Bug 54932 - /etc/cron.daily/univention-ssl exited with return code 2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-9-errata
Assigned To: Philipp Hahn
QA Contact: UCS maintainers
URL: https://help.univention.com/t/openvpn...
Depends on: 47896
Blocks: 55030
Reported: 2022-07-04 16:36 CEST by Daniel Duchon
Modified: 2022-07-28 09:11 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022070421000275, 2022070521000335
Bug group (optional): bitesize, External feedback
Max CVSS v3 score:
hahn: Patch_Available+


Description Daniel Duchon univentionstaff 2022-07-04 16:36:04 CEST
This seems to be a regression.

After updating univention-ssl to version 14.0.2-3A~5.0.0.202206071244, every nightly job creates an e-mail with the following content:

<CONTENT>

"run-parts: /etc/cron.daily/univention-ssl exited with return code 2"

</CONTENT>


Additional environment information:

~# univention-app info
UCS: 5.0-1 errata342

~# apt info univention-ssl
Package: univention-ssl
Version: 14.0.2-3A~5.0.0.202206071244
Priority: optional
Section: univention
Maintainer: Univention GmbH <packages@univention.de>
Installed-Size: 96,3 kB
Depends: openssl, python3-m2crypto, python3-univention-lib, shell-univention-lib (>= 3.0.1-1), univention-directory-listener, univention-ssh, univention-config (>= 7.0.25)
Recommends: rdate
Download-Size: 23,0 kB
APT-Manual-Installed: no
APT-Sources: https://updates.software-univention.de errata501/main amd64 Packages


~# sh /etc/cron.daily/univention-ssl || echo "$?"
2
~# bash /etc/cron.daily/univention-ssl && echo "$?"
0





+++ This bug was initially created as a clone of Bug #47896 +++

Users report about an error level from univention-ssl.

Doing some investigation I got the following debug output:

+ . /usr/share/univention-lib/ucr.sh
+ is_ucr_false ssl/validity/check
+ local value
+ /usr/sbin/univention-config-registry get ssl/validity/check
+ value=yes
+ tr [:upper:] [:lower:]
+ echo -n yes
+ return 1
+ univention-certificate-check-validity
+ check_gen_crl
+ local interval crl=/etc/univention/ssl/ucsCA/crl/crl.pem
+ ucr get server/role
+ [ domaincontroller_master = domaincontroller_master ]
+ ucr get ssl/crl/interval
+ interval=7
+ [ 7 -ge 1 ]
+ [ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]
+ find /etc/univention/ssl/ucsCA/crl/crl.pem -mtime -7
+ [ -n  ]
+ . /usr/share/univention-ssl/make-certificates.sh
+ SSLBASE=/etc/univention/ssl
+ CA=ucsCA
+ /usr/sbin/univention-config-registry get ssl/crl/validity
+ DEFAULT_CRL_DAYS=10
+ : 10
+ /usr/sbin/univention-config-registry get ssl/default/days
+ DEFAULT_DAYS=1825
+ : 1825
+ /usr/sbin/univention-config-registry get ssl/default/hashfunction
+ DEFAULT_MD=sha256
+ : sha256
+ /usr/sbin/univention-config-registry get ssl/default/bits
+ DEFAULT_BITS=2048
+ : 2048
+ export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+ test -e /etc/univention/ssl/password
+ cat /etc/univention/ssl/password
+ PASSWD=M7NBxxxxx2tZ0aprRdJ3
/etc/cron.daily/univention-ssl: 438: /usr/share/univention-ssl/make-certificates.sh: Syntax error: redirection unexpected
Comment 1 Thomas 2022-07-18 09:50:21 CEST
I've been facing the same issue for a couple of weeks, but on UCS 4.4.

univention-app info:

univention-app info
UCS: 4.4-9 errata1272
Installed: adconnector=12.0 fetchmail=6.3.26 kde=5.8 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 letsencrypt=1.2.2-20 samba-memberserver=4.7 z-push-kopano=2.6.2-1
Upgradable:
Comment 2 riess82 2022-07-18 09:59:22 CEST
Same here:
univention-app info
UCS: 5.0-2 errata352
Installed: letsencrypt=2.0.0-2 samba4=4.16
Upgradable:
Comment 3 Philipp Hahn univentionstaff 2022-07-18 10:29:17 CEST
Fix for both 4.4-9 and 5.0-x:
  sudo sed -e '1s,/bin/sh,/bin/bash,' -i /etc/cron.daily/univention-ssl

The source of that file is git:base/univention-ssl/debian/univention-ssl.cron.daily
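
The failure mode behind this bug, as an added example that is not part of the comment above or of Univention's code: a job whose shebang is /bin/sh sources a library containing a redirection that only bash parses. The function names, fixture paths and the here-string are constructed; the page does not show which construct sits at line 438 of make-certificates.sh.

```shell
# Added example, not Univention code. All paths below are constructed fixtures.

# Interpreter named on line 1 of a script, e.g. /bin/sh.
shebang_of() {
    sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Absolute paths a script sources with ". /path", one per line.
sourced_files() {
    sed -n 's|^[[:space:]]*\.[[:space:]]\{1,\}\(/[^[:space:];]*\).*|\1|p' "$1"
}

# Heuristic: print "file:line:text" for here-strings (<<<) and process
# substitution, <(...) or >(...), which a POSIX sh such as dash rejects.
bash_redirections() {
    grep -nE '<<<|[<>]\(' "$1" /dev/null
}

# check_script SCRIPT [ROOT]: return 1 and list findings when SCRIPT runs under
# sh and sources a file using bash-only redirections. ROOT prefixes the sourced
# paths so fixtures can live outside the real filesystem root.
check_script() {
    script=$1
    root=${2:-}
    case $(shebang_of "$script") in
        */sh|*/dash) ;;   # sourced files are parsed by the same POSIX shell
        *) return 0 ;;    # bash and others: nothing to flag here
    esac
    status=0
    for f in $(sourced_files "$script"); do
        [ -f "$root$f" ] || continue
        if bash_redirections "$root$f"; then status=1; fi
    done
    return "$status"
}

# Constructed fixture: a cron job with shebang $1 that sources a library
# containing a here-string.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/share/demo"
    printf '%s\n' 'read -r first <<< "$PASSWD"' > "$d/usr/share/demo/lib.sh"
    printf '%s\n' "#!$1" '. /usr/share/demo/lib.sh' > "$d/cron-demo"
    echo "$d"
}

d=$(make_fixture /bin/sh)
check_script "$d/cron-demo" "$d" || echo "FAIL: sh job sources bash-only syntax"
rm -rf "$d"
```

ShellCheck covers the same class of problem more thoroughly when the sourced file is checked with --shell=sh.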
Comment 4 Philipp Hahn univentionstaff 2022-07-18 11:30:16 CEST
Fixing it for 4.4-9 first as there are currently other changes pending for 5.0-2

[4.4-9] c57c5eeb83 Bug #54932: univention-ssl 13.0.0-9A~4.4.0.202207181119
 doc/errata/staging/univention-ssl.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[4.4-9] 727e382085 test[ssl]: shellcheck
 base/univention-ssl/debian/univention-ssl.cron.daily |  7 ++++++-
 base/univention-ssl/debian/univention-ssl.postinst   |  9 ++++++---
 base/univention-ssl/extensions-example.sh            |  4 +++-
 base/univention-ssl/make-certificates.sh             | 11 ++++++++---
 base/univention-ssl/ssl-sync                         |  5 ++---
 base/univention-ssl/tests/common.sh                  | 26 ++++++++++++++++++++++----
 base/univention-ssl/tests/test_defaults              |  3 ++-
 base/univention-ssl/tests/test_host_expired          |  7 ++++---
 base/univention-ssl/tests/test_host_fqdn             |  7 ++++---
 base/univention-ssl/tests/test_host_hook             |  3 ++-
 ...
 23 files changed, 128 insertions(+), 62 deletions(-)

[4.4-9] a661c72fbb fix[ssl]: Source make-certificates.sh with bash
 base/univention-ssl/debian/changelog                 |  6 ++++++
 base/univention-ssl/debian/univention-ssl.cron.daily |  2 +-
 doc/errata/staging/univention-ssl.yaml               | 10 ++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

Package: univention-ssl
Version: 13.0.0-9A~4.4.0.202207181119
Branch: ucs_4.4-0
Scope: errata4.4-9

QA: done already by tests/ run during package build - now fixed
OK: apt install -t apt univention-ssl
OK: touch -d @0 /etc/univention/ssl/ucsCA/crl/crl.pem && /etc/cron.daily/univention-ssl && ls -l /etc/univention/ssl/ucsCA/crl/crl.pem
Comment 5 Dirk Schnick univentionstaff 2022-07-20 16:04:09 CEST
Another customer is facing that issue. Attached ticket number.
Comment 7 Nikola Radovanovic univentionstaff 2022-07-20 20:20:29 CEST
1. created clean 4.4.9 (K)VM instance
2. licensed & system updated
3. download & install: libfaketime and faketime deb packages from Stretch
4. cloned 4.4.9 and univention-ssl package built & installed
5. make sure appropriate version is present:
     dpkg -s univention-ssl | grep '13.0.0-9A~4.4.0.202207181119'
6. check build output for test results
7. just for the sake of sanity, some basic certification management done manually (list, renew, dump, etc.)
8. tried manually to call:
     /etc/cron.daily/univention-ssl && echo "$?"