Bug 47974
| Summary: | Failing /etc/ldap/dh_2048.pem renewal - LDAP server fails to start (after update to UCS-4.3) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Philipp Hahn <hahn> |
| Component: | LDAP | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
| Severity: | normal | ||
| Priority: | P5 | CC: | heidelberger, requate |
| Version: | UCS 4.3 | ||
| Target Milestone: | UCS 4.3-2-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | Bug Report | What type of bug is this?: | 7: Crash: Bug causes crash or data loss |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.200 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | 38685 | ||
| Bug Blocks: | |||
| Attachments: | Patch for Bug 38685 dropped in UCS 4.1 | ||
> + openssl gendh -out /etc/ldap/dh_2048.pem.842miSJf2Z -2 2048 > Invalid command 'gendh'; type "help" for a list. compare that with > mail/univention-mail-postfix/share/create-dh-parameter-files.sh:openssl dhparam -out /etc/postfix/dh_512.pem.tmp -2 512 Created attachment 9698 [details] Patch for Bug 38685 dropped in UCS 4.1 From "man dhparam" from OpenSSL 1.1.0: > The program dhparam combines the functionality of the programs dh and gendh in previous versions of OpenSSL. The dh and gendh programs are retained for now but may have different purposes in future versions of OpenSSL. [4.3-2] b3bd3b33ee Bug #47974: Fix generating DH parameter file management/univention-ldap/debian/changelog | 6 ++++++ .../debian/univention-ldap-server.postinst | 5 ++++- .../univention-ldap/scripts/create-dh-parameter-files | 16 ++++++++++++---- 3 files changed, 22 insertions(+), 5 deletions(-) [4.3-2] 73b3a36781 Bug #47974: Bump package version management/univention-ldap/debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Package: univention-ldap Version: 14.0.2-24A~4.3.0.201810151437 Branch: ucs_4.3-0 Scope: errata4.3-2 [4.3-2] fecc61cc59 Bug #47974: Fix generating DH parameter file YAML doc/errata/staging/univention-ldap.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) What I tested: Update -> OK create-dh-parameter-files -> OK YAML: I changed the yaml description to be a little less technical. [4.3-2 b3f074fab3] Bug #47974: Less technical yaml |
> management/univention-ldap/debian/univention-ldap-server.postinst:91:[ -f /etc/ldap/dh_2048.pem ] || cp /usr/share/univention-ldap/dh_2048.pem /etc/ldap/ For some unknown reason the file "/etc/ldap/sh_2048.pem" is empty, which prevents the LDAP server "slapd" from starting. → the test should be changed fom "-f" to "-s". For some other yet unknown reason "/usr/share/univention-ldap/create-dh-parameter-files" creates empty files when called daily from "management/univention-ldap/conffiles/etc/cron.d/univention-ldap". (I have the same on my test-VM) # sh -x /usr/share/univention-ldap/create-dh-parameter-files + set -e + umask 022 + ucr get ldap/tls/dh/paramfile + paramfile=/etc/ldap/dh_2048.pem + [ -n /etc/ldap/dh_2048.pem ] + mktemp + log=/tmp/root/tmp.Z9wyQMq9Xz + exec # tail /var/mail/systemmail Generating DH parameters, 512 bit long safe prime, generator 2 This is going to take a long time ........................................+...................++*++*++*++*++*++* unable to write 'random state' Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...........................................+....................................+...+.........................................................+....................................................................................+.............................................................................................................................................+.....+....................................................+.........................................................................+........................................++*++* unable to write 'random state'