Univention Bugzilla – Full Text Bug Listing |
Summary: | block update to 4.1-0 if ssl/default/hashfunction=md5 | ||
---|---|---|---|
Product: | UCS | Reporter: | Felix Botner <botner> |
Component: | SSL | Assignee: | UCS maintainers <ucs-maintainers> |
Status: | RESOLVED WONTFIX | QA Contact: | |
Severity: | normal | ||
Priority: | P5 | CC: | best, damrose, edv, gohmann, hahn |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.1-x | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=40658 http://forge.univention.org/bugzilla/show_bug.cgi?id=46133 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.114 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2016012721000469 | Bug group (optional): | External feedback |
Max CVSS v3 score: |
Description
Felix Botner
2015-11-10 11:27:21 CET
Also happened in Ticket#2016012721000469.

To change the hashing function in /etc/univention/ssl/openssl.cnf:

    # cd /etc/univention/ssl/
    # eval "$(ucr shell)"
    # . /usr/share/univention-ssl/make-certificates.sh
    # mk_config openssl.cnf "$(cat password)" "$ssl_default_days" "$ssl_common"

UCS-4.1 is out-of-maintenance, but UCS-3.3 is still maintained, so they will get this problem when finally upgrading to UCS-4.x

If anyone stumbles over this (like me) while running join scripts and is stopping on

    RUNNING 92univention-management-console-web-server.inst

with:

    GnuTLS: The signature algorithm is not supported.
    Es ist nicht möglich, eine SSL-Verbindung herzustellen.

here is a "workaround" solution till you definitely need to renew all your certificates as described here: https://help.univention.com/t/renewing-the-ssl-certificates/37

First you should set ssl/default/hashfunction to sha256 as suggested in the initial post (otherwise the update to 4.3 will do this (Point 6.3) http://docs.software-univention.de/release-notes-4.3-0-en.html). Then:

    eval "$(ucr shell)"
    eval "$(ucr shell domainname)"
    cd /etc/univention/ssl

verify in openssl.cnf that the algorithm is set to

    default_md = sha256

then run

    univention-certificate renew -name ucs-sso.${domainname} -days 365

to renew only the sso cert and then

    cp "/etc/univention/ssl/ucs-sso.${domainname}/cert.pem" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.crt"
    cp "/etc/univention/ssl/ucs-sso.${domainname}/private.key" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.key"
    service univention-saml restart

finally univention-run-join-scripts should run through with no errors. This worked for me. If you already have Service Providers connected, of course you need to renew them too, see cert renewal link above.

This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3.
Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
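
An added example, not part of the bug report or of Univention's tooling: a POSIX shell audit that reports whether `default_md` in openssl.cnf or the signature of any issued certificate still uses MD5, the condition behind the GnuTLS error quoted in the thread. It assumes one `cert.pem` per host directory under the SSL directory, as in the paths quoted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a UCS-style SSL directory for MD5 remnants.
# Assumption: certificates live in <ssl_dir>/<host>/cert.pem.

# Print the active default_md value from an OpenSSL config (first match wins).
# Commented-out lines are ignored because the match is anchored at line start.
cnf_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        head -n 1
}

# Return 0 if a digest or signature-algorithm name is MD5-based.
is_md5() {
    case $(printf %s "$1" | tr 'A-Z' 'a-z') in
        *md5*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption or md5WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Report the config and every certificate that still uses MD5.
# Returns 1 if anything was found, 0 if the directory is clean.
audit_ssl_dir() {
    dir=$1 rc=0
    md=$(cnf_default_md "$dir/openssl.cnf")
    if is_md5 "$md"; then
        echo "CONFIG $dir/openssl.cnf default_md=$md"
        rc=1
    fi
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        alg=$(cert_sig_alg "$cert")
        if is_md5 "$alg"; then
            echo "CERT $cert $alg"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /etc/univention/ssl
if [ -n "${1:-}" ]; then audit_ssl_dir "$1"; fi
```

Certificates listed as `CERT` were signed before the hash function was changed and keep their MD5 signature until they are renewed.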