Univention Bugzilla – Bug 55576
univention-run-diagnostic-checks fails to run when SSL certs have issue
Last modified: 2023-05-16 12:39:12 CEST
In a U@S environment UMC reports issues with SSL and SAML certs, so I wanted to collect some more information via CLI, but univention-run-diagnostic-checks is not able to even fulfill univention-run-diagnostic-checks -l:

root@ucs01:~# univention-run-diagnostic-checks --list
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 558, in send
    response = self.__request(request)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 590, in __request
    con.request(request.method, uri, request.get_body(), headers=request.headers)
  File "/usr/lib/python3.7/http/client.py", line 1260, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1306, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1255, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1030, in _send_output
    self.send(msg)
  File "/usr/lib/python3.7/http/client.py", line 970, in send
    self.connect()
  File "/usr/lib/python3.7/http/client.py", line 1423, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ucs01.schule.<customer>.intranet'. (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/univention-run-diagnostic-checks", line 168, in <module>
    sys.exit(CLIClient.main())
  File "/usr/bin/univention-run-diagnostic-checks", line 74, in main
    client = Client(None, args.username, args.password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 381, in __init__
    self.authenticate(self.username, self.password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 395, in authenticate
    return self.umc_auth(username, password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 505, in umc_auth
    return self.request('POST', 'auth', data)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 535, in request
    return self.send(request)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 560, in send
    raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ucs01.schule.<customer>.intranet'. (_ssl.c:1056)"))
root@ucs01:~#

Via web the checks do run and report some issues with the SSL certs. However, the same output should be expected via CLI, but univention-run-diagnostic-checks generates a traceback even when just listing the checks with -l as well as when -s is used, e.g. univention-run-diagnostic-checks -s 02_certificate_check 04_saml_certificate_check. The reason for the SSL cert issue seems to be that the internal domain ending with *.intranet in this example does not have an Apache virtual host entry, hence the hostname mismatch error, because the LetsEncrypt SSL cert for Apache apparently cannot include the local SSL cert.
Another possible reason for this might be a faulty SAN field that includes a "/" in the DNS: entry:

X509v3 Subject Alternative Name:
    DNS:ucs01.schule.<$domain>.intranet/, DNS:ucs01

However, the SSL cert seems to be quite old and was generated in 2021:

Not Before: Feb 22 14:42:12 2021 GMT

When SAML SSO was implemented in summer 2022 the check still worked and didn't show any errors. So it appears that something has been changed between then and now, like stricter checks in some parts of the software (which is good).
A customer has the same issue when using a letsencrypt certificate:

root@server:/etc/univention/letsencrypt# univention-run-diagnostic-checks
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 573, in send
    response = self.__request(request)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 605, in __request
    con.request(request.method, uri, request.get_body(), headers=request.headers)
  File "/usr/lib/python3.7/http/client.py", line 1260, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1306, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1255, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1030, in _send_output
    self.send(msg)
  File "/usr/lib/python3.7/http/client.py", line 970, in send
    self.connect()
  File "/usr/lib/python3.7/http/client.py", line 1423, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'server.schein.local'. (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/univention-run-diagnostic-checks", line 168, in <module>
    sys.exit(CLIClient.main())
  File "/usr/bin/univention-run-diagnostic-checks", line 74, in main
    client = Client(None, args.username, args.password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 398, in __init__
    self.authenticate(self.username, self.password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 412, in authenticate
    return self.umc_auth(username, password)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 520, in umc_auth
    return self.request('POST', 'auth', data)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 550, in request
    return self.send(request)
  File "/usr/lib/python3/dist-packages/univention/lib/umc.py", line 575, in send
    raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'server.schein.local'. (_ssl.c:1056)"))

---------------------

openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text
        Subject: CN = mail.schein4me.de
            X509v3 Subject Alternative Name:
                DNS:mail.schein4me.de

---------------------

root@server:/etc/univention/letsencrypt# ucr search --brief certificate
apache2/ssl/certificate: /etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain: /etc/univention/letsencrypt/intermediate.pem
apache2/vhosts/.*/ssl/certificate: <empty>
apache2/vhosts/.*/ssl/certificatechain: <empty>
mail/dovecot/ssl/certificate: /etc/univention/letsencrypt/signed_chain.crt
mail/postfix/ssl/certificate: /etc/univention/letsencrypt/signed_chain.crt
saml/apache2/ssl/certificate: <empty>
saml/apache2/ssl/certificatechain: <empty>
saml/idp/certificate/certificate: /etc/simplesamlphp/ucs-sso.schein.local-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/ucs-sso.schein.local-idp-certificate.key
ucs/server/sso/certificate/download: true
ucs/server/sso/certificate/generation: true
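Both tracebacks fail at the same step: the client compares the FQDN it connects to against the DNS entries in the server certificate's Subject Alternative Name, and the Let's Encrypt certificate (or a malformed SAN entry) does not cover it. As an added example, not code from the bug report or from UCS, the following Python re-implements that DNS-ID matching offline and flags malformed SAN entries such as the trailing "/" noted in the first comment; the SAN lists are constructed from the hostnames in the report, and "example" stands in for the redacted customer domain.

```python
import re

# Constructed sample SAN lists modelled on the two certificates in the report;
# "example" stands in for the redacted customer domain (assumption).
SAN_LETSENCRYPT = ["mail.schein4me.de"]
SAN_FAULTY = ["ucs01.schule.example.intranet/", "ucs01"]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def san_entry_problems(entry):
    """Return reasons a DNS: SAN entry is malformed (empty list means well-formed)."""
    problems = []
    if "/" in entry:
        problems.append("contains '/' (not a valid DNS name)")
    labels = entry.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "*" and i == 0 and len(labels) > 1:
            continue  # a bare wildcard as the leftmost label is allowed
        if not _LABEL.match(label):
            problems.append("invalid label %r" % label)
    return problems


def dns_id_matches(entry, hostname):
    """RFC 6125 style DNS-ID match: exact name, or a single leftmost '*' label."""
    if san_entry_problems(entry):
        return False  # a malformed entry can never satisfy the hostname check
    entry, hostname = entry.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in entry:
        return entry == hostname
    e_labels, h_labels = entry.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, must not sit directly
    # under a TLD (e.g. "*.de"), and covers exactly one label of the hostname.
    if e_labels[0] != "*" or len(e_labels) < 3 or len(e_labels) != len(h_labels):
        return False
    return e_labels[1:] == h_labels[1:]


def diagnose(san_entries, hostname):
    """Report whether the certificate covers `hostname` and which SAN entries are broken."""
    return {
        "hostname": hostname,
        "covered": any(dns_id_matches(e, hostname) for e in san_entries),
        "broken_entries": {e: san_entry_problems(e) for e in san_entries if san_entry_problems(e)},
    }
```

Running diagnose(SAN_LETSENCRYPT, "server.schein.local") reports the name as not covered, which is exactly why the UMC client in the second comment refuses the handshake although the certificate itself is valid for mail.schein4me.de.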