Univention Bugzilla – Bug 53296
UMC in Portal does not work with "apache2/force_https: yes"
Last modified: 2022-01-20 18:08:54 CET
UMC in Portal relies on an HTTP request against UMC. But apache2/force_https: yes redirects a call against http://127.0.0.1/univention/get/modules to https://127.0.0.1/univention/get/modules, which then in turn leads to:

23968 umc 21-05-20 17:10:15 [ WARNING]: Exception while getting modules: HTTPSConnectionPool(host='10.200.23.240', port=443): Max retries exceeded with url: /univention/get/modules (Caused by SSLError(SSLCertVerificationError("hostname '10.200.23.240' doesn't match either of 'primary.intranet.univention.de', 'primary'")))

Result: UMC does not show up at all. As if "ShowUMC" was not set in this portal.
/univention/umc/ does not work at all (empty)
/univention/management/ works...
Fix would be: ucr set apache2/force_https/exclude/request_uri/univention-portal=/univention/get
Customer reported that problem during another debug session. Ticket number is attached. If the correction is the ucr, why don't we publish that?
Created attachment 10893 certificate file in .pem format that includes subjectAltNames (DNS and IP)
During the certificate creation process, this could be an example of a solution using openssl with Subject Alternative Name:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.pem \
  -subj "/CN=ucs-1428.igs-ldap.intranet" \
  -addext "subjectAltName=DNS:ucs-1428.igs-ldap.intranet,DNS:ucs-1428,IP:10.200.88.2,IP:127.0.0.1,DNS:localhost"
Generating a RSA private key
....................................................................................++++
................................++++
writing new private key to 'example.key'
-----

(This keypair should be signed by CA -CA ca-cert.pem -CAkey ca-key.pem).
(In reply to fonsi from comment #9)
> During certificate creation process, this could be an example of solution
> using openssl with subject Alternative Name using openssl:
>
> openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout
> example.key -out example.pem -subj "/CN=ucs-1428.igs-ldap.intranet"
> -addext
> "subjectAltName=DNS:ucs-1428.igs-ldap.intranet,DNS:ucs-1428,IP:10.200.88.2,
> IP:127.0.0.1,DNS:localhost"
> Generating a RSA private key
> .............................................................................
> .......++++
> ................................++++
> writing new private key to 'example.key'
> -----
>
> (This keypair should be signed by CA -CA ca-cert.pem -CAkey ca-key.pem).

The installation process, it seems, uses the following bash script:
/ucs/base/univention-ssl/make-certificates.sh
that invokes extensions on:
_common_gen_cert () {

And we should include new extensions to:
/ucs/base/univention-ssl/extensions-example.sh

cat extensions-example.sh | grep -A3 alt
# alternative name
subjectAltName = DNS:$fqdn, DNS:$hostname
EOF

such as the local machine IP, localhost or 127.0.0.1
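Added example, not part of the bug thread or of Univention's code: the name check behind the SSLCertVerificationError in the description, written out in Python to show why an IP address never matches DNS-only subjectAltName entries and what the IP entries proposed in comment #9 change. The function names are hypothetical, and the SAN lists are constructed from the names quoted on this page, in the (type, value) shape that ssl.SSLSocket.getpeercert() returns.

```python
import ipaddress
from urllib.parse import urlsplit

# SAN lists as (type, value) pairs, the shape ssl.SSLSocket.getpeercert() uses.
# Constructed from the names quoted on this page (assumed sample data).
UCS_DEFAULT_SANS = [("DNS", "primary.intranet.univention.de"), ("DNS", "primary")]
COMMENT9_SANS = [
    ("DNS", "ucs-1428.igs-ldap.intranet"), ("DNS", "ucs-1428"),
    ("IP Address", "10.200.88.2"), ("IP Address", "127.0.0.1"),
    ("DNS", "localhost"),
]


def dns_match(pattern, host):
    """Compare one dNSName entry with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(target, sans):
    """True if the certificate's SAN list is valid for `target`."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # IP literals match only iPAddress entries, never dNSName ones.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, target):
            return True
    return False


def url_covered(url, sans):
    """Apply the check to the host part of a URL, e.g. a redirect target."""
    return san_covers(urlsplit(url).hostname, sans)


if __name__ == "__main__":
    for url in ("https://10.200.23.240/univention/get/modules",
                "https://primary.intranet.univention.de/univention/get/modules"):
        print(url, url_covered(url, UCS_DEFAULT_SANS))
    print("https://127.0.0.1/univention/get/modules",
          url_covered("https://127.0.0.1/univention/get/modules", COMMENT9_SANS))
```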
Approved solution for the bug:
ucr set apache2/force_https/exclude/request_uri/univention-portal=/univention/get

Approved solution for SSLCertVerificationError error:
https://git.knut.univention.de/univention/ucs/-/merge_requests/225
The implemented solution configures the univention portal post-installation to allow HTTP requests to the path /univention/get for the univention-portal-managment when the UCR field apache2/force_https is set to yes.

The build process of univention-portal should be done with npm version 8.1.3.

And the commit changes list:
d84c557ce0 Bug #53296: update YAML for univention-portal
50883c2236 Bug #53296 npm version fixed to 8.1.3 due to error when trying to build with latest version.
aa9a514d0b Bug #53296: update univention-portal postinst

(Additional commits have been made)
458366d9e5 Bug #53296: update errate YAML fix version
a46078c673 Bug #53296: update question mark instead of equal when exclusion https is setting

OK: Portal tiles are shown again
OK: UCR is not overwritten if already set
OK: YAML (there was a leftover whitespace at the end of the version number, which I'll fix before releasing)

Verified
<https://errata.software-univention.de/#/?erratum=5.0x191>
*** Bug 54245 has been marked as a duplicate of this bug. ***