Univention Bugzilla – Bug 54932
/etc/cron.daily/univention-ssl exited with return code 2
Last modified: 2022-07-28 09:11:33 CEST
This seems to be a regression. After updating univention-ssl to version 14.0.2-3A~5.0.0.202206071244, every nightly job creates an e-mail with the following content:

<CONTENT>
"run-parts: /etc/cron.daily/univention-ssl exited with return code 2"
</CONTENT>

Additional environment information:

~# univention-app info
UCS: 5.0-1 errata342

~# apt info univention-ssl
Package: univention-ssl
Version: 14.0.2-3A~5.0.0.202206071244
Priority: optional
Section: univention
Maintainer: Univention GmbH <packages@univention.de>
Installed-Size: 96,3 kB
Depends: openssl, python3-m2crypto, python3-univention-lib, shell-univention-lib (>= 3.0.1-1), univention-directory-listener, univention-ssh, univention-config (>= 7.0.25)
Recommends: rdate
Download-Size: 23,0 kB
APT-Manual-Installed: no
APT-Sources: https://updates.software-univention.de errata501/main amd64 Packages

~# sh /etc/cron.daily/univention-ssl || echo "$?"
2
~# bash /etc/cron.daily/univention-ssl && echo "$?"
0

+++ This bug was initially created as a clone of Bug #47896 +++

Users report an error level from univention-ssl. Doing some investigation, I got the following debug output:

+ . /usr/share/univention-lib/ucr.sh
+ is_ucr_false ssl/validity/check
+ local value
+ /usr/sbin/univention-config-registry get ssl/validity/check
+ value=yes
+ tr [:upper:] [:lower:]
+ echo -n yes
+ return 1
+ univention-certificate-check-validity
+ check_gen_crl
+ local interval crl=/etc/univention/ssl/ucsCA/crl/crl.pem
+ ucr get server/role
+ [ domaincontroller_master = domaincontroller_master ]
+ ucr get ssl/crl/interval
+ interval=7
+ [ 7 -ge 1 ]
+ [ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]
+ find /etc/univention/ssl/ucsCA/crl/crl.pem -mtime -7
+ [ -n ]
+ . /usr/share/univention-ssl/make-certificates.sh
+ SSLBASE=/etc/univention/ssl
+ CA=ucsCA
+ /usr/sbin/univention-config-registry get ssl/crl/validity
+ DEFAULT_CRL_DAYS=10
+ : 10
+ /usr/sbin/univention-config-registry get ssl/default/days
+ DEFAULT_DAYS=1825
+ : 1825
+ /usr/sbin/univention-config-registry get ssl/default/hashfunction
+ DEFAULT_MD=sha256
+ : sha256
+ /usr/sbin/univention-config-registry get ssl/default/bits
+ DEFAULT_BITS=2048
+ : 2048
+ export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+ test -e /etc/univention/ssl/password
+ cat /etc/univention/ssl/password
+ PASSWD=M7NBxxxxx2tZ0aprRdJ3
/etc/cron.daily/univention-ssl: 438: /usr/share/univention-ssl/make-certificates.sh: Syntax error: redirection unexpected
I've been facing the same issue for a couple of weeks, but on UCS 4.4.

univention-app info:

univention-app info
UCS: 4.4-9 errata1272
Installed: adconnector=12.0 fetchmail=6.3.26 kde=5.8 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 letsencrypt=1.2.2-20 samba-memberserver=4.7 z-push-kopano=2.6.2-1
Upgradable:
Same here:

univention-app info
UCS: 5.0-2 errata352
Installed: letsencrypt=2.0.0-2 samba4=4.16
Upgradable:
Fix for both 4.4-9 and 5.0-x:

sudo sed -e '1s,/bin/sh,/bin/bash,' -i /etc/cron.daily/univention-ssl

The source of that file is git:base/univention-ssl/debian/univention-ssl.cron.daily
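A static check for the mismatch behind this bug, as an added example that is not Univention's code: it flags a `#!/bin/sh` script whose sourced files contain bash-only redirections (here-strings, process substitution) that a POSIX `/bin/sh` such as dash does not parse. The report does not show the offending line in make-certificates.sh, so the here-string in the constructed sample is an assumption, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: find bash-only redirections reachable from a #!/bin/sh script.

# Print the interpreter path from a script's first line (empty if no shebang).
shebang_of() {
    sed -n '1s,^#! *\([^ ]*\).*,\1,p' "$1"
}

# Print absolute paths the script sources with ". /path".
sourced_files() {
    sed -n 's,^[[:space:]]*\.[[:space:]][[:space:]]*\(/[^[:space:];]*\).*,\1,p' "$1"
}

# Return 1 and list file:line:text if a /bin/sh script, or a file it sources,
# uses a here-string (<<<) or process substitution (<( ). Heuristic, not a parser.
check_sh_script() {
    script=$1
    [ "$(shebang_of "$script")" = "/bin/sh" ] || return 0
    status=0
    for f in "$script" $(sourced_files "$script"); do
        [ -r "$f" ] || continue
        # Match the two constructs, then drop lines that are only comments.
        hits=$(grep -nE '<<<|<\(' "$f" | grep -v '^[0-9]*:[[:space:]]*#' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            status=1
        fi
    done
    return $status
}

# Constructed sample: a /bin/sh cron script sourcing a library with a here-string.
make_sample() {
    dir=$1
    printf '%s\n' '# constructed library' 'read -r first <<< "sample"' > "$dir/lib.sh"
    printf '%s\n' '#!/bin/sh' ". $dir/lib.sh" > "$dir/cron.daily"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp -d) && make_sample "$demo"
check_sh_script "$demo/cron.daily" || echo "mismatch: sourced file needs bash"
rm -rf "$demo"
```

After the shebang is changed to /bin/bash, as the sed command above does, the same check passes because the sourced file is then parsed by bash.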
Fixing it for 4.4-9 first as there are currently other changes pending for 5.0-2

[4.4-9] c57c5eeb83 Bug #54932: univention-ssl 13.0.0-9A~4.4.0.202207181119
 doc/errata/staging/univention-ssl.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[4.4-9] 727e382085 test[ssl]: shellcheck
 base/univention-ssl/debian/univention-ssl.cron.daily | 7 ++++++-
 base/univention-ssl/debian/univention-ssl.postinst | 9 ++++++---
 base/univention-ssl/extensions-example.sh | 4 +++-
 base/univention-ssl/make-certificates.sh | 11 ++++++++---
 base/univention-ssl/ssl-sync | 5 ++---
 base/univention-ssl/tests/common.sh | 26 ++++++++++++++++++++++----
 base/univention-ssl/tests/test_defaults | 3 ++-
 base/univention-ssl/tests/test_host_expired | 7 ++++---
 base/univention-ssl/tests/test_host_fqdn | 7 ++++---
 base/univention-ssl/tests/test_host_hook | 3 ++-
 ...
 23 files changed, 128 insertions(+), 62 deletions(-)

[4.4-9] a661c72fbb fix[ssl]: Source make-certificates.sh with bash
 base/univention-ssl/debian/changelog | 6 ++++++
 base/univention-ssl/debian/univention-ssl.cron.daily | 2 +-
 doc/errata/staging/univention-ssl.yaml | 10 ++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

Package: univention-ssl
Version: 13.0.0-9A~4.4.0.202207181119
Branch: ucs_4.4-0
Scope: errata4.4-9

QA: done already by tests/ run during package build - now fixed
OK: apt install -t apt univention-ssl
OK: touch -d @0 /etc/univention/ssl/ucsCA/crl/crl.pem && /etc/cron.daily/univention-ssl && ls -l /etc/univention/ssl/ucsCA/crl/crl.pem
Another customer facing that issue. Attached ticket number
https://git.knut.univention.de/univention/ucs/-/issues/1222
1. created clean 4.4.9 (K)VM instance
2. licensed & system updated
3. download & install: libfaketime and faketime deb packages from Stretch
4. cloned 4.4.9 and univention-ssl package built & installed
5. make sure appropriate version is present: dpkg -s univention-ssl | grep '13.0.0-9A~4.4.0.202207181119'
6. check build output for test results
7. just for the sake of sanity, some basic certification management done manually (list, renew, dump, etc.)
8. tried manually to call: /etc/cron.daily/univention-ssl && echo "$?"
<https://errata.software-univention.de/#/?erratum=4.4x1277>