Bug 52879 - cups uses self signed certificate instead of ucs-ca-signed certificate
Status: VERIFIED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Printserver
Version: UCS 4.4
Hardware: Other All
Importance: P5 normal
Target Milestone: UCS 5.0-9
Assignee: Marius Meschter
QA Contact: Julia Bremer
URL: https://help.univention.com/t/cups-us...
Keywords:
Depends on: 13583
Blocks: ucs509meta
Reported: 2021-03-09 11:27 CET by Daniel Duchon
Modified: 2024-09-16 14:22 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review: Yes
Ticket number: 2021030921000293, 2024062821000077
Bug group (optional):
Customer ID: 00009
Max CVSS v3 score:
requate: Patch_Available+


Description Daniel Duchon univentionstaff 2021-03-09 11:27:25 CET
In a default installation, CUPS does not use the provided ucs-ca signed certificate, but generates its own new one.

Sample output of /etc/cups/ssl:
example1.example.net.crt
example1.example.net.key
server.crt -> /etc/univention/ssl/example1.example.net/cert.pem
server.key -> /etc/univention/ssl/example1.example.net/private.key

It seems that we basically want to use the ucs-certificate, but a suitable configuration parameter is still missing.

You can reproduce this by installing a default cups-setup (univention-app install cups), then open https://<YOUR.SERVER.URL>:631, and then just simply check the certificate within your browser.
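The browser check described above can be scripted. The following is an added example, not part of the bug report or of UCS: it labels each certificate file in /etc/cups/ssl by whether it resolves into /etc/univention/ssl, then compares the certificate served on port 631 with the host's UCS certificate. The function names are hypothetical, and the cert.pem path pattern is taken from the directory listing in the description.

```python
import base64
import hashlib
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in pem_text.

    Text in front of the PEM block (for example a human-readable dump)
    is ignored, so a file copy and a wire copy compare equal.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def classify_cert_files(cups_dir, ucs_dir):
    """Label each *.crt in cups_dir: 'ucs' if it resolves (through
    symlinks) to a file below ucs_dir, otherwise 'other'."""
    ucs_root = os.path.realpath(ucs_dir)
    labels = {}
    for name in sorted(os.listdir(cups_dir)):
        if name.endswith(".crt"):
            target = os.path.realpath(os.path.join(cups_dir, name))
            inside = os.path.commonpath([ucs_root, target]) == ucs_root
            labels[name] = "ucs" if inside else "other"
    return labels


def served_cert_is_ucs(host, ucs_cert_path, port=631):
    """True if the certificate served on host:port is byte-identical to
    the one stored at ucs_cert_path. No trust validation is performed."""
    served = ssl.get_server_certificate((host, port))
    with open(ucs_cert_path, encoding="utf-8", errors="replace") as handle:
        return fingerprint(served) == fingerprint(handle.read())


if __name__ == "__main__":
    fqdn = sys.argv[1]  # assumption: the print server's FQDN, e.g. example1.example.net
    print(classify_cert_files("/etc/cups/ssl", "/etc/univention/ssl"))
    ok = served_cert_is_ucs(fqdn, f"/etc/univention/ssl/{fqdn}/cert.pem")
    print("UCS certificate served" if ok else "different certificate served")
    sys.exit(0 if ok else 1)
```

Run it on the print server with the host's FQDN as the only argument; exit status 1 means CUPS is serving a certificate other than the UCS one.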
Comment 1 Arvid Requate univentionstaff 2023-06-13 18:07:34 CEST
Patch proposal from last Hackathon:
* https://git.knut.univention.de/univention/ucs/-/commit/f23f78a8d270242a7e6e91ac45755aeeeae33f55
Comment 2 Florian Best univentionstaff 2023-06-13 18:16:41 CEST
(In reply to Arvid Requate from comment #1)
> Patch proposal from last Hackathon:
> * https://git.knut.univention.de/univention/ucs/-/commit/f23f78a8d270242a7e6e91ac45755aeeeae33f55
→ which is part of branch arequate/ipp-everywhere and since rebase it's f23f78a8d270242a7e6e91ac45755aeeeae33f55
Comment 3 Mirac Erdemiroglu univentionstaff 2024-07-01 16:48:45 CEST
Customer affected 2024062821000077
Comment 5 Jan-Luca Kiok univentionstaff 2024-07-15 13:33:23 CEST
Work on this has been started and reviewed, but since this is a potentially backwards-incompatible change we decided to release it with the next patchlevel release 5.0-9 in September and not as an erratum to not break anything (especially regarding driverless printing / IPP).
Comment 7 Julia Bremer univentionstaff 2024-09-16 14:22:42 CEST
OK: merged to 5.0-9
OK: built
OK: ucs certificate is used
OK: certificate is valid from the UCS host