Univention Bugzilla – Bug 55411
CA certificate validity is shown as expired in nagios check if expiration date is above 2049
Last modified: 2022-11-18 10:48:04 CET
ucr get ssl/default/days
1825

The customer set this UCR variable to 28105.

With this newly created CA the UCR variable ssl/validity/root is not updated. With some debug output in /usr/sbin/univention-certificate-check-validity we get:
--------------------------------------------------------------------
Dec 1 12:29:10 2025 GMT
M2Crypto cannot handle dates after year 2050. See RFC 5280 4.1.2.5 for more information.
None
--------------------------------------------------------------------

This does not look like a big deal, but with nagios the certificate check /usr/lib/nagios/plugins/check_univention_ssl_certificate will show a wrong expiration date and not the updated one.

→ Certificate is fine, but ssl/validity/root is not.

RFC 5280, 4.1.2.5. Validity:

   The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. The field is represented as a SEQUENCE of two dates: the date on which the certificate validity period begins (notBefore) and the date on which the certificate validity period ends (notAfter). Both notBefore and notAfter may be encoded as UTCTime or GeneralizedTime.

   CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime.
---8<-----
univention-certificate renew -name "$(hostname -f)" -days 28105
univention-certificate-check-validity
ucr get ssl/validity/root
# 20958

# UCS 4.4-9:
python2.7 -c 'import sys;from M2Crypto import X509;print(X509.load_cert(sys.argv[1]).get_not_after())' /etc/univention/ssl/m34.phahn.dev/cert.pem
# M2Crypto.X509.X509Error: M2Crypto cannot handle dates after year 2050.
# See RFC 5280 4.1.2.5 for more information.

# UCS 5.0-2:
openssl x509 -noout -dates -in /etc/univention/ssl/m38.phahn.dev/cert.pem
# notBefore=Nov 10 15:42:50 2022 GMT
# notAfter=Oct 22 15:42:50 2099 GMT
python3 -c 'import sys;from M2Crypto import X509;print(X509.load_cert(sys.argv[1]).get_not_after())' /etc/univention/ssl/m38.phahn.dev/cert.pem
# Bad time value
python2.7 -c 'import sys;from M2Crypto import X509;print(X509.load_cert(sys.argv[1]).get_not_after())' /etc/univention/ssl/m38.phahn.dev/cert.pem
# Bad time value

https://gitlab.com/m2crypto/m2crypto/-/issues/103
https://gitlab.com/m2crypto/m2crypto/-/merge_requests/102

Should be fixed in m2crypto-0.26.0 - 2017-03-21 and available in UCS-5.0+:
https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/m2crypto/

The bug is filed against 5.0. Are you sure the customer is not still with 4.4?

PS: m2crypto seems to have a nasty bug:
python3 -c 'import sys;from M2Crypto import X509;print(X509.load_cert(sys.argv[1]).get_not_after())' /etc/univention/ssl/$(hostname -f)/cert.pem
# Bad time value
python3 -c 'import sys;from M2Crypto import X509;c=X509.load_cert(sys.argv[1]);print(c.get_not_after())' /etc/univention/ssl/$(hostname -f)/cert.pem
# Oct 22 15:42:50 2099 GMT
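The RFC 5280 4.1.2.5 rule quoted in the description, and the "cannot handle dates after year 2050" / "Bad time value" failures shown in comment #1, as an added example that is not Univention's, M2Crypto's or OpenSSL's code: a small encoder and decoder for the X.509 Validity SEQUENCE that applies the 2049/2050 UTCTime/GeneralizedTime split, plus a days-remaining helper in the spirit of the nagios certificate check. The sample dates are the ones from this report (notBefore Nov 10 2022, notAfter Oct 22 2099, and the Dec 1 2025 value from the debug output); the warn/crit thresholds in nagios_state are assumed, not those of check_univention_ssl_certificate, and the parser only handles short-form DER lengths, which is all a Validity field ever needs.

```python
"""Added example (not Univention's, M2Crypto's or OpenSSL's code):
encode and decode the X.509 Validity SEQUENCE the way RFC 5280 4.1.2.5
requires, and derive the days-remaining value a certificate check needs.
All inputs are constructed; the sample dates come from the bug report."""
import datetime
import re

TAG_UTCTIME = 0x17          # "YYMMDDHHMMSSZ", only valid for 1950..2049
TAG_GENERALIZEDTIME = 0x18  # "YYYYMMDDHHMMSSZ", required from 2050 on
TAG_SEQUENCE = 0x30


def encode_time(dt):
    """Return the DER TLV for dt, picking the tag RFC 5280 mandates."""
    if 1950 <= dt.year <= 2049:
        body = dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
        tag = TAG_UTCTIME
    else:
        body = dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
        tag = TAG_GENERALIZEDTIME
    return bytes([tag, len(body)]) + body


def decode_time(tag, body):
    """Decode a UTCTime or GeneralizedTime body into a naive UTC datetime."""
    text = body.decode("ascii")
    if tag == TAG_UTCTIME:
        m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", text)
        if not m:
            raise ValueError("malformed UTCTime: %r" % text)
        yy = int(m.group(1))
        # RFC 5280 pivot: YY >= 50 means 19YY, YY < 50 means 20YY
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif tag == TAG_GENERALIZEDTIME:
        m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", text)
        if not m:
            raise ValueError("malformed GeneralizedTime: %r" % text)
        year = int(m.group(1))
    else:
        raise ValueError("not a time tag: 0x%02x" % tag)
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    return datetime.datetime(year, month, day, hour, minute, second)


def _read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; return (tag, body, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in a Validity field")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def encode_validity(not_before, not_after):
    """Build SEQUENCE { notBefore Time, notAfter Time } as DER bytes."""
    inner = encode_time(not_before) + encode_time(not_after)
    return bytes([TAG_SEQUENCE, len(inner)]) + inner


def decode_validity(der):
    """Parse a DER Validity SEQUENCE into (notBefore, notAfter) datetimes."""
    tag, inner, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, b1, pos = _read_tlv(inner, 0)
    t2, b2, pos = _read_tlv(inner, pos)
    if pos != len(inner):
        raise ValueError("trailing bytes in Validity")
    return decode_time(t1, b1), decode_time(t2, b2)


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def nagios_state(days, warn=30, crit=7):
    """Map days-left to a nagios result (thresholds are assumed, not UCS's)."""
    if days < crit:
        return "CRITICAL"
    if days < warn:
        return "WARNING"
    return "OK"


if __name__ == "__main__":
    # The certificate from comment #1: notBefore in 2022, notAfter in 2099.
    nb = datetime.datetime(2022, 11, 10, 15, 42, 50)
    na = datetime.datetime(2099, 10, 22, 15, 42, 50)
    der = encode_validity(nb, na)
    print(der.hex())
    print(decode_validity(der))
    print(nagios_state(days_left(na, datetime.datetime(2022, 11, 18))))
```

The round trip shows why the split matters: notBefore (2022) is emitted as UTCTime and notAfter (2099) as GeneralizedTime, so a decoder that knows both tags reads back the right year. A decoder that only understands UTCTime, or an encoder that writes "99" for 2099, turns the same certificate into one that expired in 1999, which is exactly the kind of wrong expiration date the nagios check in this report displays.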
Sorry, my bad, the customer is still on 4.4.
(In reply to Philipp Hahn from comment #1)
> PS: m2crypto seems to have a nasty bug:
> python3 -c 'import sys;from M2Crypto import X509;print(X509.load_cert(sys.argv[1]).get_not_after())' /etc/univention/ssl/$(hostname -f)/cert.pem
> # Bad time value
> python3 -c 'import sys;from M2Crypto import X509;c=X509.load_cert(sys.argv[1]);print(c.get_not_after())' /etc/univention/ssl/$(hostname -f)/cert.pem
> # Oct 22 15:42:50 2099 GMT

For this I have filed https://gitlab.com/m2crypto/m2crypto/-/issues/325