain.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://slave.domain.com/univention/">here</a>.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at slave.domain.com Port 443</address>
</body></html>
==================================


So using the shortname is some sort of security enhancement, as it verifies whether the hostname is mentioned in the certificate.

Otherwise we can prevent issues for customers using wildcards by simply using the FQDN, which is much more secure...
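The matching rule behind the curl error above, as an added example (not code from the report or from UCS): a minimal RFC 6125 style dNSName matcher that shows why a wildcard SAN covers the FQDN but never a bare short hostname. The SAN list is constructed for the example.

```python
"""Wildcard SAN matching, RFC 6125 section 6.4.3 style (added example)."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `hostname`.

    Rules applied: compare case-insensitively, ignore a trailing dot,
    allow '*' only as the complete left-most label, and let it match
    exactly one label (so '*.local.domain.com' covers neither 'slave'
    nor 'a.b.local.domain.com'). Patterns such as 'f*o.example' or
    '*.com' are rejected as unsafe.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname            # plain dNSName: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                          # partial/multiple/too-broad wildcard
    if len(p_labels) != len(h_labels):
        return False                          # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_covers(sans, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the target host name."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed SAN list, modelled on the wildcard certificate in the report.
CONSTRUCTED_SANS = ["*.local.domain.com", "local.domain.com"]

if __name__ == "__main__":
    for host in ("slave", "slave.local.domain.com", "a.slave.local.domain.com"):
        verdict = "ok" if certificate_covers(CONSTRUCTED_SANS, host) else "no SAN matches"
        print(f"{host}: {verdict}")
```

The short name fails for the same reason in curl, browsers and Python's ssl module: the wildcard label must stand in for exactly one DNS label, and "slave" has none of the parent labels to match.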
Comment 1 Dirk Wiesenthal univentionstaff 2020-02-26 13:13:55 CET
*** Bug 50855 has been marked as a duplicate of this bug. ***
Comment 2 Jannik Ahlers univentionstaff 2020-03-12 16:19:26 CET
I had to change the frontend to use the FQDN instead of the hostname in different locations.
The backend code had to be adapted as well. It should be backwards compatible with other UCS versions, which is important for the global App Center to work.

46bf9b3e51 (HEAD -> 4.4-3) Bug #50770: yaml
0631187a09 (origin/4.4-3) Bug #50770: yaml
bbde3beeab Revert "Bug #50770: yaml"
458b09de46 Bug #50770: yaml
5a46cbc386 Bug #50770: changelog
cacccce973 Bug #50770: fix global appcenter for wildcard ssl certificates
Comment 3 Felix Botner univentionstaff 2020-03-16 09:19:40 CET
80_docker.88_docker_env_file fails with 

20-03-16 05:29:04.520367) Traceback (most recent call last):
(2020-03-16 05:29:04.520454)   File "88_docker_env_file", line 64, in <module>
(2020-03-16 05:29:04.520517)     assert ('TEST_HOSTNAME=%s' % ucr.get('hostname')) in env_container, env_container
(2020-03-16 05:29:04.520590) AssertionError: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
(2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
(2020-03-16 05:29:04.520616) HOME=/root
(2020-03-16 05:29:04.520640) 

Could this be related to this bug? Please have a look.
Comment 4 Felix Botner univentionstaff 2020-03-16 11:26:21 CET
(In reply to Felix Botner from comment #3)
> 80_docker.88_docker_env_file fails with 
> 
> 20-03-16 05:29:04.520367) Traceback (most recent call last):
> (2020-03-16 05:29:04.520454)   File "88_docker_env_file", line 64, in
> <module>
> (2020-03-16 05:29:04.520517)     assert ('TEST_HOSTNAME=%s' %
> ucr.get('hostname')) in env_container, env_container
> (2020-03-16 05:29:04.520590) AssertionError:
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> (2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
> (2020-03-16 05:29:04.520616) HOME=/root
> (2020-03-16 05:29:04.520640) 
> 
> could this related to this bug?, please have look

No, nothing to do with this bug. The problem is the following:

the test uses
 'univention-app', 'shell', name, 'env'
to get the container env, and univention-app uses appcenter/apps/APP_ID/container as the container id for the main service, but during create this variable can be set to the wrong container if the services use the same image.
Comment 5 Felix Botner univentionstaff 2020-03-16 11:31:01 CET
(In reply to Felix Botner from comment #4)
> (In reply to Felix Botner from comment #3)
> > 80_docker.88_docker_env_file fails with 
> > 
> > 20-03-16 05:29:04.520367) Traceback (most recent call last):
> > (2020-03-16 05:29:04.520454)   File "88_docker_env_file", line 64, in
> > <module>
> > (2020-03-16 05:29:04.520517)     assert ('TEST_HOSTNAME=%s' %
> > ucr.get('hostname')) in env_container, env_container
> > (2020-03-16 05:29:04.520590) AssertionError:
> > PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> > (2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
> > (2020-03-16 05:29:04.520616) HOME=/root
> > (2020-03-16 05:29:04.520640) 
> > 
> > could this related to this bug?, please have look
> 
> no, nothing todo with this bug, problem is the following, 
> 
> the test uses
>  'univention-app', 'shell', name, 'env'
> to get the container env, and univention-app uses
> appcenter/apps/APP_ID/container as container id for the main service, but
> during create this variable can be set to the wrong container is the
> services using the same image

see Bug #50969
Comment 6 Felix Botner univentionstaff 2020-03-16 16:22:49 CET
* OK - global App install from New on OLD (host: FQDN)
* OK - global App install from OLD on NEW
* OK - global App install from New on NEW (host: FQDN)
* OK - local App install
* OK - yaml
Comment 7 Erik Damrose univentionstaff 2020-03-18 12:27:48 CET
<http://errata.software-univention.de/ucs/4.4/485.html>