First Last Prev Next    This bug is not in your last search results.
Bug 39179 - Install UCS Root CA cert as trusted certificate on all hosts in the domain
Install UCS Root CA cert as trusted certificate on all hosts in the domain
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.0
Other Linux
: P5 normal with 1 vote (vote)
: UCS 4.1-4-errata
Assigned To: Philipp Hahn
Felix Botner
:
: 35611 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-14 13:38 CEST by Florian Best
Modified: 2016-12-21 15:32 CET (History)
8 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2015112421000635
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2015-08-14 13:38:18 CEST 
Currently the UCS root CA is not installed at least on the DC master automatically.

This causes that "wget https://$(hostname -f)" fails.

Workaround:

ln -s /usr/local/share/ca-certificates/CAcert.pem /etc/univention/ssl/ucsCA/CAcert.pem
update-ca-certificates
Comment 1 Philipp Hahn univentionstaff 2015-08-28 16:17:04 CEST 
(In reply to Florian Best from comment #0)
> ln -s /usr/local/share/ca-certificates/CAcert.pem /etc/univention/ssl/ucsCA/CAcert.pem

Arguments need to be swapped: ln -s <source> <target>
Comment 2 Michael Grandjean univentionstaff 2015-11-22 17:37:37 CET 
update-ca-certificates will only recognize files ending with *.crt as certificates. This one worked for me:

> root@ucs-7927:~# ln -s /etc/univention/ssl/ucsCA/CAcert.pem /usr/local/share/ca-certificates/ucsCA.crt
> root@ucs-7927:~# update-ca-certificates 
> Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
> Running hooks in /etc/ca-certificates/update.d....done.

See also 2015093021000271
Comment 3 Florian Best univentionstaff 2015-11-26 12:25:55 CET 
*** Bug 35611 has been marked as a duplicate of this bug. ***
Comment 4 Dirk Wiesenthal univentionstaff 2015-12-01 13:32:00 CET 
This caused some confusion on Ticket#2015112421000635
Comment 5 Dirk Wiesenthal univentionstaff 2016-04-20 10:00:42 CEST 
This is also a problem when you built a local App Center on the DC Master and use it on a Member:
  ucr set repository/app_center/server=master.my.domain
  univention-app update

will not work.

Workaround:
  ucr set repository/app_center/server=http://master.my.domain
Comment 6 Philipp Hahn univentionstaff 2016-12-05 15:46:31 CET 
UCS-4.1-4:
r74972 | Bug #39179 join: Register ucsCA as trusted CA
r74971 | Bug #39179 SSL: Register ucsCA as trusted CA
r74970 | Bug #39179 SSL: Stop extracting request for ucsCSA
UCS-4.2-0:
r74980 | Bug #39179 join: Register ucsCA as trusted CA
r74979 | Bug #39179 SSL: Register ucsCA as trusted CA
r74978 | Bug #39179 SSL: Stop extracting request for ucsCSA
YAML:
r74976 | Bug #39068,Bug #39179,Bug #42837: SSL

Package: univention-ssl
Version: 10.0.0-18.175.201612051532
Branch: ucs_4.1-0
Scope: errata4.1-4

Package: univention-join
Version: 8.0.4-6.520.201612051533
Branch: ucs_4.1-0
Scope: errata4.1-4
Comment 7 Felix Botner univentionstaff 2016-12-20 19:31:15 CET 
OK - update
 ...
 Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
 ...
 -> file /etc/ssl/certs/ucsCA.pem
/etc/ssl/certs/ucsCA.pem: symbolic link to `/usr/local/share/ca-certificates/ucsCA.crt'

OK - join
  -> file /etc/ssl/certs/ucsCA.pem
/etc/ssl/certs/ucsCA.pem: ERROR: cannot open `/etc/ssl/certs/ucsCA.pem' (No such file or directory)
  -> univention-join
  -> file /etc/ssl/certs/ucsCA.pem
/etc/ssl/certs/ucsCA.pem: symbolic link to `/usr/local/share/ca-certificates/ucsCA.crt'
   -> ls -la /usr/local/share/ca-certificates/ucsCA.crt 
lrwxrwxrwx 1 root staff 36 Dez 20 19:27 /usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

OK - univention-ssl
OK - univention-join

OK - YAML
OK - merged to 4.2-0
First Last Prev Next    This bug is not in your last search results.