Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | update fails if Signature Algorithm for host certificate is md5WithRSAEncryption | | |
| Product | UCS | Reporter | Felix Botner <botner> |
| Component | General | Assignee | Jürn Brodersen <brodersen> |
| Status | CLOSED FIXED | QA Contact | Felix Botner <botner> |
| Severity | normal | | |
| Priority | P5 | CC | gohmann |
| Version | UCS 4.3 | Keywords | interim-2 |
| Target Milestone | UCS 4.3 | | |
| Hardware | Other | | |
| OS | Linux | | |
| See Also | http://forge.univention.org/bugzilla/show_bug.cgi?id=39849, http://forge.univention.org/bugzilla/show_bug.cgi?id=40498 | | |
| What kind of report is it? | Development Internal | What type of bug is this? | --- |
| Who will be affected by this bug? | --- | How will those affected feel about the bug? | --- |
| User Pain | | Enterprise Customer affected? | |
| School Customer affected? | | ISV affected? | |
| Waiting Support | | Flags outvoted (downgraded) after PO Review | |
| Ticket number | | Bug group (optional) | |
| Max CVSS v3 score | | | |
Description
Felix Botner
2018-01-24 15:51:54 CET

```
openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = bre, L = bre, O = it, OU = edv, CN = Univention Corporate Server Root CA, emailAddress = ssl@old.test
        Validity
            Not Before: Jan 24 10:57:49 2018 GMT
            Not After : Oct 20 10:57:49 2020 GMT
        Subject: C = DE, ST = bre, L = bre, O = it, OU = edv, CN = Univention Corporate Server Root CA, emailAddress = ssl@old.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:7e:3d:c5:5b:da:fb:f3:d2:d1:53:81:08:9d:
                    c6:55:19:bc:90:db:f5:a8:72:4a:d2:25:bb:ee:b1:
                    01:79:7f:a1:34:99:43:e8:14:c2:7e:af:4a:e7:54:
                    cc:1a:f5:41:2d:bb:f8:6c:00:12:3a:45:24:13:c5:
                    09:de:33:83:56:62:17:a8:c0:aa:42:09:d3:f5:7e:
                    cc:00:e2:51:1a:2c:7d:91:f1:85:0b:64:e3:4f:e1:
                    6a:14:22:69:86:af:5b:73:2c:29:d8:67:61:e8:30:
                    94:62:dc:7c:2f:6f:a3:4a:4e:d4:a4:f6:98:42:09:
                    8e:c0:99:b9:dd:0a:18:07:10:7f:d7:74:0c:ae:98:
                    93:78:7f:48:76:c2:07:2e:bd:49:31:5b:50:71:d8:
                    5d:02:d6:ab:88:30:2e:a8:79:5f:1b:25:9b:82:4f:
                    f9:01:f1:0a:42:0e:08:21:97:2e:9a:30:d8:d1:96:
                    20:53:ac:e6:05:23:8f:04:6e:99:61:14:50:c1:1e:
                    94:c8:fb:1c:39:25:10:bc:74:70:89:6f:e5:ad:df:
                    f3:01:6d:ae:24:f4:3d:62:f9:4c:17:04:82:ec:f4:
                    d0:7f:b1:2c:e0:b5:b5:00:ff:0e:e9:fa:f6:a1:7f:
                    41:1a:16:98:65:7c:9c:a1:37:55:f7:1b:b3:db:a5:
                    ce:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                FB:9F:DB:61:02:DD:3B:0B:6E:3B:FD:04:B4:C0:D6:90:5F:86:69:56
            X509v3 Authority Key Identifier:
                keyid:FB:9F:DB:61:02:DD:3B:0B:6E:3B:FD:04:B4:C0:D6:90:5F:86:69:56
                DirName:/C=DE/ST=bre/L=bre/O=it/OU=edv/CN=Univention Corporate Server Root CA/emailAddress=ssl@old.test
                serial:00
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Subject Alternative Name:
                email:ssl@old.test
            X509v3 Issuer Alternative Name:
                email:ssl@old.test
            Netscape Comment:
                This certificate is a Root CA Certificate
    Signature Algorithm: sha256WithRSAEncryption
         50:ae:37:f3:30:d1:96:b0:a5:74:00:49:75:9d:af:6d:3c:77:
         54:59:c0:bf:2a:10:b8:c6:fb:48:0f:c5:df:e7:ab:1a:7f:78:
         ae:3f:69:e1:d1:7f:ef:7c:aa:56:d2:aa:e9:fb:d2:e3:f5:a1:
         55:ff:0c:18:f5:99:23:3e:f5:e4:78:1a:be:99:73:b3:e7:ee:
         96:8e:e8:a3:4b:b7:2e:23:b7:31:b1:71:5b:60:25:51:02:de:
         21:46:ad:d9:6f:0d:74:4c:6b:88:ca:26:25:dd:1f:b6:10:4e:
         e9:fb:7f:d2:3d:73:0f:7a:a4:d0:0c:51:ef:39:cf:aa:a2:92:
         ad:d3:27:e7:d8:89:72:1d:92:e4:2b:63:03:27:4f:14:b0:10:
         c5:47:84:31:a6:f4:34:cb:6d:ee:e5:6b:6a:e4:49:42:23:d4:
         4e:82:30:60:a3:7a:a3:ed:98:27:d1:e5:ab:3f:34:4c:6e:a6:
         88:90:c1:5a:53:c9:b6:a7:5a:9f:0a:da:8a:58:bb:f7:06:f9:
         b6:16:e0:c2:fc:d9:ba:6f:45:d4:32:00:aa:8b:76:26:d0:91:
         27:e8:b9:ea:2c:e5:8b:32:a7:37:2b:83:7a:01:5d:f7:de:ab:
         17:46:9d:12:22:a4:e9:9d:5e:b7:e4:9e:4e:da:57:bf:2b:b2:
         73:a6:29:06
-----BEGIN CERTIFICATE-----
```

This breaks the update tests: http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/Update%20Tests/

```
ucr get ssl/default/hashfunction
md5
```

So we have to check if the host certificate is md5, and if so stop the update?

I think we need an sdb article for this. In case someone is still using ssl/default/hashfunction=md5, openssl.cnf probably has the hashfunction still hardcoded as well. See bug 39849 and bug 40498. Also "ssl/default/hashfunction" doesn't seem to be documented anywhere?

WIP: https://git.knut.univention.de/univention/ucs/commit/254563fe5275a270687cc9955c13c826b456e3ab

openssl.cnf is updated in univention-ssl.postinst. In that case the existing article should be enough: https://help.univention.com/t/renewing-the-ssl-certificates/37

350a1bc3: check signature algorithm of the tls certificate in preup.sh
34c903df: Changelog

I didn't add a ucr variable to ignore this error because the system would not be able to start slapd.

Comment #7 (Felix Botner):
preup.sh
> The signature algorithm used can be set with:"
> ucr set ssl/default/hashfunction=sha256"

on the UCS master, I think we should mention this

Comment #8 (Jürn Brodersen):
(In reply to Felix Botner from comment #7)
> preup.sh
> > The signature algorithm used can be set with:"
> > ucr set ssl/default/hashfunction=sha256"
>
> on the UCS master, I think we should mention this

2c8f098a: improve error message in preup.sh and changelog

(In reply to Jürn Brodersen from comment #8)
> (In reply to Felix Botner from comment #7)
> > preup.sh
> > > The signature algorithm used can be set with:"
> > > ucr set ssl/default/hashfunction=sha256"
> >
> > on the UCS master, I think we should mention this
>
> 2c8f098a: improve error message in preup.sh and changelog

please check if cert_path exists before the openssl command (unjoined systems)

37549c1f: check if certificate exists

OK - preup
OK - changelog

UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".
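As an added example that is not UCS's preup.sh nor any of the commits referenced in this bug, the following POSIX shell script implements the pre-update check the thread converges on: read the signature algorithm from `openssl x509 -text`, refuse to continue when it is MD5-based (it matches any `md5*` algorithm name, slightly more general than the single `md5WithRSAEncryption` value named in the summary), skip the check when the certificate file is absent on an unjoined system, and print the hint from comment #7 about setting `ssl/default/hashfunction` on the UCS master. The function names, the constructed sample output and the certificate path argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not UCS's own preup.sh: refuse to update when the host
# certificate is signed with an MD5-based algorithm. Function names, the
# sample text and the certificate path argument are assumptions.

# Constructed excerpt of `openssl x509 -noout -text` output for a
# certificate signed with MD5 (not taken from a real system).
SAMPLE_MD5_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Example CA
    Signature Algorithm: md5WithRSAEncryption'

# Read `openssl x509 -text` output on stdin and print the first
# "Signature Algorithm:" value (the one inside the TBS part; openssl
# prints it again before the signature bytes, and both must agree).
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Return 0 when the algorithm is acceptable, 1 when it is MD5-based.
check_sig_alg() {
    case "$1" in
        md5*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Mirror the two points raised in the bug: skip the check when the
# certificate file does not exist (unjoined system), otherwise inspect it
# and, on failure, tell the admin where the hash function is configured.
check_host_cert() {
    cert_path="$1"
    if [ ! -f "$cert_path" ]; then
        return 0
    fi
    alg=$(openssl x509 -in "$cert_path" -noout -text | sig_alg_from_text)
    if check_sig_alg "$alg"; then
        return 0
    fi
    cat >&2 <<EOF
ERROR: $cert_path is signed with $alg; the update cannot continue.
The signature algorithm used can be set with:
    ucr set ssl/default/hashfunction=sha256
on the UCS master. Afterwards renew the certificates, see
https://help.univention.com/t/renewing-the-ssl-certificates/37
EOF
    return 1
}

# Stand-alone demonstration on the constructed sample text:
#   sh check_cert_sigalg.sh --demo
if [ "${1:-}" = "--demo" ]; then
    alg=$(printf '%s\n' "$SAMPLE_MD5_TEXT" | sig_alg_from_text)
    echo "sample certificate uses: $alg"
    if check_sig_alg "$alg"; then echo "acceptable"; else echo "rejected"; fi
fi
```

In a real preup hook, `check_host_cert` would be called with the host certificate path and the update aborted on a non-zero return; the file-existence test comes first so that an unjoined system, which has no certificate yet, is not blocked by a spurious openssl error.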