Bug 53751 - univention-spamassassin fails to install - sa-update not run - breaks USS
Status: RESOLVED FIXED
Product: UCS
Classification: Unclassified
Component: Spamassassin
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.x
Assigned To: Philipp Hahn
QA Contact: Mail maintainers
Duplicates: 54194
Depends on: 36607 47030
Blocks:
 
Reported: 2021-09-06 13:52 CEST by Philipp Hahn
Modified: 2023-03-18 15:56 CET

What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Description Philipp Hahn univentionstaff 2021-09-06 13:52:07 CEST
+++ This bug was initially created as a clone of Bug #36607 +++

<https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-8/job/AutotestUpgrade/SambaVersion=s4,Systemrolle=master-part-II/145/> failed to set up "univention-spamassassin" during USS:

> Setting up univention-spamassassin (9.0.0-6A~4.3.0.201803091404) ...
> Updating spamassassin rules...
> Cannot open file /var/lib/spamassassin/3.004002/updates_spamassassin_org/1892846.tar.gz: No such file or directory at /usr/bin/sa-update line 1600.

"/etc/cron.daily/spamassassin" was only run much later at 06:42, which then pulled the initial rule set fine. Afterwards "systemctl restart spamassassin" worked fine.


dig 2.4.3.updates.spamassassin.org txt
> 2.4.3.updates.spamassassin.org. 1516 IN CNAME   3.3.3.updates.spamassassin.org.
> 3.3.3.updates.spamassassin.org. 14 IN   TXT     "1892922"

curl -I http://sa-update.spamassassin.org/1892846.tar.gz
> HTTP/1.1 200 OK

sa-update -vv -D channel,gpg,http
…

I have not seen any use of the IPv4-LL 169.254.0.0/16 address in any log file.
Comment 1 Philipp Hahn univentionstaff 2023-02-02 19:22:28 CET
The last version of `sa-update` in UCS 4.4-x is `3.4.2-1~deb9u4` and has a known issue:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922499
 https://errata.software-univention.de/#/?version=4.4-x&package=spamassassin
 https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/spamassassin/?since=4.4-0

Instead of shipping an old version of the rules (1892922) via `utils.sh`, which then needs to be updated on a regular basis (1907102), fix the underlying problem, which is TLS related: the TLS certificate for `*.apache.org` is from Let's Encrypt, which switched its root CA in 2021: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

# sa-update -vv
DNS TXT query: 2.4.3.updates.spamassassin.org -> 1907182
Update available for channel updates.spamassassin.org: -1 -> 1907182
DNS TXT query: mirrors.updates.spamassassin.org -> https://spamassassin.apache.org/updates/MIRRORED.BY, http://sa-update.spamassassin.org/MIRRORED.BY
fetching https://spamassassin.apache.org/updates/MIRRORED.BY
http: (curl) GET https://spamassassin.apache.org/updates/MIRRORED.BY, FAILED, status: exit 60

# curl -I https://spamassassin.apache.org/updates/MIRRORED.BY
curl: (60) SSL certificate problem: certificate has expired

spamassassin.apache.org is backed by Fastly, and SNI must be used to get the right certificate:

# openssl s_client -showcerts -servername spamassassin.apache.org -connect spamassassin.apache.org:443 </dev/null > /tmp/cert
# csplit /tmp/cert '/-----END CERTIFICATE-----/+1' '{*}'
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx00
subject=CN = *.apache.org
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Dec 14 18:46:30 2022 GMT
notAfter=Mar 14 18:46:29 2023 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx01
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notBefore=Sep  4 00:00:00 2020 GMT
notAfter=Sep 15 16:00:00 2025 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in xx02
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
# openssl x509 -noout -subject -issuer -startdate -enddate -in /etc/ssl/certs/2e5ac55d.0
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT

The VM is using the old *expired* chain rooted at the now expired 'DST X3' root CA.
Actually `cURL` should already end the validation at `ISRG Root X1`, which is already a trusted root CA, but the version in UCS-4.3 is too old:
# openssl x509 -noout -subject -issuer -startdate -enddate -in /etc/ssl/certs/ISRG_Root_X1.pem
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notBefore=Jun  4 11:04:38 2015 GMT
notAfter=Jun  4 11:04:38 2035 GMT

[phahn/53751-spamassassin] 3c6e50adf5 test(spamassassin): better sa-update handling
 test/product-tests/component/dcd_all_roles.cfg                               | 14 --------------
 test/product-tests/component/dcd_redis_primary_change.cfg                    |  5 -----
 test/scenarios/app-testing/autotest-104-app-slave-no-samba.cfg               |  5 -----
 test/scenarios/app-testing/autotest-105-app-slave-s4.cfg                     |  5 -----
 test/scenarios/app-testing/autotest-114-release-appupdate-slave-no-samba.cfg |  5 -----
 test/scenarios/app-testing/autotest-115-release-appupdate-slave-s4.cfg       |  5 -----
 test/scenarios/app-testing/autotest-124-appupdate-slave-no-samba.cfg         |  5 -----
 test/scenarios/app-testing/autotest-125-appupdate-slave-s4.cfg               |  5 -----
 test/scenarios/autotest-070-update-master-no-samba.cfg                       |  5 -----
 test/scenarios/autotest-070-update-master-part-II-no-samba.cfg               |  5 -----
 ...
 23 files changed, 15 insertions(+), 133 deletions(-)

[phahn/53751-spamassassin] a456ca1a8c style(utils): shellcheck
 test/utils/utils.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
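The chain analysis in the comment above comes down to lookup order: a client that follows the server-supplied chain to its end reaches the cross-signed `ISRG Root X1` and then the expired `DST Root CA X3`, while a client that consults its trust store at every step stops at the self-signed `ISRG Root X1` it already trusts. The following model is an added example, not code from this bug, from OpenSSL or from cURL. The certificate records are constructed from the subject, issuer and validity lines quoted in the comment; they are plain Python objects, no DER is parsed and no signature is checked. `trusted_first=False` models the legacy lookup order (server chain first, trust store only when that runs out); `trusted_first=True` models the trust-store-first order that newer OpenSSL releases use by default. The function and constant names are this example's own.

```python
"""Model of X.509 path building for the spamassassin.apache.org chain.

Added example (not from the bug, OpenSSL or cURL).  Certificate data is
constructed from the openssl x509 output quoted in the bug; records are
plain tuples, no signatures or extensions are checked.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def utc(y, m, d, hh=0, mm=0, ss=0) -> datetime:
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


# Chain as sent by the server (leaf first), from the bug's openssl output.
LEAF = Cert("CN=*.apache.org", "CN=R3",
            utc(2022, 12, 14, 18, 46, 30), utc(2023, 3, 14, 18, 46, 29))
R3 = Cert("CN=R3", "CN=ISRG Root X1",
          utc(2020, 9, 4), utc(2025, 9, 15, 16))
# Cross-signed copy of ISRG Root X1, issued by DST Root CA X3.
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3",
                     utc(2021, 1, 20, 19, 14, 3), utc(2024, 9, 30, 18, 14, 3))
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Self-signed roots in the client's trust store (/etc/ssl/certs in the bug).
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3",
              utc(2000, 9, 30, 21, 12, 19), utc(2021, 9, 30, 14, 1, 15))
ISRG_X1_SELF = Cert("CN=ISRG Root X1", "CN=ISRG Root X1",
                    utc(2015, 6, 4, 11, 4, 38), utc(2035, 6, 4, 11, 4, 38))
TRUST_STORE = [DST_X3, ISRG_X1_SELF]


def build_path(chain, trust_store, now, trusted_first):
    """Walk from the leaf towards a trust anchor.

    Returns (ok, subjects_on_path, reason).  At each step the issuer of the
    current certificate is looked up by subject, either in the trust store
    first or in the server-supplied chain first, depending on trusted_first.
    Every certificate on the path, the anchor included, must be valid at now.
    """
    untrusted = {c.subject: c for c in chain[1:]}
    trusted = {c.subject: c for c in trust_store}
    order = (trusted, untrusted) if trusted_first else (untrusted, trusted)
    path = [chain[0]]
    while True:
        cur = path[-1]
        subjects = [c.subject for c in path]
        if not cur.valid_at(now):
            return False, subjects, f"{cur.subject} not valid at {now:%Y-%m-%d}"
        if cur in trust_store:
            return True, subjects, f"anchored at {cur.subject}"
        if cur.is_self_signed():
            return False, subjects, f"self-signed {cur.subject} is not trusted"
        nxt = next((t[cur.issuer] for t in order if cur.issuer in t), None)
        if nxt is None or nxt in path:
            return False, subjects, f"no issuer found for {cur.subject}"
        path.append(nxt)


def compare(now):
    """Run both lookup orders against the same chain and trust store."""
    return {
        "legacy": build_path(SERVER_CHAIN, TRUST_STORE, now, trusted_first=False),
        "trusted-first": build_path(SERVER_CHAIN, TRUST_STORE, now, trusted_first=True),
    }


if __name__ == "__main__":
    # Date of the comment in the bug: leaf and intermediates still valid.
    for mode, (ok, subjects, reason) in compare(utc(2023, 2, 2)).items():
        print(f"{mode:13s} ok={ok} path={' -> '.join(subjects)} ({reason})")
```

Run on the comment's date the legacy order ends at `CN=DST Root CA X3` and fails on its expiry, while the trusted-first order ends at the self-signed `CN=ISRG Root X1` and succeeds, which is the difference the comment attributes to the old OpenSSL in UCS 4.3/4.4. The model deliberately omits the alternative-chain fallbacks some OpenSSL releases add, so it explains the observed failure rather than predicting every client's behaviour.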
Comment 2 Philipp Hahn univentionstaff 2023-03-17 09:04:59 CET
*** Bug 54194 has been marked as a duplicate of this bug. ***
Comment 3 Philipp Hahn univentionstaff 2023-03-17 16:45:25 CET
The test was still failing because of multiple issues:
1. Root CA "DST X3" for https://spamassassin.apache.org/ expired
2. PGP key of `sa-update` expired.
3. Wrong file system permissions
4. Bug in "spamassassin.postinst configure" restarting `spamassassin.service` during update from 4.4-9 to 5.0-0 despite `deb-systemd-helper was-enabled spamassassin.service`

[5.0-3] c862e676da fix(test/update-from-2.4): SA update v3
 test/utils/utils.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-3] 3550362c8a fix(test/update-from-2.4): SA update v2
 test/utils/utils.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

[5.0-3] 07151fe536 fix(test/update-from-2.4): SA update
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg | 3 ++-
 test/scenarios/update-testing/update-from-4.2-4.cfg           | 2 +-
 test/utils/utils.sh                                           | 5 -----
 3 files changed, 3 insertions(+), 7 deletions(-)

[5.0-3] 0a8476115f refactor(test/scenarios/update): code cleanup
 test/scenarios/appliance-testing/app-appliance-errata-test.cfg  |  3 +-
 test/scenarios/update-testing/update-from-1.2-backup2master.cfg |  1 -
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg   | 54 ++++++++++++-----------------
 test/scenarios/update-testing/update-from-4.2-4.cfg             |  1 -
 test/utils/utils.sh                                             |  8 ++---
 5 files changed, 28 insertions(+), 39 deletions(-)