Bug 35027

Summary: UCS CA: univention-certificate doesn't lock index.txt
Product: UCS Reporter: Ingo Steuwer <steuwer>
Component: SSLAssignee: Philipp Hahn <hahn>
Status: CLOSED FIXED QA Contact: Janek Walkenhorst <walkenhorst>
Severity: normal    
Priority: P5 CC: gohmann, hahn
Version: UCS 3.1   
Target Milestone: UCS 4.1-2-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Large environments
Max CVSS v3 score:

Description Ingo Steuwer univentionstaff 2014-06-02 08:24:25 CEST 
regenerating SSL certificates using "univention-certificate renew" with two concurrent processes failed due to a corrupt /etc/univention/ssl/ucsCA/index.txt.
Comment 1 Philipp Hahn univentionstaff 2016-06-23 14:23:00 CEST 
r70558 | Bug #24094 ssl: Allow univention-certificate only on DC Master (or Backup)
 man 1ssl openssl
 > WARNINGS
 > The ca command is effectively a single user command: no locking is done on the various files and attempts to run more than one ca command on the same database can have unpredictable results.
 Now uses flock($SSLBASE) for mutual exlusion

Package: univention-ssl
Version: 10.0.0-12.169.201606231402
Branch: ucs_4.1-0
Scope: errata4.1-2

r70580 | Bug #39045 ssl: YAML
 univention-ssl.yaml
Comment 2 Janek Walkenhorst univentionstaff 2016-07-12 19:02:36 CEST 
Code review: OK
Advisory: OK
Tests: OK
Comment 3 Janek Walkenhorst univentionstaff 2016-07-21 15:16:04 CEST 
<http://errata.software-univention.de/ucs/4.1/213.html>