Bug 55030

Summary: /etc/cron.daily/univention-ssl exited with return code 2
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: SSL
Assignee: Èric Monné Mesalles <monne-mesalles.extern>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal
Priority: P5
CC: ahlers, damrose, duchon, grandjean, hahn, office, radovanovic.extern, riess82, schnick, tpfannholzer, voelker
Version: UCS 5.0   
Target Milestone: UCS 5.0-2-errata   
Hardware: Other   
OS: Linux   
URL: https://help.univention.com/t/openvpn-crl-expired-no-client-access/9983
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022070421000275, 2022070521000335
Bug group (optional): bitesize, External feedback
Max CVSS v3 score:
Bug Depends on: 47896, 54932    
Bug Blocks:    

Description Philipp Hahn univentionstaff 2022-07-26 09:33:58 CEST
+++ This bug was initially created as a clone of Bug #54932 +++

This seems to be a regression.

After updating univention-ssl to version 14.0.2-3A~5.0.0.202206071244, every night job creates an e-mail with the following content:

<CONTENT>

"run-parts: /etc/cron.daily/univention-ssl exited with return code 2"

</CONTENT>


Additional environment information:

~# univention-app info
UCS: 5.0-1 errata342

~# apt info univention-ssl
Package: univention-ssl
Version: 14.0.2-3A~5.0.0.202206071244
Priority: optional
Section: univention
Maintainer: Univention GmbH <packages@univention.de>
Installed-Size: 96,3 kB
Depends: openssl, python3-m2crypto, python3-univention-lib, shell-univention-lib (>= 3.0.1-1), univention-directory-listener, univention-ssh, univention-config (>= 7.0.25)
Recommends: rdate
Download-Size: 23,0 kB
APT-Manual-Installed: no
APT-Sources: https://updates.software-univention.de errata501/main amd64 Packages


~# sh /etc/cron.daily/univention-ssl || echo "$?"
2
~# bash /etc/cron.daily/univention-ssl && echo "$?"
0





+++ This bug was initially created as a clone of Bug #47896 +++

Users report an error level from univention-ssl.

Doing some investigation I got the following debug output:

+ . /usr/share/univention-lib/ucr.sh
+ is_ucr_false ssl/validity/check
+ local value
+ /usr/sbin/univention-config-registry get ssl/validity/check
+ value=yes
+ tr [:upper:] [:lower:]
+ echo -n yes
+ return 1
+ univention-certificate-check-validity
+ check_gen_crl
+ local interval crl=/etc/univention/ssl/ucsCA/crl/crl.pem
+ ucr get server/role
+ [ domaincontroller_master = domaincontroller_master ]
+ ucr get ssl/crl/interval
+ interval=7
+ [ 7 -ge 1 ]
+ [ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]
+ find /etc/univention/ssl/ucsCA/crl/crl.pem -mtime -7
+ [ -n  ]
+ . /usr/share/univention-ssl/make-certificates.sh
+ SSLBASE=/etc/univention/ssl
+ CA=ucsCA
+ /usr/sbin/univention-config-registry get ssl/crl/validity
+ DEFAULT_CRL_DAYS=10
+ : 10
+ /usr/sbin/univention-config-registry get ssl/default/days
+ DEFAULT_DAYS=1825
+ : 1825
+ /usr/sbin/univention-config-registry get ssl/default/hashfunction
+ DEFAULT_MD=sha256
+ : sha256
+ /usr/sbin/univention-config-registry get ssl/default/bits
+ DEFAULT_BITS=2048
+ : 2048
+ export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+ test -e /etc/univention/ssl/password
+ cat /etc/univention/ssl/password
+ PASSWD=M7NBxxxxx2tZ0aprRdJ3
/etc/cron.daily/univention-ssl: 438: /usr/share/univention-ssl/make-certificates.sh: Syntax error: redirection unexpected

Comment 1 Philipp Hahn univentionstaff 2022-07-26 09:36:28 CEST
[5.0-2] c26ecdc2ba Bug #54932: Fix cron task, create errata and changelog
 base/univention-ssl/debian/changelog                 |  6 ++++++
 base/univention-ssl/debian/univention-ssl.cron.daily |  9 +++++++--
 base/univention-ssl/debian/univention-ssl.postinst   |  9 ++++++---
 base/univention-ssl/extensions-example.sh            |  4 +++-
 base/univention-ssl/ssl-sync                         |  5 ++---
 base/univention-ssl/tests/common.sh                  | 26 ++++++++++++++++++++++----
 base/univention-ssl/tests/test_defaults              |  3 ++-
 base/univention-ssl/tests/test_host_expired          |  7 ++++---
 base/univention-ssl/tests/test_host_fqdn             |  7 ++++---
 base/univention-ssl/tests/test_host_hook             |  3 ++-

[5.0-2] 42d82c1a6c Bug #54697: univention-ssl 14.0.2-5A~5.0.0.202207251753
 doc/errata/staging/univention-ssl.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

OK: apt-get install -t apt univention-ssl
OK: head -n 1 /etc/cron.daily/univention-ssl
OK: touch -d @0 /etc/univention/ssl/ucsCA/crl/crl.pem && /etc/cron.daily/univention-ssl && ls -l /etc/univention/ssl/ucsCA/crl/crl.pem
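
The trace in the description fails inside a file that the cron job sources with `.`, and the `sh` versus `bash` runs show that the interpreter decides the outcome. The following is an added example, not code from univention-ssl or from the fix for this bug: a heuristic POSIX-shell check that flags here-strings and process substitution in a `sh` script and in the files it sources. All function and file names are hypothetical, and because the page does not show line 438 of make-certificates.sh, the here-string in the constructed sample is an assumption.

```sh
#!/bin/sh
# Added example, not part of univention-ssl. Text heuristic only: it does not
# parse shell, so quoted strings or comments containing "<<<" are also flagged.

# Interpreter basename from the shebang ("#!/usr/bin/env bash" -> bash).
shebang_interp() {
    set -- $(head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p') "" ""
    case $1 in */env) echo "${2##*/}" ;; *) echo "${1##*/}" ;; esac
}

# Literal absolute paths that the script pulls in with ". /path".
sourced_files() {
    sed -n 's|^[[:space:]]*\.[[:space:]]\{1,\}\(/[^[:space:];]*\).*|\1|p' "$1"
}

# Return 1 and print file:line:text when a sh/dash script, or a file it
# sources, contains a here-string or process substitution (bash-only syntax).
audit_script() {
    case $(shebang_interp "$1") in sh|dash) ;; *) return 0 ;; esac
    rc=0
    for f in "$1" $(sourced_files "$1"); do
        [ -f "$f" ] || continue
        if grep -nE '<<<|[<>]\(' "$f" /dev/null; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample tree (hypothetical names): one library using a
# here-string, sourced by a /bin/sh job and by a /bin/bash job.
make_samples() {
    printf '%s\n' 'read -r first <<< "$PASSWD"' > "$1/lib.sh"
    printf '%s\n' '#!/bin/sh' ". $1/lib.sh" > "$1/job-sh"
    printf '%s\n' '#!/bin/bash' ". $1/lib.sh" > "$1/job-bash"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_script "$demo_dir/job-sh" || echo "job-sh: use a bash shebang or rewrite"
audit_script "$demo_dir/job-bash" && echo "job-bash: ok"
rm -rf "$demo_dir"
```

Run over `/etc/cron.daily/*` it only follows literal absolute `.` paths, so files sourced through variables need a separate check.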