Bug 48025

Summary: crl-update fails through cron
Product: UCS Reporter: Christian Völker <voelker>
Component: SSL Assignee: Philipp Hahn <hahn>
Status: CLOSED DUPLICATE QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal    
Priority: P5 CC: andree.hingst, gohmann, grandjean, hahn, stephan.hendl
Version: UCS 4.3   
Target Milestone: UCS 4.3-2-errata   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=47896
What kind of report is it?: Bug Report What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429 Enterprise Customer affected?: Yes
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: 2018101921000605 Bug group (optional):
Max CVSS v3 score:

Description Christian Völker univentionstaff 2018-10-19 15:12:02 CEST
Customer sees the following in logfiles:

run-parts: /etc/cron.daily/univention-ssl exited with return code 2
/etc/cron.daily/univention-ssl-crl-update:
Using configuration from /etc/univention/ssl/openssl.cnf
ca: Error on line 32 of config file "/etc/univention/ssl/openssl.cnf"
140422915728640:error:0E065068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:519:line 32
/etc/cron.daily/univention-ssl-crl-update: line 25: echo: No such file or directory
run-parts: /etc/cron.daily/univention-ssl-crl-update exited with return code 1

This happened since https://forge.univention.org/bugzilla/show_bug.cgi?id=41013 has been applied on customer's server.
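
The "variable has no value" error in the log above is what OpenSSL reports when a config line references `$ENV::NAME` and NAME is not in the process environment; the workaround in comment 1 quotes two such lines. As an added example, not part of the original report or of UCS, here is a preflight check that lists those unset references. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report $ENV::NAME references in an OpenSSL config that are
# missing from the exported environment (what cron hands to the script).

# Constructed sample config, modelled on the two lines quoted in comment 1.
sample_cnf() {
    cat <<'EOF'
[ CA_default ]
default_crl_days = $ENV::DEFAULT_CRL_DAYS
default_md       = $ENV::DEFAULT_MD
# old_setting    = $ENV::IGNORED_IN_COMMENT
EOF
}

# Print each distinct NAME used as $ENV::NAME, ${ENV::NAME} or $(ENV::NAME)
# outside comments in the config file $1.
env_refs() {
    sed -e 's/#.*$//' "$1" |
        grep -oE '\$[{(]?ENV::[A-Za-z_][A-Za-z0-9_]*' |
        sed -e 's/^.*ENV:://' | sort -u
}

# Print the referenced names that are not exported; return 1 if any is missing.
missing_env_refs() {
    missing=0
    for name in $(env_refs "$1"); do
        # Look at the exported environment, which is what openssl inherits.
        if ! env | grep -q "^${name}="; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Demo: with both variables unset, as under cron, both names are reported.
cfg=$(mktemp)
sample_cnf > "$cfg"
( unset DEFAULT_CRL_DAYS DEFAULT_MD
  missing_env_refs "$cfg" ) || echo "unset: 'openssl ca' would stop with 'variable has no value'"
rm -f "$cfg"
```

Running `missing_env_refs /etc/univention/ssl/openssl.cnf` at the top of a cron script turns the OpenSSL parse error into a named list of variables to export.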
Comment 1 Christian Völker univentionstaff 2018-10-19 15:13:55 CEST
Workaround available:

--- /root/univention-ssl-crl-update     2018-10-19 14:41:07.420393123 +0200
+++ ./univention-ssl-crl-update 2018-10-19 14:46:21.217069038 +0200
@@ -1,8 +1,16 @@
#!/bin/bash
+set -x
 
#update crl in case of getting invalid after 30 days
#Univention [Ticket#2014082721000898]
 
+#use UCR values in /etc/univention/ssl/openssl.cnf
+#default_crl_days    = $ENV::DEFAULT_CRL_DAYS
+#default_md          = $ENV::DEFAULT_MD
+
+export DEFAULT_CRL_DAYS=$(ucr shell ssl/crl/validity | awk -F= '{ print $2 }')
+export DEFAULT_MD=$(ucr shell ssl/default/hashfunction | awk -F= '{ print $2 }')
+
nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"
 
today="$(date -u '+%s')"
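Review bot: The `set -x` added at the top of the hunk should be removed before this runs from cron, because every run will then write a full command trace to stderr, which cron mails or logs. In the two `export` lines, splitting `ucr shell` output with `awk -F= '{ print $2 }'` keeps any quoting that `ucr shell` emits and cuts off a value that itself contains `=`; `ucr get ssl/crl/validity` and `ucr get ssl/default/hashfunction` return the bare value directly. Neither export has a fallback, so if a UCR variable is unset the script hands openssl an empty `default_crl_days` or `default_md`; check for an empty result and exit with a clear message instead.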
Comment 2 Philipp Hahn univentionstaff 2018-10-30 15:58:03 CET
Probably not a product bug, as the script is not part of UCS.
Probably a duplicate of Bug #47896.
Waiting for feedback from customer.
Comment 3 Stephan Hendl 2018-10-30 16:29:34 CET
Well, the script was originally written by Janis Meybohm from Univention staff some years ago. If "/etc/cron.daily/univention-ssl" does the same - we can ignore the other one.
Comment 4 Philipp Hahn univentionstaff 2018-10-30 16:37:19 CET
(In reply to Stephan Hendl from comment #3)
> Well, the script was originally written by Janis Meybohm from Univention
> staff some years ago. If "/etc/cron.daily/univention-ssl" does the same - we
> can ignore the other one.

The functionality to update the CRL is now part of "/etc/cron.daily/univention-ssl" and the update interval in days can be configured through the UCRV "ssl/crl/interval".
As the package currently has a bug, I close this bug as a duplicate of Bug #47896

*** This bug has been marked as a duplicate of bug 47896 ***
Comment 5 Stefan Gohmann univentionstaff 2018-11-07 09:26:51 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2018-11-07 09:27:06 CET
Nothing to release