Univention Bugzilla – Full Text Bug Listing |
Summary: | /etc/cron.daily/univention-ssl exited with return code 2 | ||
---|---|---|---|
Product: | UCS | Reporter: | Christian Völker <voelker> |
Component: | SSL | Assignee: | Jannik Ahlers <ahlers> |
Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
Severity: | normal | ||
Priority: | P5 | CC: | ahlers, damrose, grandjean, hahn, office |
Version: | UCS 4.3 | Flags: | hahn: Patch_Available+ |
Target Milestone: | UCS 4.3-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://help.univention.com/t/openvpn-crl-expired-no-client-access/9983 | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=48025 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 5: Will affect all installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.286 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | Yes | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Ticket#2018100221000851 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 54932, 55030 |
Description
Christian Völker
2018-10-02 09:40:30 CEST
make-certificates.sh uses a bash-only feature in line 438:

done <<< "$NUM"

The cronjob runs with /bin/sh and sources the file, which causes the error. The problem is that the <<< redirection is supported only in bash, not in sh.

The cronjob /etc/cron.daily/univention-ssl sources make-certificates.sh, which is written in bash (/bin/bash in hashbang), but the cronjob itself gets executed by sh. To solve this, we probably have to:
* set '#! /bin/bash' in univention-ssl.cron.daily
* set 'SHELL=/bin/bash' in /etc/crontab

Please remove the BASHism and convert it back to a POSIX script:

index 5f0f97e8ca..97a51f212c 100755 --- a/base/univention-ssl/make-certificates.sh +++ b/base/univention-ssl/make-certificates.sh @@ -422,7 +422,7 @@ renew_cert () { revoke_cert () { local fqdn="${1:?Missing argument: common name}" - local cn NUM + local cn NUM line [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" if ! NUM="$(has_cert "$cn")" 
@@ -431,11 +431,12 @@ revoke_cert () { return 2 fi - while read line; do + for line in $NUM # IFS + do if is_valid "$line"; then openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${line}.pem" -passin pass:"$PASSWD" fi - done <<< "$NUM" + done gencrl }

https://help.univention.com/t/openvpn-crl-expired-no-client-access/9983
It seems to cause issues for the OpenVPN4ucs app as well.

I applied the patch from Philipp. Also, some code cleanup has been done.

univention-ssl (12.0.0-13)
b1b87964227d | Bug #47896 SSL: Silence shellcheck
ea281d12c3ea | Bug #47896 SSL: Remove useless `cat`
a83fb1cca468 | Bug #47896 SSL: Check `cd` for success
9f4581956a93 | Bug #47896 SSL: Fix local assignments
5a78849be02e | Bug #47896 SSL: Remove unused variable
4dd78d8516c1 | Bug #47896 SSL: Add missing quoting
8effe22da1a0 | Bug #47896 SSL: Replace `` by "$()"
56919503a1e3 | Bug #47896 SSL: Remove BASHism <<<

univention-ssl (12.0.0-14)
d8969c4468f8 | Bug #47896: changelog univention-ssl.yaml
898ec142f845 | Bug #47896: YAML

Successful build
Package: univention-ssl
Version: 12.0.0-14A~4.3.0.201810181319
Branch: ucs_4.3-0
Scope: errata4.3-2

OK: apt-get install univention-ssl=12.0.0-16A~4.3.0.201810301145
FIXED: errata-announce univention-ssl.yaml
OK: univention-ssl.yaml
OK: ./debian/rules override_dh_auto_test
FIXED: sh /etc/cron.daily/univention-ssl

[4.3-2] d834519495 Bug #47896 ssl: Show error output again
base/univention-ssl/debian/changelog | 6 ++++++
base/univention-ssl/debian/univention-ssl.cron.daily | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-ssl
Version: 12.0.0-16A~4.3.0.201810301145
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] 694e243957 Bug #44469: univention-ssl 12.0.0-16A~4.3.0.201810301145
doc/errata/staging/univention-ssl.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

OK: /var/log/syslog
OK: chmod -x /usr/sbin/univention-certificate-check-validity ; sh /etc/cron.daily/univention-ssl

*** Bug 48025 has been marked as a duplicate of this bug. ***
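
Review bot: In the second hunk of the patch above (`@@ -431,11 +431,12 @@`), `for line in $NUM # IFS` expands `$NUM` unquoted, so each value is split on whatever `IFS` holds at call time and is also subject to pathname expansion, whereas the removed `while read line` loop consumed one line at a time. The `# IFS` comment acknowledges the dependency, but nothing in the hunk pins `IFS`, and the result goes straight into the `-revoke "${SSLBASE}/${CA}/certs/${line}.pem"` path. Either document that `has_cert` only ever prints tokens free of whitespace and glob characters, or keep the line-wise read in POSIX form with a here-document: `while read -r line; do ... done <<EOF`, then `$NUM`, then `EOF`.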
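
The mismatch described in the report (a /bin/sh script sourcing a file that uses `<<<`) can be checked for mechanically. The following is an added example, not code from the bug report or from univention-ssl: the function names and the temporary sample files are constructed for illustration, and only source lines of the form `. /absolute/path` are followed.

```shell
#!/bin/sh
# Added example (not from the bug report): find bash-only here-strings in
# files that a non-bash script loads with the POSIX "." command.

# Print the interpreter path from the shebang line of file $1.
interpreter_of() {
    sed -n '1s|^#![[:space:]]*\([^[:space:]]*\).*|\1|p' "$1"
}

# Print "file:line" for each "<<<" in files sourced by script $1.
# Returns 0 if $1 runs under bash or nothing was found, 1 otherwise.
check_sourced_bashisms() {
    case "$(interpreter_of "$1")" in
        */bash) return 0 ;;
    esac
    # Assumption: only lines of the form ". /absolute/path" are followed.
    report=$(
        sed -n 's|^[[:space:]]*\.[[:space:]]\{1,\}\(/[^[:space:];]*\).*|\1|p' "$1" |
        while IFS= read -r src; do
            if [ -r "$src" ]; then
                awk -v f="$src" '/<<</ { print f ":" NR }' "$src"
            fi
        done
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: a library with a here-string on line 3, sourced once
# from a /bin/sh script and once from a /bin/bash script.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat >"$demo/lib.sh" <<'EOF'
#!/bin/bash
list_serials () {
    while read line; do echo "$line"; done <<< "$1"
}
EOF
printf '#!/bin/sh\n. %s/lib.sh\n' "$demo" >"$demo/cron-sh"
printf '#!/bin/bash\n. %s/lib.sh\n' "$demo" >"$demo/cron-bash"

check_sourced_bashisms "$demo/cron-sh" || echo "bash-only syntax reachable from sh"
check_sourced_bashisms "$demo/cron-bash" && echo "cron-bash: interpreter matches"
```

The shebang of a sourced file is ignored by the shell, so the check keys on the interpreter of the calling script only.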