Bug 40229

Summary: SAML certificate renewal
Product: UCS
Reporter: Florian Best <best>
Component: SAML
Assignee: UCS maintainers <ucs-maintainers>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: P5
CC: damrose, gulden, klaeser, m.bunkus
Version: UCS 4.1
Target Milestone: UCS 4.1-x
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=40738
https://forge.univention.org/bugzilla/show_bug.cgi?id=45515
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won't like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback, SAML, Troubleshooting
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 40269

Description Florian Best univentionstaff 2015-12-11 16:02:41 CET
If a new (root CA) certificate is generated via the UMC module, manual steps are required to make SAML work again:
* some join scripts need to be re-executed.

We should outsource the needed commands into some scripts so that it's not required to force-re-execute the join scripts but just simply call the scripts.

As this is currently nowhere documented, customers will probably run into problems when their certificates are getting renewed. We should prevent this and try to automatically do the required steps (e.g. in the SSL system-setup script?).
Comment 1 Moritz Bunkus 2015-12-14 09:51:11 CET
As can be seen in http://forum.univention.de/viewtopic.php?t=4649, running the join script is not enough, as the join script only generates the certificate if it's missing from the file system.

In the case of re-generating it the file is present and won't be created by the join script.
Comment 2 Alexander Kläser univentionstaff 2015-12-14 14:53:51 CET
(In reply to Florian Best from comment #0)
> If a new (root CA) certificate is generated via the UMC module manual steps
> are required to make SAML working again:
> * some joinscripts need to be reexecuted.
> 
> We should outsource the needed commands into some scripts so that it's not
> required to force-reexecute the joinscripts but just simply call the scripts.
> 
> As this is currently nowhere documented customers will probably run into
> problems when their certificates are getting renewed. We should prevent this
> and try to automatically do the required steps (e.g. in the SSL system-setup
> script?).

IMHO, this should be done automatically via /usr/lib/univention-system-setup/scripts/40_ssl/10ssl.
Comment 3 Florian Best univentionstaff 2015-12-16 15:56:46 CET
(In reply to Alexander Kläser from comment #2)
> IMHO,this should be done automatically via
> /usr/lib/univention-system-setup/scripts/40_ssl/10ssl.
It cannot be done there. It needs to be done on each host. As the hosts have the old certificates, we also cannot connect to them.
Comment 4 Alexander Kläser univentionstaff 2015-12-16 16:53:44 CET
(In reply to Florian Best from comment #3)
> It cannot be done there. It needs to be done on each host. As the hosts have
> the old certificates we also cannot connect to them.

Could it be done then in a separate setup script?
Comment 5 Florian Best univentionstaff 2015-12-16 16:54:29 CET
(In reply to Alexander Kläser from comment #4)
> Could it be done then in a separate setup script?
It still needs to be done on every host and not only on the DC master.
Comment 6 Florian Best univentionstaff 2016-02-19 11:11:28 CET
We need to add the execution of the following scripts for every system where UMC is installed:

/usr/lib/univention-uninstall/09univention-management-console-web-server.uinst
/usr/lib/univention-install/92univention-management-console-web-server.inst

These scripts exist since Bug #40738 (not released yet).
Comment 7 Florian Best univentionstaff 2016-02-19 11:51:53 CET
With the following commands I could successfully log in on a DC Master via SAML after regenerating the root CA certificate.

eval "$(ucr shell)"   # export UCR variables (e.g. saml_idp_certificate_certificate) into the shell
# remove the stale IdP certificate/key and the ucs-sso certificate directory signed by the old CA
rm -rf "${saml_idp_certificate_certificate}" "${saml_idp_certificate_privatekey}" /etc/univention/ssl/ucs-sso*
# unset the UCR variables so the join script treats the certificate as missing and regenerates it
ucr unset saml/idp/certificate/privatekey saml/idp/certificate/certificate
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
invoke-rc.d apache2 restart
# rebuild the simplesamlphp configuration from LDAP so it picks up the new certificate
/usr/sbin/univention-directory-listener-ctrl resync univention-saml-simplesamlphp-configuration
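Comment 1 explains why the join script alone does not help: it only checks whether the certificate file exists, not whether it was issued by the current root CA. The following check, added here as an example and not part of the bug report or of UCS itself, verifies the IdP certificate against a CA file instead, and simulates a root CA renewal with a throwaway CA to show the stale certificate failing. The CA path /etc/univention/ssl/ucsCA/CAcert.pem mentioned in the comments is an assumption; the IdP certificate path is the UCR variable saml/idp/certificate/certificate from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug report. Requires openssl.

# Returns 0 if CERT chains to the CA in CA_FILE, 1 if either file is
# missing or the certificate was issued by another (e.g. old) CA.
saml_cert_matches_ca() {
    cert="$1"; ca="$2"
    [ -r "$cert" ] && [ -r "$ca" ] || return 1
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Constructed scenario: issue an IdP certificate from a first CA, then
# create a second CA as the UMC root-CA regeneration would. Returns 0
# only if the certificate verifies against the old CA and is rejected
# by the renewed one, i.e. the "file exists but is stale" case.
demo_ca_renewal() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=old UCS CA" \
        -keyout "$d/ca1.key" -out "$d/ca1.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs-sso.example.test" \
        -keyout "$d/idp.key" -out "$d/idp.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/idp.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
        -CAcreateserial -days 1 -out "$d/idp.pem" >/dev/null 2>&1 || return 1
    # renewed root CA; the IdP certificate on disk is untouched
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=new UCS CA" \
        -keyout "$d/ca2.key" -out "$d/ca2.pem" >/dev/null 2>&1 || return 1
    saml_cert_matches_ca "$d/idp.pem" "$d/ca1.pem" || { rm -rf "$d"; return 1; }
    if saml_cert_matches_ca "$d/idp.pem" "$d/ca2.pem"; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}
```

On a UCS host the check would be `saml_cert_matches_ca "$(ucr get saml/idp/certificate/certificate)" /etc/univention/ssl/ucsCA/CAcert.pem` (CA path assumed); a non-zero result is the signal to run the renewal steps from comment 7 on that host.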
Comment 8 Erik Damrose univentionstaff 2016-02-24 10:46:08 CET
The required steps to renew the SAML settings should be documented, see http://sdb.univention.de/1183
Comment 9 Nico Gulden univentionstaff 2017-10-11 14:32:31 CEST
Referred to in Univention Help: https://help.univention.com/t/wrong-ca-certificate-with-new-install/7018
Comment 10 Stefan Gohmann univentionstaff 2019-01-03 07:23:30 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.