Univention Bugzilla – Bug 53013
Update fails with old certificate infrastructure (SSL routines:SSL_CTX_use_certificate:ee key too small)
Last modified: 2023-01-25 15:32:46 CET
Updated an old system, the update fails and slapd can not start

-> slapd -d -1 ...
TLS: could not use certificate `/etc/univention/ssl/master.old.test/cert.pem'.
TLS: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small ../ssl/ssl_rsa.c:310
6062fb02 main: TLS init def ctx failed: -1
6062fb02 slapd destroy: freeing system resources.
6062fb02 OVER: db_destroy
6062fb02 slapd stopped.
6062fb02 connections_destroy: nothing to destroy.

-> openssl x509 -in /etc/univention/ssl/master.old.test/cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = de, ST = bremen, L = bremen, O = univention, OU = edv, CN = Univention Corporate Server Root CA, emailAddress = ssl@old.test
        Validity
            Not Before: Mar 22 09:21:48 2021 GMT
            Not After : Mar 21 09:21:48 2026 GMT
        Subject: C = de, ST = bremen, L = bremen, O = univention, OU = edv, CN = master.old.test, emailAddress = ssl@old.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
This is because of weak keys, am I right? Then we should add a check in the preup.sh and force users to update their PKI.
We probably have the same problem with keys generated for the UCS mail server (dovecot).
Just a quick note: https://help.univention.com/t/renewing-the-ssl-certificates/37 does not help in this situation as it only "renews" the certificate, not the key. I had to run "univention-certificate new -name master.old.test" in order to be able to update (see test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg).
(In reply to Florian Best from comment #3)
> We probably have the same problem with keys generated for the UCS mail
> server (dovecot).

and apache /var/log/apache2/error.log:

[Fri Apr 09 12:57:08.936573 2021] [ssl:emerg] [pid 21690] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
AH00016: Configuration Failed
[Fri Apr 09 13:04:41.567990 2021] [ssl:emerg] [pid 24466] AH02562: Failed to configure certificate ucs-sso.old.test:443:0 (with chain), check /etc/univention/ssl/ucs-sso.old.test/cert.pem
[Fri Apr 09 13:04:41.568371 2021] [ssl:emerg] [pid 24466] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
AH00016: Configuration Failed
[Fri Apr 09 13:05:32.953451 2021] [ssl:emerg] [pid 1795] AH02562: Failed to configure certificate ucs-sso.old.test:443:0 (with chain), check /etc/univention/ssl/ucs-sso.old.test/cert.pem
[Fri Apr 09 13:05:32.955336 2021] [ssl:emerg] [pid 1795] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
AH00016: Configuration Failed
[Fri Apr 09 13:05:38.314586 2021] [ssl:emerg] [pid 2187] AH02562: Failed to configure certificate ucs-sso.old.test:443:0 (with chain), check /etc/univention/ssl/ucs-sso.old.test/cert.pem
[Fri Apr 09 13:05:38.314647 2021] [ssl:emerg] [pid 2187] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
AH00016: Configuration Failed
[5.0-0 7fb09df237] Bug #53013: check tls public key size

For testing:
lower the key size: "ucr set ssl/default/bits=1024"
recreate the cert: "univention-certificate new -name $fqdn"
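The kind of pre-update check the commit above refers to, as an added example that is neither UCS code nor the referenced commit: a POSIX shell script that rejects a certificate when its RSA end-entity key is below 2048 bit ("ee key too small") or its signature digest is MD5 or SHA-1 ("ca md too weak"). The 2048-bit threshold (OpenSSL's default security level) and the /etc/univention/ssl/<name>/cert.pem layout are assumptions taken from the output in this bug.

```shell
#!/bin/sh
# Added example, not part of UCS or its preup.sh. Requires the openssl CLI.
# Assumption: 2048 bit is the minimum RSA size accepted at OpenSSL's default
# security level; the UCS default for ssl/default/bits is not stated in this bug.
MIN_RSA_BITS=2048

# check_cert FILE: print one verdict line; return 0 if acceptable, 1 otherwise.
check_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL $cert: not a readable X.509 certificate"; return 1; }
    # Key algorithm, key size and signature algorithm as printed by openssl x509 -text
    # ("RSA Public-Key: (1024 bit)" on OpenSSL 1.1, "Public-Key: (1024 bit)" on 3.x).
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    status=0
    case "$sig" in
        md5*|sha1*|*MD5*|*SHA1*)
            echo "FAIL $cert: signature digest '$sig' is too weak (ca md too weak)"; status=1 ;;
    esac
    # Only RSA keys get the bit-length rule; EC keys are legitimately much shorter.
    if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL $cert: RSA key is ${bits:-?} bit, need >= $MIN_RSA_BITS (ee key too small)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK   $cert: $alg ${bits:-?} bit, $sig"
    return "$status"
}

# check_dir DIR: check every DIR/<name>/cert.pem (the layout seen in this bug);
# return the number of rejected certificates, so 0 means the update may proceed.
check_dir() {
    bad=0
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue
        check_cert "$cert" || bad=$((bad + 1))
    done
    if [ "$bad" -gt 0 ]; then
        echo "$bad certificate(s) must be recreated, e.g. univention-certificate new -name <fqdn>"
    fi
    return "$bad"
}

# Usage: sh check_certs.sh /etc/univention/ssl   (non-zero exit should abort the update)
if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```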
Update with weak cert is stopped: OK
Wording and explanation of what to do to continue: OK
Updating after following instructions: OK

Verified
Question: does the fix also work for systems which overwrote the UCR variables for the apache2, dovecot, etc. certificates?
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".