Bug 53963 - Veyon certificate has the same name on each schoolslave
Veyon certificate has the same name on each schoolslave
Product: UCS@school
Classification: Unclassified
Component: Veyon
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v9-errata
Assigned To: Daniel Tröder
Ole Schwiegert
Depends on:
  Show dependency treegraph
Reported: 2021-10-20 11:43 CEST by Christina Scheinig
Modified: 2021-10-25 14:20 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021101121000301
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2021-10-20 11:43:11 CEST
If the certificate has always the same name (veyon-cert.pem) on the school slave, and the certificate is stored in the sysvol directory, it is overwritten by a newer slave installations certificate.

Afaik the default of sysvol replication is to replicate to all slaves and back to master.

The school manual says to use the certificate from sysvol.

With italk, the certificate was individualized:
-r--r--r--  1 root          root            590 Mär 31  2021 italc-key.pub
lrwxrwxrwx  1 root          root             13 Mär 31  2021 italc-key.pub.key.txt -> italc-key.pub
-r--r--r--  1 root          root            590 Mär 31  2021 italc-key_slave-02.pub
lrwxrwxrwx  1 root          root             22 Mär 31  2021 italc-key_slave-02.pub.key.txt -> italc-key_slave-02.pub
-rw-r--r--  1 root          root            800 Apr 27 17:03 veyon-cert.pem
Comment 1 Christina Scheinig univentionstaff 2021-10-21 09:42:42 CEST
The impact is, that veyon is not usable. You may install the certificate from the netlogon path, but this seems not to be the solution or workaround for all environments, if the netlogon is linked to the sysvol (ucrv samba/share/netlogon/path)
Comment 2 Daniel Tröder univentionstaff 2021-10-21 17:23:21 CEST
Fixed in:

[4.4 888cd24ee] Bug #53963: add hostname to veyon certificate file name
[4.4 e7ac4a9d6] Bug #53963: advisory update

ucs-school-veyon-windows (

[5.0 dc946f6aa] Bug #53963: add hostname to veyon certificate file name

ucs-school-veyon-windows (


The raised join script version will result in new certificate files.

ls -1 /var/lib/samba/sysvol/uni.dtr/scripts/veyon* /var/lib/samba/netlogon/veyon/veyon-cert*


After update (and u..-run-join-s..):

# ls -1 /var/lib/samba/sysvol/uni.dtr/scripts/veyon* /var/lib/samba/netlogon/veyon/veyon-cert*

Comment 4 Ole Schwiegert univentionstaff 2021-10-25 10:01:25 CEST
Looks good to me in 4.4 and 5.0

Old cert still exists
New certs are created
Comment 5 Tobias Wenzel univentionstaff 2021-10-25 14:20:25 CEST
Errata updates for UCS@school 4.4 v9 have been released.


If this error occurs again, please clone this bug.