Bug 52879 - cups uses self signed certificate instead of ucs-ca-signed certificate
Status: NEW
Product: UCS
Classification: Unclassified
Component: Printserver
Version: UCS 4.4
Hardware: Other All
Importance: P5 normal
Assigned To: UCS maintainers
QA Contact: UCS maintainers
URL: https://help.univention.com/t/cups-us...
Depends on: 13583
Reported: 2021-03-09 11:27 CET by Daniel Duchon
Modified: 2023-06-13 18:16 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2021030921000293
requate: Patch_Available+
Description Daniel Duchon univentionstaff 2021-03-09 11:27:25 CET
In a default installation, CUPS does not use the provided ucs-ca signed certificate, but generates its own new one.

Sample output of /etc/cups/ssl:
example1.example.net.crt
example1.example.net.key
server.crt -> /etc/univention/ssl/example1.example.net/cert.pem
server.key -> /etc/univention/ssl/example1.example.net/private.key

It seems that we basically want to use the ucs-certificate, but a suitable configuration parameter is still missing.

You can reproduce this by installing a default cups-setup (univention-app install cups), then open https://<YOUR.SERVER.URL>:631, and then just simply check the certificate within your browser.
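
The browser check from the reproduction step can be scripted. The following is an added example, not part of the bug report or of UCS: it compares the issuer and subject names of a certificate, such as the one served on port 631. It compares names only and does not verify the signature; all function names are this example's own, and `sample_pem` builds constructed, unsigned test data.

```python
import base64
import ssl

def tlv(buf, pos):
    """Decode one DER element at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(pem):
    """Return the raw DER issuer and subject Names of a PEM certificate."""
    lines = (line.strip() for line in pem.splitlines())
    d = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    pos = tlv(d, 0)[1]    # step into Certificate ::= SEQUENCE
    pos = tlv(d, pos)[1]  # step into TBSCertificate ::= SEQUENCE
    if d[pos] == 0xA0:    # skip the optional [0] version
        pos = tlv(d, pos)[2]
    fields = []
    for _ in range(5):    # serialNumber, signature, issuer, validity, subject
        end = tlv(d, pos)[2]
        fields.append(d[pos:end])
        pos = end
    return fields[2], fields[4]

def is_self_issued(pem):
    """True when issuer == subject (names only; the signature is not verified)."""
    issuer, subject = issuer_and_subject(pem)
    return issuer == subject

def served_cert_is_self_issued(host, port=631):
    """Fetch the certificate served on the CUPS port, without chain validation."""
    return is_self_issued(ssl.get_server_certificate((host, port)))

def der(tag, body):  # DER encoder, used only to build the constructed samples
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def sample_pem(issuer_cn, subject_cn):
    """Certificate-shaped PEM with empty key and signature (constructed data)."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"
```

Against a live print server, `served_cert_is_self_issued("<YOUR.SERVER.URL>")` returns `True` when the served certificate names itself as issuer, which is the behaviour this bug describes.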
Comment 1 Arvid Requate univentionstaff 2023-06-13 18:07:34 CEST
Patch proposal from last Hackathon:
* https://git.knut.univention.de/univention/ucs/-/commit/f23f78a8d270242a7e6e91ac45755aeeeae33f55
Comment 2 Florian Best univentionstaff 2023-06-13 18:16:41 CEST
(In reply to Arvid Requate from comment #1)
> Patch proposal from last Hackathon:
> * https://git.knut.univention.de/univention/ucs/-/commit/f23f78a8d270242a7e6e91ac45755aeeeae33f55
→ which is part of branch arequate/ipp-everywhere and since rebase it's f23f78a8d270242a7e6e91ac45755aeeeae33f55