Bug 55603 – 04_saml_certificate_check.py fails to check the correct certs

Bug 55603 - 04_saml_certificate_check.py fails to check the correct certs


Summary:	04_saml_certificate_check.py fails to check the correct certs

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	UMC - System diagnostic
Version:	UCS 5.0
Hardware:	Other All

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:	UMC maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2023-01-27 11:58 CET by Ingo Jürgensmann
Modified:	2023-03-09 11:59 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.051
Enterprise Customer affected?:	Yes
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ingo Jürgensmann

2023-01-27 11:58:15 CET

The changes/fixes of #49417 doesn't solve the issue. Several customer persist to have a critical warning in System Diagnostics, apparently because the diagnostic checks only works when SSO and portal domains are in line with actual UCS hostnames, but this is often not the case for customer environments. 

Here you often find internal domains that are not reachable from the outside, like ucs01.schule.${customer}.intranet. 
The often referenced HowTo at https://help.univention.com/t/reconfigure-ucs-single-sign-on/16161 mentions in "Scenario 1, Portal and Single Sign On at different FQDNs" that SSO and portal domains can be different and not bound to internal $FQHNs (hostname -f). 

For example a customer has configured the following: 
- SSO domain: sso.elearning.${customer}.de
- Portal domain: elearing.${customer}.de

When the setup has been for SAML SSO the system diagnostics didn't show any issue. Later, with an update (see #49417 and the later fix of this) the critical warning popped up and still persists as of today: 

Das SAML Identity Provider Zertifikat Modul "SAML Identity Provider" entspricht nicht dem lokalen Zertifikat '/etc/univention/ssl/ucs01.schule.${customer}.intranet/cert.pem'.
Falls Sie die Zertifikate erneuert haben bitte Univention Support Database - Erneuern der TLS/SSL-Zertifikate und Univention Support Database - Erneuern der ganzen TLS/SSL-Zertifikat-Kette für weitere Anweisungen beachten. In diesem Fall muss das Zertifikat neu in LDAP geladen werden.

All involved SSL certs are valid when checked manually. 

The problem (IMHO) lies in the diagnostic check itself, eg. in: 

    219 def test_service_provider_certificate() -> Iterator[Problem]:
    220         """
    221         Check that local certificate :file:`/etc/univention/ssl/$FQHN/cert.pem` matches the certificate in LDAP
    222         `(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$FQHN/univention/saml/metadata))`


Here the wrong FQHNs or variables are checked. Instead the SSL certs of the following UCRV should be used: 
- ucs/server/sso/fqdn : shows the SSO FQDN used during setup of SAML SSO
- umc/saml/sp-server : shows the FQDN of the portal server used during setup

As stated above, it is quite common in customer environments that there are internal and external domains being used and although SAML SSO is working fine, the critical warning in System Diagnostics shouldn't be shown in that case.