Univention Bugzilla – Bug 36557
Wrong read permissions under /etc/univention/ssl/
Last modified: 2017-08-08 07:10:54 CEST
In a review to the permissions under /etc/univention/ssl/ucsmaster.ucs.local directory, DC Backup Hosts should but do not have read access to these files: -rw------- 1 root DC Backup Hosts 4479 6. Okt 10:16 cert.pem -rw------- 1 root DC Backup Hosts 3275 6. Okt 10:16 openssl.cnf -rw------- 1 root DC Backup Hosts 887 6. Okt 10:16 private.key -rw------- 1 root DC Backup Hosts 838 6. Okt 10:16 req.pem
In UCS 4.0 files under the current running certificate have correct permissions: /etc/univention/ssl/ucsmaster.ucs.local: -rw-r----- 1 master$ DC Backup Hosts 4479 Sep 30 12:16 cert.pem -rw-r----- 1 master$ DC Backup Hosts 3275 Sep 30 12:16 openssl.cnf -rw-r----- 1 master$ DC Backup Hosts 887 Sep 30 12:16 private.key -rw-r----- 1 master$ DC Backup Hosts 838 Sep 30 12:16 req.pem But the old temporary ssl certificate remains in the folder: /etc/univention/ssl/unassigned-hostname.unassigned-domain: -rw------- 1 root DC Backup Hosts 4521 Sep 30 12:16 cert.pem -rw------- 1 root DC Backup Hosts 3293 Sep 30 12:16 openssl.cnf -rw------- 1 root DC Backup Hosts 887 Sep 30 12:16 private.key -rw------- 1 root DC Backup Hosts 863 Sep 30 12:16 req.pem They are not removed after renaming the host-domain names, and have wrong permissions. Script "101_permissions_after_renew_ssl_certificate" written for Bug #34081 can trigger this bug. Please give a comment to remove skipping this specific folder in that script after fixing this bug.
So the actual master SSL certificate is not affected → lowering target milestone. New target of this bug: the temporary SSL certificate (and related files) should be removed during/after installation (→ /etc/univention/ssl/unassigned-hostname.unassigned-domain)
This also spams /var/log/univention/ssl-sync.log on DC Backups. For every sync attempt (default is every 20 minutes), the following is logged: > rsync: opendir "/etc/univention/ssl/unassigned-hostname.unassigned-domain" failed: Permission denied (13) > IO error encountered -- skipping file deletion > rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1536) [generator=3.0.9]
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
This issue has been filed against UCS 3.2. UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.