Univention Bugzilla – Full Text Bug Listing

| Summary: | Wrong permissions after renewing complete certificate chain | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | SSL | Assignee: | Janek Walkenhorst <walkenhorst> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | | |
| Priority: | P5 | CC: | gohmann, grandjean, jmm, markus.daehlmann |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-0-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 34080, 34081, 37520 | | |
Description
Sönke Schwardt-Krummrich
2013-07-10 10:46:15 CEST
Comment #1

Any log messages or tracebacks in the listener.log?

Comment #2 (Stefan Gohmann)

Reported again: Ticket #2013121121001955

I've re-checked it and the DC Backup Hosts is missing for the CA.

```
root@master201:~# ls -la /etc/univention/ssl/ucsCA/
insgesamt 56
drwxr-xr-x 6 root root 4096 18. Dez 07:36 .
drwxr-xr-x 5 root root 4096 18. Dez 07:36 ..
-rw-r--r-- 1 root root 1883 18. Dez 07:36 CAcert.pem
-rw------- 1 root root 3570 18. Dez 07:36 CAreq.pem
drwx------ 2 root root 4096 18. Dez 07:36 certs
drwx------ 2 root root 4096 18. Dez 07:36 crl
-rw-r--r-- 1 root root 293 18. Dez 07:36 index.txt
-rw-r--r-- 1 root root 21 18. Dez 07:36 index.txt.attr
-rw-r--r-- 1 root root 21 18. Dez 07:36 index.txt.attr.old
-rw-r--r-- 1 root root 146 18. Dez 07:36 index.txt.old
drwx------ 2 root root 4096 18. Dez 07:36 newcerts
drwx------ 2 root root 4096 18. Dez 07:36 private
-rw-r--r-- 1 root root 3 18. Dez 07:36 serial
-rw-r--r-- 1 root root 3 18. Dez 07:36 serial.old
root@master201:~# ls -la /etc/univention/ssl.orig/ucsCA/
insgesamt 56
drwxrwxr-x 6 root DC Backup Hosts 4096 30. Nov 18:08 .
drwxr-xr-x 5 root DC Backup Hosts 4096 30. Nov 18:08 ..
-rw-r--r-- 1 root DC Slave Hosts 2053 30. Nov 17:18 CAcert.pem
-rw-rw---- 1 root DC Backup Hosts 3669 30. Nov 17:18 CAreq.pem
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 18:08 certs
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 17:18 crl
-rw-r--r-- 1 root nogroup 291 30. Nov 18:08 index.txt
-rw-r--r-- 1 root nogroup 21 30. Nov 18:08 index.txt.attr
-rw-rw-r-- 1 root DC Backup Hosts 21 30. Nov 17:18 index.txt.attr.old
-rw-rw-r-- 1 root DC Backup Hosts 145 30. Nov 17:18 index.txt.old
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 18:08 newcerts
drwxrwx--- 2 root DC Backup Hosts 4096 30. Nov 17:18 private
-rw-r--r-- 1 root nogroup 3 30. Nov 18:08 serial
-rw-rw-r-- 1 root DC Backup Hosts 3 30. Nov 17:18 serial.old
root@master201:~#
root@master201:~# ls -la /etc/univention/ssl/
insgesamt 28
drwxr-xr-x 5 root root 4096 18. Dez 07:36 .
drwxr-xr-x 13 root root 4096 18. Dez 07:36 ..
lrwxrwxrwx 1 root root 46 18. Dez 07:36 master201 -> /etc/univention/ssl/master201.deadlock20.local
drwxr-x--- 2 root DC Backup Hosts 4096 18. Dez 07:36 master201.deadlock20.local
lrwxrwxrwx 1 root root 47 18. Dez 07:36 master201v -> /etc/univention/ssl/master201v.deadlock20.local
drwxr-x--- 2 root DC Backup Hosts 4096 18. Dez 07:36 master201v.deadlock20.local
-rw------- 1 root root 3331 18. Dez 07:36 openssl.cnf
-rw------- 1 root root 20 18. Dez 07:36 password
drwxr-xr-x 6 root root 4096 18. Dez 07:36 ucsCA
root@master201:~# ls -la /etc/univention/ssl.orig/
insgesamt 28
drwxr-xr-x 5 root DC Backup Hosts 4096 30. Nov 18:08 .
drwxr-xr-x 13 root root 4096 18. Dez 07:36 ..
lrwxrwxrwx 1 root DC Backup Hosts 46 30. Nov 17:18 master201 -> /etc/univention/ssl/master201.deadlock20.local
drwxr-x--- 2 master201$ DC Backup Hosts 4096 30. Nov 17:18 master201.deadlock20.local
lrwxrwxrwx 1 root nogroup 47 30. Nov 18:08 master201v -> /etc/univention/ssl/master201v.deadlock20.local
drwxr-x--- 2 master201v$ DC Backup Hosts 4096 30. Nov 18:08 master201v.deadlock20.local
-rw-rw---- 1 root DC Backup Hosts 3373 30. Nov 17:18 openssl.cnf
-rw-rw---- 1 root DC Backup Hosts 20 30. Nov 17:18 password
drwxrwxr-x 6 root DC Backup Hosts 4096 30. Nov 18:08 ucsCA
root@master201:~#
```

Comment #3 (Stefan Gohmann)

*** Bug 32988 has been marked as a duplicate of this bug. ***

Comment #4 (Stefan Gohmann)

(In reply to Stefan Gohmann from comment #3)
> *** Bug 32988 has been marked as a duplicate of this bug. ***

This report should be checked / fixed as well.

Comment #5 (Janek Walkenhorst)

(In reply to Sönke Schwardt-Krummrich from comment #0)
> After renewing the complete SSL certificate chain, the listener module

Following <http://sdb.univention.de/content/15/1/de/erneuern-der-ssl_zertifikate.html> leads to

```
-rw-r--r-- 1 root root 2,1k 6. Feb 15:53 CAcert.pem
```

instead of

```
-rw-r--r-- 1 root DC Slave Hosts 2,1k 29. Nov 12:13 CAcert.pem
```

(In reply to Stefan Gohmann from comment #2)
> Reported again: Ticket #2013121121001955
> I've re-checked it and the DC Backup Hosts is missing for the CA.

Using the System-Setup UMC module leads to root:root for almost everything.

(In reply to Stefan Gohmann from comment #4)
> > *** Bug 32988 has been marked as a duplicate of this bug. ***
> This report should be checked / fixed as well.

Using `univention-certificate new -name foo` leads to

```
drwxr-x--- 2 root DC Backup Hosts 4,1k 6. Feb 16:25 /etc/univention/ssl/foo
-rw------- 1 root DC Backup Hosts 4,4k 6. Feb 16:25 […]/cert.pem
-rw------- 1 root DC Backup Hosts 3,3k 6. Feb 16:25 […]/openssl.cnf
-rw------- 1 root DC Backup Hosts 891 6. Feb 16:25 […]/private.key
-rw------- 1 root DC Backup Hosts 802 6. Feb 16:25 […]/req.pem
```

instead of

```
drwxr-x--- 2 root DC Backup Hosts 4,1k 6. Feb 16:24 /etc/univention/ssl/bar/
-rw-r----- 1 root DC Backup Hosts 4,4k 6. Feb 16:24 […]/cert.pem
-rw-r----- 1 root DC Backup Hosts 3,3k 6. Feb 16:24 […]/openssl.cnf
-rw-r----- 1 root DC Backup Hosts 887 6. Feb 16:24 […]/private.key
-rw-r----- 1 root DC Backup Hosts 802 6. Feb 16:24 […]/req.pem
```

Comment #6 (Janek Walkenhorst)

(In reply to Janek Walkenhorst from comment #5)
> Following
> <http://sdb.univention.de/content/15/1/de/erneuern-der-ssl_zertifikate.html>

This is due to a missing chown/chmod in the SDB article.

> (In reply to Stefan Gohmann from comment #2)
> Using the System-Setup UMC module leads to root:root for almost everything.

This is because make-certificate.sh→init does not set the permissions. (During installation they are fixed by 20univention-join.inst)

> Using
> univention-certificate new -name foo

This is due to <https://forge.univention.org/bugzilla/show_bug.cgi?id=26572#c2>.

Comment #7

(In reply to Janek Walkenhorst from comment #6)
> This is due to a missing chown/chmod in the SDB article.

→ Bug 34080

> This is because make-certificate.sh→init does not set the permissions.
> (During installation they are fixed by 20univention-join.inst)
>
> This is due to
> <https://forge.univention.org/bugzilla/show_bug.cgi?id=26572#c2>.

Fixed with univention-ssl (8.0.0-4): The permissions are set to be like they are after installation.

Advisory: 2014-02-07-univention-ssl.yaml

Comment #8

```
OK: svn47687
OK: apt-get install univention-ssl=8.0.0-4.138.201402071620
OK: univention-certificate new -name foo
OK: umask 0077 ; univention-certificate new -name bar
OK: univention-certificate renew -name foo -days 365
OK(*): UMC Basis Settings Certificate Change
OK: announce_errata -V 2014-02-07-univention-ssl.yaml
```

(*): In one test case I had a /etc/univention/ssl/ directory missing the host certificate, which caused slapd, listener, notifier, apache2 to fail. It was caused by changing the SSL settings through UMC Basis Settings. See Bug #31941 for details
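The comparison the `ls -la` listings above are doing by eye, as an added example that is not part of the bug report or of univention-ssl: a small audit that checks an SSL tree against the root:"DC Backup Hosts" layout read off the /etc/univention/ssl.orig listing and reports every path that is missing or has drifted in owner, group or mode (the kind of check worth running after a certificate renewal or a System-Setup change). The `UCS_LAYOUT` table, the function names and the constructed sample tree are this example's own; on a real UCS host the group names must be resolvable through NSS.

```python
"""Audit owner, group and mode bits of a UCS-style /etc/univention/ssl tree.
Added example, not code from the bug report or univention-ssl; expected values
are read off the /etc/univention/ssl.orig listing in the report."""
import grp, os, pwd, stat, tempfile
from typing import Dict, List, Optional, Tuple

Layout = Dict[str, Tuple[Optional[str], Optional[str], int]]  # None = do not check
UCS_LAYOUT: Layout = {  # paths relative to the SSL root
    ".": ("root", "DC Backup Hosts", 0o755),
    "ucsCA": ("root", "DC Backup Hosts", 0o775),
    "ucsCA/CAcert.pem": ("root", None, 0o644),
    "ucsCA/private": ("root", "DC Backup Hosts", 0o770),
    "password": ("root", "DC Backup Hosts", 0o660),
}

def _names(st: os.stat_result) -> Tuple[str, str]:
    """Resolve uid/gid to names; ids without a passwd/group entry stay numeric."""
    try: user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError: user = str(st.st_uid)
    try: group = grp.getgrgid(st.st_gid).gr_name
    except KeyError: group = str(st.st_gid)
    return user, group

def audit_tree(root: str, layout: Layout) -> List[str]:
    """Return one finding per path that is missing or deviates from the layout."""
    findings: List[str] = []
    for rel, (owner, group, mode) in sorted(layout.items()):
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:  # the QA note describes a lost host cert directory
            findings.append(f"{rel}: missing")
            continue
        user, grp_name = _names(st)
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{rel}: mode {actual:04o}, expected {mode:04o}")
        if owner is not None and user != owner:
            findings.append(f"{rel}: owner {user}, expected {owner}")
        if group is not None and grp_name != group:
            findings.append(f"{rel}: group {grp_name}, expected {group}")
    return findings

def build_sample_tree() -> Tuple[str, Layout]:
    """Constructed sample: temp tree with ucsCA at 0755 (as in the bug) and no 'password'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ucsCA/private"))
    open(os.path.join(root, "ucsCA/CAcert.pem"), "w").close()
    for rel, mode in ((".", 0o755), ("ucsCA", 0o755), ("ucsCA/private", 0o770), ("ucsCA/CAcert.pem", 0o644)):
        os.chmod(os.path.join(root, rel), mode)
    me = _names(os.stat(root))[0]  # check ownership against whoever runs this
    wanted = (".", "ucsCA", "ucsCA/CAcert.pem", "ucsCA/private", "password")
    return root, {rel: (me, None, UCS_LAYOUT[rel][2]) for rel in wanted}
```

Run `audit_tree("/etc/univention/ssl", UCS_LAYOUT)` as root on a UCS system; an empty list means the tree matches the post-installation layout.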