Bug 46203

Summary: Wrong permissions after renewing the ssl certificates
Product: UCS
Reporter: Christina Scheinig <scheinig>
Component: SSL
Assignee: Jürn Brodersen <brodersen>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: brodersen, gohmann, grandjean, requate
Version: UCS 4.2
Target Milestone: UCS 4.3-0-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018012221000563
Bug group (optional):
Max CVSS v3 score:

Description Christina Scheinig univentionstaff 2018-01-31 14:07:06 CET
Newly generated computer certificates, as described in

https://help.univention.com/t/renewing-the-ssl-certificates/37
_________________________________________________________________________________
eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done
_________________________________________________________________________________

do not have the right file permissions set for the 'DC Backup Hosts' group.
Before renewing the certificates the permission was set to
-rw-r----- backup$ DC Backup Hosts

After renewing the certificates the permission is set to
-rw------- backup$ DC Backup Hosts

The backup server could not copy the certificate via cronjob.

This causes a lot of trouble if a backup2master was done twice.
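The permission drift the description shows (-rw-r----- becoming -rw-------) can be detected, and undone, with a small check like the one below. This is an added example, not code from the bug report or from the univention-ssl package; it assumes the per-host certificate directories sit directly under the SSL base directory (as in /etc/univention/ssl/<fqdn>/ on UCS), that GNU stat is available, and it takes the base directory and the expected group as arguments so it can be tried on a copy of the tree first.

```shell
#!/bin/sh
# Added example (not part of the bug report or of univention-ssl).
# Assumed layout: BASE/<fqdn>/... holds each host's certificate files, as in
# /etc/univention/ssl/<fqdn>/ on UCS; GROUP is the group that must keep read
# access, "DC Backup Hosts" on a UCS domain controller. Uses GNU stat.

# file_ok FILE GROUP: succeeds when FILE is group-readable and owned by GROUP.
file_ok() {
    case "$(stat -c '%A' "$1")" in                 # e.g. -rw-r----- or -rw-------
        ????r*) [ "$(stat -c '%G' "$1")" = "$2" ] ;;   # 5th char is the group read bit
        *)      return 1 ;;
    esac
}

# check_ssl_perms BASE GROUP: prints "PERMS GROUP PATH" for every file under
# BASE/*/ that lost group read or carries the wrong group, i.e. the state the
# description shows after "univention-certificate renew". Returns 1 if any.
check_ssl_perms() {
    _rc=0
    for _f in "$1"/*/*; do
        [ -f "$_f" ] || continue
        if ! file_ok "$_f" "$2"; then
            printf '%s %s %s\n' "$(stat -c '%A' "$_f")" "$(stat -c '%G' "$_f")" "$_f"
            _rc=1
        fi
    done
    return "$_rc"
}

# fix_ssl_perms BASE GROUP: restores the pre-renewal state (group GROUP plus
# group read) on the offending files only; owner and "other" bits are untouched.
fix_ssl_perms() {
    for _f in "$1"/*/*; do
        [ -f "$_f" ] || continue
        file_ok "$_f" "$2" && continue
        chgrp "$2" "$_f" && chmod g+r "$_f"
    done
}

# Usage on a UCS master: ./check_ssl_perms.sh /etc/univention/ssl "DC Backup Hosts"
if [ $# -eq 2 ]; then
    check_ssl_perms "$1" "$2" && echo "all certificate files readable by group '$2'"
fi
```

Running the check from the same cron job that performs ssl-sync turns a silent copy failure into a visible report of which host directory lost group read.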
Comment 1 Michael Grandjean univentionstaff 2018-02-07 11:28:08 CET
Basically, renewing certificates breaks the "ssl-sync". This invalidates a main feature of the UCS Backup role (having a copy of the SSL-PKI) that is essential for (but not limited to) the backup2master process.
Comment 2 Jürn Brodersen univentionstaff 2018-03-22 12:36:46 CET
[4.3-0 94b8d38496] Bug #46203: Fix file permissions after certificate renewal
[4.3-0 5985c9de5c] Bug #46203: YAML
Comment 3 Jürn Brodersen univentionstaff 2018-04-17 16:06:57 CEST
[4.3-0 c1d637d321] Bug #46203: Fix stderr redirect
[4.3-0 015255317f] Bug #46203: YAML


Package: univention-ssl
Version: 12.0.0-6A~4.3.0.201804171604
Branch: ucs_4.3-0
Scope: errata4.3-0
Comment 4 Arvid Requate univentionstaff 2018-04-18 18:56:21 CEST
Ok.
Comment 5 Quality Assurance univentionstaff 2018-05-04 16:42:59 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-ssl_12.0.0-1A~4.3.0.201712120222.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/univention-ssl_12.0.0-7A~4.3.0.201805022244.dsc
@@ -1,6 +1,30 @@
-12.0.0-1A~4.3.0.201712120222 [Tue, 12 Dec 2017 02:22:07 +0100] Univention builddaemon <buildd@univention.de>:
+12.0.0-7A~4.3.0.201805022244 [Wed, 02 May 2018 22:44:47 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+12.0.0-7 [Wed, 02 May 2018 16:57:50 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-6 [Tue, 17 Apr 2018 16:01:34 +0200] Jürn Brodersen <brodersen@univention.de>:
+
+  * Bug #46203: Fix stderr redirect
+
+12.0.0-5 [Wed, 11 Apr 2018 17:13:25 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-4 [Wed, 11 Apr 2018 17:07:30 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-3 [Wed, 11 Apr 2018 17:02:58 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-2 [Thu, 22 Mar 2018 12:17:10 +0100] Jürn Brodersen <brodersen@univention.de>:
+
+  * Bug #46203: Fix file permissions after certificate renewal
 
 12.0.0-1 [Mon, 11 Dec 2017 14:40:48 +0100] Jürn Brodersen <brodersen@univention.de>:
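Review bot: The entries for 12.0.0-3, 12.0.0-4, 12.0.0-5 and 12.0.0-7 all carry the identical line `  * Bug #45472: handle expired certificates`, so the changelog gives no way to tell what changed between those four uploads; each entry should state its own change (or the repeated rebuilds should be folded into one entry), so that anyone tracing the errata knows which version actually delivers the fix.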
Comment 6 Arvid Requate univentionstaff 2018-05-09 14:21:11 CEST
<http://errata.software-univention.de/ucs/4.3/33.html>