Univention Bugzilla – Bug 55603
04_saml_certificate_check.py fails to check the correct certs
Last modified: 2023-03-09 11:59:52 CET
The changes/fixes of #49417 doesn't solve the issue. Several customer persist to have a critical warning in System Diagnostics, apparently because the diagnostic checks only works when SSO and portal domains are in line with actual UCS hostnames, but this is often not the case for customer environments. Here you often find internal domains that are not reachable from the outside, like ucs01.schule.${customer}.intranet. The often referenced HowTo at https://help.univention.com/t/reconfigure-ucs-single-sign-on/16161 mentions in "Scenario 1, Portal and Single Sign On at different FQDNs" that SSO and portal domains can be different and not bound to internal $FQHNs (hostname -f). For example a customer has configured the following: - SSO domain: sso.elearning.${customer}.de - Portal domain: elearing.${customer}.de When the setup has been for SAML SSO the system diagnostics didn't show any issue. Later, with an update (see #49417 and the later fix of this) the critical warning popped up and still persists as of today: Das SAML Identity Provider Zertifikat Modul "SAML Identity Provider" entspricht nicht dem lokalen Zertifikat '/etc/univention/ssl/ucs01.schule.${customer}.intranet/cert.pem'. Falls Sie die Zertifikate erneuert haben bitte Univention Support Database - Erneuern der TLS/SSL-Zertifikate und Univention Support Database - Erneuern der ganzen TLS/SSL-Zertifikat-Kette für weitere Anweisungen beachten. In diesem Fall muss das Zertifikat neu in LDAP geladen werden. All involved SSL certs are valid when checked manually. The problem (IMHO) lies in the diagnostic check itself, eg. in: 219 def test_service_provider_certificate() -> Iterator[Problem]: 220 """ 221 Check that local certificate :file:`/etc/univention/ssl/$FQHN/cert.pem` matches the certificate in LDAP 222 `(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$FQHN/univention/saml/metadata))` Here the wrong FQHNs or variables are checked. Instead the SSL certs of the following UCRV should be used: - ucs/server/sso/fqdn : shows the SSO FQDN used during setup of SAML SSO - umc/saml/sp-server : shows the FQDN of the portal server used during setup As stated above, it is quite common in customer environments that there are internal and external domains being used and although SAML SSO is working fine, the critical warning in System Diagnostics shouldn't be shown in that case.