Bug 41230 - Servercertificate is revoked and new generated if a Memberserver is moved in the ldap directory
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.1-2-errata
Assigned To: Philipp Hahn
QA Contact: Janek Walkenhorst
Depends on:
Blocks:
Reported: 2016-05-10 08:52 CEST by Christina Scheinig
Modified: 2016-09-29 21:43 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016050921000325
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Description Christina Scheinig univentionstaff 2016-05-10 08:52:21 CEST
A customer reported that moving a member server in the LDAP directory revokes the existing server certificate and generates a new one.
The old, now invalid certificate is still located on the member server and used by the web server.

Ticket#2016050921000325

I could reproduce it in my test environment with a slave as well.


Extract from listener.log:

Revoke certificate: ucs-411-slave.sunshine.local
Using configuration from openssl.cnf
Revoking Certificate 07.
Data Base Updated
unable to write 'random state'
Using configuration from openssl.cnf
unable to write 'random state'
Creating certificate: ucs-411-slave.sunshine.local
no certificate for ucs-411-slave.sunshine.local registered
Generating RSA private key, 2048 bit long modulus
........................+++
........................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'DE'
localityName          :PRINTABLE:'DE'
organizationName      :PRINTABLE:'sunshine'
organizationalUnitName:PRINTABLE:'Univention Corporate Server'
commonName            :PRINTABLE:'ucs-411-slave.sunshine.local'
emailAddress          :IA5STRING:'ssl@sunshine.local'
Certificate is to be certified until Apr 21 20:36:24 2021 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
Comment 1 Michael Grandjean univentionstaff 2016-05-10 08:59:17 CEST
In addition:
The revoking also updates the CRL. Any service checking the CRL will now refuse to connect to the member server which still uses the old (now revoked) certificate.

I guess this applies to all computer objects matching the filter in gencertificate.py:

> filter = '(|' + \
>                 '(objectClass=univentionDomainController)' + \
>                 '(objectClass=univentionClient)' + \
>                 '(objectClass=univentionMobileClient)' + \
>                 '(objectClass=univentionCorporateClient)' + \
>                 '(objectClass=univentionMemberServer))'
Comment 2 Stephan Hendl 2016-05-10 10:41:24 CEST
(In reply to Michael Grandjean from comment #1)

> The revoking also updates the CRL. Any service checking the CRL will now
> refuse to connect to the memberserver who still uses the old (now revoked)
> certificate.

Yes, e.g. IE 11 checks the CRL by default if there is a CRL distribution point configured in the certificate. And we fell into that trap...
Comment 3 Philipp Hahn univentionstaff 2016-06-22 13:49:22 CEST
Currently no CRL-Distribution-Point is configured by default. Bug #34285

The bug is in univention-ssl/gencertificate.py which does not handle moves.
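Added illustration of the failure mode described in this bug; this is not the gencertificate.py from univention-ssl and not the fix that was committed. It assumes (as a model of the UCS listener API) that a move of an LDAP object is delivered to a handler as a removal call with command `'r'` at the old DN followed by an add call with command `'a'` at the new DN, while a genuine deletion arrives as `'d'`. The `CertStore` class, the `domain` attribute and the DNs are constructed stand-ins. The naive handler reproduces the log shown in the description (revoke, then regenerate); the move-aware handler keeps the certificate, so nothing lands on the CRL and the file already on the host stays valid.

```python
"""Toy listener handlers contrasting delete-like and move-aware handling of
computer objects whose host certificates are managed by a listener module.
Assumption: a move arrives as 'r' (old DN) then 'a' (new DN); 'd' is a real
deletion. Everything here is constructed for illustration."""


class CertStore:
    """Constructed stand-in for the CA: certificates keyed by host FQDN."""

    def __init__(self):
        self.certs = {}        # fqdn -> serial of the current certificate
        self.revoked = []      # serials that would be written to the CRL
        self._next_serial = 1

    def create(self, fqdn):
        serial = self._next_serial
        self._next_serial += 1
        self.certs[fqdn] = serial
        return serial

    def revoke(self, fqdn):
        serial = self.certs.pop(fqdn)
        self.revoked.append(serial)
        return serial


def fqdn_of(attrs):
    """Build the certificate CN as cn.domain (attribute names are assumed)."""
    return '%s.%s' % (attrs['cn'][0], attrs['domain'][0])


class NaiveHandler:
    """Behaviour reported in this bug: the removal half of a move is treated
    like a deletion, so the certificate is revoked and then regenerated."""

    def __init__(self, store):
        self.store = store

    def __call__(self, dn, new, old, command):
        if command in ('d', 'r'):
            self.store.revoke(fqdn_of(old))
        elif command == 'a':
            self.store.create(fqdn_of(new))


class MoveAwareHandler:
    """Fix sketch: remember the host seen in the 'r' call and, when the
    matching 'a' arrives for the same FQDN, keep the existing certificate."""

    def __init__(self, store):
        self.store = store
        self.pending_move = None   # FQDN whose 'r' half has been seen

    def __call__(self, dn, new, old, command):
        if command == 'r':
            self.pending_move = fqdn_of(old)      # defer: this may be a move
        elif command == 'd':
            self.store.revoke(fqdn_of(old))       # real deletion: revoke
        elif command == 'a':
            name = fqdn_of(new)
            if self.pending_move == name:
                self.pending_move = None          # same host, new DN: keep
            elif name not in self.store.certs:
                self.store.create(name)


def simulate_move(handler_cls):
    """Replay a constructed move of a slave DC into another container and
    return (serial before, serial after, revoked serials)."""
    store = CertStore()
    handler = handler_cls(store)
    attrs = {'cn': ['ucs-411-slave'], 'domain': ['sunshine.local']}
    old_dn = 'cn=ucs-411-slave,cn=dc,cn=computers,dc=sunshine,dc=local'
    new_dn = 'cn=ucs-411-slave,ou=branch,dc=sunshine,dc=local'
    handler(old_dn, attrs, {}, 'a')           # object (and cert) created
    before = store.certs[fqdn_of(attrs)]
    handler(old_dn, {}, attrs, 'r')           # move, removal half
    handler(new_dn, attrs, {}, 'a')           # move, add half
    after = store.certs[fqdn_of(attrs)]
    return before, after, list(store.revoked)


if __name__ == '__main__':
    print('naive     :', simulate_move(NaiveHandler))
    print('move-aware:', simulate_move(MoveAwareHandler))
```

With the naive handler the serial changes and the old serial is revoked, which is exactly the state the description reports: the host still serves the revoked certificate while the CRL now lists it. The move-aware variant leaves the serial untouched and the CRL empty.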
Comment 4 Philipp Hahn univentionstaff 2016-06-27 17:59:44 CEST
r70649 | Bug #41230 ssl: Handle moved computer LDAP entries
r70648 | Bug #41230 ssl: Move UID/GID loading code
r70647 | Bug #41230 ssl: Refactor common domain code
r70646 | Bug #41230 ssl: Check server role earliest
r70645 | Bug #41230 ssl: Fix switched debug output
r70644 | Bug #41230 SSL: autopep8

Package: univention-ssl
Version: 10.0.0-15.172.201606271746
Branch: ucs_4.1-0
Scope: errata4.1-2

 univention-ssl.yaml
Comment 5 Philipp Hahn univentionstaff 2016-06-27 18:48:14 CEST
r70657 | Bug #41230 test: Check moved host keeps SSL certificate
 ucs-test/tests/66_udm-computers/53_move_computer_ssl

Package: ucs-test
Version: 6.0.33-78.1492.201606271846
Branch: ucs_4.1-0
Scope: errata4.1-2
Comment 6 Janek Walkenhorst univentionstaff 2016-07-19 18:18:28 CEST
Tests: OK
Code review: OK
Advisory: OK, added missing bug number. r71101
Comment 7 Janek Walkenhorst univentionstaff 2016-07-21 15:16:15 CEST
<http://errata.software-univention.de/ucs/4.1/213.html>