Univention Bugzilla – Bug 43576
univention-certificate renew fails if hostname is substring of other host
Last modified: 2017-02-22 12:48:43 CET
+++ This bug was initially created as a clone of Bug #32763 +++

Assuming an environment with the following UCS-hosts:

host.domain.tld
anotherhost.domain.tld

"univention-certificate renew -name host.domain.tld ..." will fail with "Error opening ucsCA/certs ..." because the routine tries to handle non-existing filenames.

This is caused by the usage of grep (line 338) in function renew_cert of /usr/share/univention-ssl/make-certificates.sh as it also matches for "anotherhost.domain.tld".

Line 387 in function revoke_cert shows the same problem.
Backport required.
Added "-w" (select only those lines containing matches that form whole words) to the grep commands in make-certificates.sh.

Branch: ucs_3.3-0
Scope: errata3.3-1

univention-ssl 8.100.0-1.181.201702211021
univention-ssl.yaml
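Added example (not part of the bug report and not code from make-certificates.sh): the substring match described above, the "-w" fix, and an exact comparison of the CN, run over a constructed index. The index layout, the sample host "my-host.domain.tld" and the function names are assumptions made for illustration; the script's actual grep pattern is not shown on this page.

```shell
#!/bin/sh
# Constructed sample in OpenSSL CA index.txt layout (tab-separated: status,
# expiry, revocation date, serial, filename, subject DN). Assumption: the
# lookup runs over a file like this; the real grep pattern is not on the page.
make_index() {
    printf 'V\t270101000000Z\t\t01\tunknown\t/C=DE/O=Example/CN=host.domain.tld/emailAddress=ssl@domain.tld\n'
    printf 'V\t270101000000Z\t\t02\tunknown\t/C=DE/O=Example/CN=anotherhost.domain.tld/emailAddress=ssl@domain.tld\n'
    printf 'V\t270101000000Z\t\t03\tunknown\t/C=DE/O=Example/CN=my-host.domain.tld\n'
}

# Substring match (the reported behaviour): every name containing $1 is hit.
serials_plain() { make_index | grep -- "$1" | cut -f4 | paste -sd, -; }

# Whole-word match (the fix): 'anotherhost' no longer matches, but '-' is not
# a word character, so 'my-host.domain.tld' still does.
serials_word() { make_index | grep -w -- "$1" | cut -f4 | paste -sd, -; }

# Exact match: split the subject DN on '/' and compare the CN component as a
# literal string, so neither substrings nor regex metacharacters ('.') matter.
serials_exact() {
    make_index | awk -F'\t' -v want="CN=$1" '{
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++) if (rdn[i] == want) { print $4; break }
    }' | paste -sd, -
}

# Print the serials each lookup strategy selects for the same host name.
for f in serials_plain serials_word serials_exact; do
    printf '%-14s %s\n' "$f" "$("$f" host.domain.tld)"
done
```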
OK: errata-announce -V --only univention-ssl.yaml
OK: univention-ssl.yaml
OK: r76896 r76898
OK: dpkg-query -W univention-ssl # 8.100.0-1.181.201702211021
OK:
 univention-certificate new -name foo.ucsmaster.ucs.local
 univention-certificate revoke -name foo.ucsmaster.ucs.local
 apt-get install univention-ssl
 univention-certificate renew -name foo.ucsmaster.ucs.local -days 7
 univention-certificate dump -name foo.ucsmaster.ucs.local
 univention-certificate revoke -name foo.ucsmaster.ucs.local
 univention-certificate list
<http://errata.software-univention.de/ucs/3.3/30.html>