Bug 40228
| Summary: | Add diagnostic test for SSL certificates | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | UMC - System diagnostic | Assignee: | Lukas Oyen <oyen> |
| Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, oyen, requate |
| Version: | UCS 4.1 | Flags: | best:
Patch_Available+
|
| Target Milestone: | UCS 4.2-2-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: |
https://forge.univention.org/bugzilla/show_bug.cgi?id=35862 https://forge.univention.org/bugzilla/show_bug.cgi?id=45702 |
||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Troubleshooting | |
| Max CVSS v3 score: | |||
| Attachments: | 40228-diagnostic-certificate-check-420.patch | ||
|
Description
Florian Best
Created attachment 8931 [details] 40228-diagnostic-certificate-check-420.patch The new attached `certificate_ckeck.py` checks SSL certificates. If this check runs on a DC master/backup, the local root-CA/CRL files are used. Otherwise the root certificate and CRL file are downloaded from the DC master. This checks the certificates in 'apache2/ssl/certificate', 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file exists). If a certificate is not yet valid or expired a Critical error is shown. If a certificate expires within the next 50 days (see bug 35862 comment 0) a Warning is shown. As the old version of `python-openssl` (0.14) does not yet support validation against CRLs, `openssl verify` is used. If `openssl verify` finds any error, a Critical error is shown. This does not trigger any checks on other servers in the domain, as that would require major changes within this diagnostic module. *** Bug 35862 has been marked as a duplicate of this bug. *** Committed in r81624 - r81625 (advisory r81649). I added a test case which runs every diagnostic check in our Jenkins environment on all server roles. ucs-test (7.0.23-19): r81667 | Bug #40228: add test case which runs every diagnostic check (In reply to Florian Best from comment #4) > I added a test case which runs every diagnostic check in our Jenkins > environment on all server roles. > > ucs-test (7.0.23-19): > r81667 | Bug #40228: add test case which runs every diagnostic check Can we have that snippet as the `main()` in /management/univention-management-console-module-diagnostic/umc/python/diagnostic/__init__.py instead of the dummy so we can actually run the modules from the command line? This would be a preliminary implementation, but better than what is currently available. (In reply to Lukas Oyen from comment #1) > This checks the certificates in 'apache2/ssl/certificate', > 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' and any > certificates marked `V` in '/etc/univention/ssl/ucsCA/index.txt' (if the file > exists). Are they all verified against the DC Master certificate? We have customer environments which are replacing 'apache2/ssl/certificate', 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some certificate signed by official CA's. These must pass the tests, too! (In reply to Florian Best from comment #6) > Are they all verified against the DC Master certificate? Yes, explicitly passed as `-CAfile`. > We have customer environments which are replacing 'apache2/ssl/certificate', > 'saml/idp/certificate/certificate', 'mail/postfix/ssl/certificate' with some > certificate signed by official CA's. These must pass the tests, too! Fixed in r81920. If a certificate is broken the following traceback is shown:
Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
result = execute(umc_module, **kwargs)
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 265, in run
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 239, in verify_local
def verify_local(all_certificates):
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 184, in verify
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/certificate_check.py", line 154, in _verify_timestamps
cert = crypto.load_certificate(crypto.FILETYPE_PEM, fob.read())
File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 1219, in load_certificate
_raise_current_error()
File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
raise exceptionType(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
(In reply to Florian Best from comment #8) > If a certificate is broken the following traceback is shown: Fixed in r81976. Okay, looks good. |