Univention Bugzilla – Bug 52766
Kelvin API doesn't work if apache2 is configured to use a non-UCS-CA certificate
Last modified: 2022-05-12 11:06:18 CEST
root@ucs01:~# univention-app info
UCS: 4.4-7 errata887
Installed: prometheus-node-exporter=1.1 self-service=4.0 self-service-backend=4.0 ucsschool=4.4 v8 ucsschool-kelvin-rest-api=1.2.0 4.3/admin-dashboard=1.2 4.3/prometheus=1.1
Upgradable:

Expected behaviour:
I can configure apache2 to use a different certificate than the default via UCRVs apache2/ssl/{ca,certificate,key} and the Kelvin API still works.

Observed behaviour:
If I configure apache2 to use a certificate that is not signed by the local UCS CA (e.g. a Let's Encrypt certificate), the Kelvin API returns an "Internal Server Error" while trying to read from or write to LDAP.

As far as I understand, the Kelvin REST API server utilises a UDM REST API client which then talks to the UDM REST API server to create/modify/delete LDAP objects (see https://docs.software-univention.de/ucsschool-kelvin-rest-api/overview.html). The UDM REST API client now tries to verify the SSL certificate when talking to the UDM REST API server. Since the UDM REST API server is provided via apache2, it uses the certificate configured via UCRVs apache2/ssl/{ca,certificate,key}.

Unfortunately, Kelvin has the UCS CA certificate hardcoded for ssl verification and passes this on to the UDM REST API client:
https://git.knut.univention.de/univention/ucsschool/-/blob/feature/kelvin/kelvin-api/ucsschool/kelvin/constants.py#L77
https://git.knut.univention.de/univention/ucsschool/-/blob/feature/kelvin/kelvin-api/ucsschool/kelvin/ldap_access.py#L69

This leads to a situation where the certificate can't be verified, if it's not signed by the local UCS CA. The operation aborts with a traceback that can be found in /var/log/univention/ucsschool-kelvin-rest-api/http.log (see attachment) and Kelvin returns "Internal Server Error".
I propose that it should be possible to:
a) easily configure other CA certificates for the verification
b) easily replace the copy of the UCS CA certificate inside the Kelvin Docker container, because certificates tend to expire at some point

Maybe this can be done via the Kelvin App Settings?
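The report's core point is that a CA bundle hardcoded at build time cannot follow what the operator configures in apache2/ssl/{ca,certificate,key}, and that the failure surfaces late, as an "Internal Server Error" on the first LDAP operation. The following is an added illustration of the configurable approach the report proposes; it is not Kelvin's or Univention's code. It assumes a hypothetical app setting exposed as the environment variable KELVIN_UDM_CA_BUNDLE and uses a placeholder path for the container's copy of the UCS CA (the real location is the constants.py line linked above). An explicit setting wins, the UCS CA copy is used only as a fallback, and with neither the system trust store is used, which is what a Let's Encrypt certificate needs. A misconfigured bundle is rejected at startup with a clear message instead of failing per request.

```python
"""Configurable CA bundle for verifying the UDM REST API server certificate.

Added example, not part of the Kelvin project. KELVIN_UDM_CA_BUNDLE is an
assumed setting name; UCS_CA_FALLBACK is a placeholder path.
"""
import os
import ssl
import tempfile
from typing import Optional

# Placeholder for the UCS CA copy inside the container (assumed, not the real path).
UCS_CA_FALLBACK = "/path/to/container/copy/of/ucs-ca.pem"
SETTING_NAME = "KELVIN_UDM_CA_BUNDLE"  # hypothetical app setting


class CAConfigError(Exception):
    """Raised at startup when the configured CA bundle is unusable."""


def resolve_ca_bundle(configured: Optional[str], fallback: Optional[str]) -> Optional[str]:
    """Decide which CA file to trust.

    Order: explicit operator setting, then the fallback copy of the UCS CA if it
    exists, else None, meaning the system trust store (public CAs such as
    Let's Encrypt live there).
    """
    if configured:
        return configured
    if fallback and os.path.isfile(fallback):
        return fallback
    return None


def build_verify_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Build a strict client context (CERT_REQUIRED, hostname check on).

    PROTOCOL_TLS_CLIENT enables both checks by default; we only choose the
    trust anchors. A bad bundle is turned into a CAConfigError so that the
    service fails fast with a readable message instead of a 500 later.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file is None:
        ctx.load_default_certs()  # system store
        return ctx
    if not os.path.isfile(ca_file):
        raise CAConfigError(f"CA bundle not found: {ca_file}")
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except ssl.SSLError as exc:  # e.g. "no certificate or crl found"
        raise CAConfigError(f"CA bundle {ca_file} has no usable certificate: {exc}") from exc
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context verifies the peer chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def write_temp_file(content: bytes) -> str:
    """Helper for demonstrations/tests: write bytes to a temp file, return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def context_from_environment() -> ssl.SSLContext:
    """Startup entry point: read the assumed setting and build the context."""
    chosen = resolve_ca_bundle(os.environ.get(SETTING_NAME), UCS_CA_FALLBACK)
    return build_verify_context(chosen)


if __name__ == "__main__":
    try:
        ctx = context_from_environment()
        chosen = resolve_ca_bundle(os.environ.get(SETTING_NAME), UCS_CA_FALLBACK)
        print("trust anchors:", chosen or "system store", "| strict:", context_is_strict(ctx))
    except CAConfigError as err:
        print("configuration error:", err)
```

The resulting context can be handed to the UDM REST API client in whatever way that client accepts a custom SSL context or CA path; the decision logic and the startup check are the part the report asks for, and the fallback path is what would be replaced when the UCS CA copy in the container is renewed.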
QA Checklist
1. Certificates other than a UCS CA signed certificate can be used.
2. The scenario is tested with a different (e.g. Let's Encrypt) certificate.
3. Documentation exists and is comprehensive
4. Tests exist and pass
5. Kelvin is released
The fix, including tests, was implemented in
[juern/52766_kelvin_certs] 0420122b5 Bug #52766: add documentation
[juern/52766_kelvin_certs] df34d30ea Bug #52766: add custom crt support
OK: code review
OK: changelog
OK: manual tests
OK: automated test by Jenkins
Documentation update is online.
Kelvin 1.4.4 has been released.