Univention Bugzilla – Bug 40927
Make SSL certificate for SAML server configurable
Last modified: 2017-09-20 15:03:52 CEST
It should be possible to change the Apache config of /etc/univention/templates/files/etc/apache2/sites-available/univention-saml and make it possible to change the directives:
* SSLCertificateFile
* SSLCertificateKeyFile
* SSLCACertificateFile
and (not present by default):
* SSLCertificateChainFile
by a UCR variable. See also: http://forum.univention.de/viewtopic.php?f=48&t=4897
requested again by @school customer
@Jürn: could create a patch for this, when you've got some time.
Requested again.
For the affected customers it is really difficult, so I raised the "feel" flag.
Please also check the 92univention-management-console-web-server.inst join script and the script /etc/univention/templates/modules/setup_saml_sp.py. One of the customers reported the curl command uses the ucsCA.
(In reply to Stefan Gohmann from comment #5)
> Please also check the 92univention-management-console-web-server.inst join script and the script /etc/univention/templates/modules/setup_saml_sp.py.
> One of the customers reported the curl command uses the ucsCA.
Yes, this is because Bug #39179 was unfixed at that time.
I don't see any options for our customers to solve it. Thus, I increased the "feel" flag once again because they are blocked.
https://git.knut.univention.de/univention/ucs/tree/fbest/40927-saml-certificate
The certificates are now configurable via UCR-Variables similar to the one for the regular apache configuration: +[saml/apache2/ssl/certificate] +Description[de]=Der absolute Pfad zur SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$domainname/cert.pem). +Description[en]=The absolute path to the SSL certificate file for mod_ssl of the SAML virtualhost. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/cert.pem). +Type=str +Categories=saml + +[saml/apache2/ssl/key] +Description[de]=Der absolute Pfad zum privaten RSA/DSA-Schlüssel der SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Der Schlüssel muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$doma +Description[en]=The absolute path to the private RSA/DSA key of the SSL certificate file for mod_ssl of the SAML virtualhost. The key needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/privat +Type=str +Categories=saml + +[saml/apache2/ssl/ca] +Description[de]=Der absolute Pfad zum Zertifikat der Zertifizierungsstelle (CA) für mod_ssl. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucsCA/CAcert.pem). +Description[en]=The absolute path to the certificate of the certificate authority (CA) for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucsCA/CAcert.pem). +Type=str +Categories=saml + +[saml/apache2/ssl/certificatechain] +Description[de]=Der Pfad zu einer Datei mit den CA-Zerifikaten. 
Diese werden dem Clientbrowser eines Benutzers übermittelt, damit ein Zertifikat für die Authentifizierung des Benutzers ausgewählt werden kann, das von einer dieser CAs ausgestellt wurde. +Description[en]=The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs. +Type=str +Categories=saml

What I tested:
1. Configured a domain with DC Master, DC Slave, DC Backup. Installed the new packages everywhere.
2. Created some new certificates from another CA, copied them to the system.
3. ucr set saml/apache2/ssl/key=/etc/univention/ssl/saml/private.key saml/apache2/ssl/certificate=/etc/univention/ssl/saml/cert.pem saml/apache2/ssl/ca=/etc/univention/ssl/saml/ca/CAcert.pem
4. service apache2 reload
5. Opened a browser to https://slave32.saml.dev/univention/management/ and single-signed-on to every system.

univention-saml (4.0.14-10):
ccef254f42c6f15f966cd3951efebe3f2ce49845 | Merge branch 'fbest/40927-saml-certificate' into 4.2-2
8a5e4f4ddcdef843fb388cf8f6e480e4b084db13 | Bug #40927: make SAML apache certificate configurable
univention-saml.yaml:
87f5615c4bb3e0b6db05a3e88b8a3bb0a9612e7a | YAML Bug #40927
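Review bot: the Description[en] and Description[de] for saml/apache2/ssl/key say that when the variable is unset "the certificate from the UCS CA is used", but this entry configures the private key, and the default path it points to is the key file under the ucs-sso directory, not cert.pem; reword it to "the private key from the UCS CA is used". The Description for saml/apache2/ssl/certificatechain describes a list of CA certificates sent to the browser so the user can pick a client certificate, which is what SSLCACertificateFile does; SSLCertificateChainFile, the directive this bug asks to make configurable, carries the intermediate CA certificates that complete the server certificate's chain, so the text should say that and, like the other three entries, state that the file must be PEM-encoded. Minor: saml/apache2/ssl/ca says "for mod_ssl" while the other entries say "for mod_ssl of the SAML virtualhost"; keep them consistent.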
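Before setting the three UCR variables from step 3, a practitioner would want to confirm that the certificate, key and CA file actually fit together, because a key/certificate mismatch or a CA that did not issue the certificate only shows up after the reload, when the SAML virtualhost stops serving. The following shell script is an added example, not code from this bug or from Univention; it assumes only that openssl is on PATH and generates its own throwaway CA, server certificate and unrelated key into a temporary directory as constructed input.

```sh
#!/bin/sh
# Added example, not Univention's own code: sanity-check a certificate, private key
# and CA file before pointing saml/apache2/ssl/certificate, saml/apache2/ssl/key and
# saml/apache2/ssl/ca at them, so a bad triple is caught before "service apache2 reload".
# Assumes: openssl on PATH. All key material below is generated on the fly into a
# temporary directory as constructed sample input; no real UCS files are touched.
set -eu

# check_saml_tls_files CERT KEY CA
# Returns 0 when all three are readable PEM files, KEY belongs to CERT, and CA
# verifies CERT (the properties mod_ssl needs for the SAML virtualhost).
check_saml_tls_files() {
    cert=$1; key=$2; ca=$3
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # mod_ssl wants PEM; these parse attempts fail on DER, PKCS#12 or garbage
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "not a PEM certificate: $cert" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "not a PEM private key: $key" >&2; return 1; }
    openssl x509 -in "$ca" -noout 2>/dev/null || { echo "not a PEM CA certificate: $ca" >&2; return 1; }
    # key/certificate pairing: the SubjectPublicKeyInfo derived from each must be identical
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    # trust: the CA given in saml/apache2/ssl/ca must actually have issued the certificate
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "CA does not verify certificate" >&2; return 1; }
    return 0
}

# make_sample_pki DIR: constructed test data -> DIR/ca.pem, DIR/srv.pem, DIR/srv.key,
# plus DIR/other.key and DIR/other-ca.pem that deliberately do not belong to srv.pem.
make_sample_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example SAML CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs-sso.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/srv.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
}

# Demo on the constructed sample input
demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
check_saml_tls_files "$demo_dir/srv.pem" "$demo_dir/srv.key" "$demo_dir/ca.pem" && echo "OK: files in $demo_dir fit together"
```

To use it on a real system, call check_saml_tls_files with the three paths you intend to put into saml/apache2/ssl/certificate, saml/apache2/ssl/key and saml/apache2/ssl/ca before running ucr set. The check does not cover what the browser receives: if the certificate was issued by an intermediate CA, the intermediates still have to be served to clients, which is the part of this bug that the SSLCertificateChainFile directive addresses.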
Looks good.
What I tested:
On master, backup, slave: ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
On master, backup: moved the certificates under /etc/univention/ssl/ucs-sso.univention.intranet to /tmp, ucr set saml/apache2/ssl/..., restarted apache -> OK
On master, backup, slave: ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
On master, backup: moved the certs back, unset saml/apache2/ssl/..., restarted apache -> OK
On master, backup, slave: ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
YAML -> OK
<http://errata.software-univention.de/ucs/4.2/170.html>