Bug 43576 - univention-certificate renew fails if hostname is substring of other host
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 3.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3-1-errata
Assigned To: Felix Botner
QA Contact: Philipp Hahn
Depends on: 32763
Blocks:
Reported: 2017-02-17 17:50 CET by Michel Smidt
Modified: 2017-02-22 12:48 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017011121000415
Bug group (optional):
Max CVSS v3 score:


Description Michel Smidt 2017-02-17 17:50:25 CET
+++ This bug was initially created as a clone of Bug #32763 +++

Assuming an environment with the following UCS-hosts:
host.domain.tld
anotherhost.domain.tld

"univention-certificate renew -name host.domain.tld ..." will fail with "Error opening ucsCA/certs ..." because the routine tries to handle non-existing filenames.

This is caused by the usage of grep (line 338) in function renew_cert of /usr/share/univention-ssl/make-certificates.sh as it also matches for "anotherhost.domain.tld". Line 387 in function revoke_cert shows the same problem.
Comment 1 Michel Smidt 2017-02-17 17:52:02 CET
Backport required.
Comment 2 Felix Botner univentionstaff 2017-02-21 10:37:40 CET
added "-w" (select only those lines containing matches that form whole words) to the grep commands in make-certificates.sh.

Branch: ucs_3.3-0
Scope: errata3.3-1
univention-ssl 8.100.0-1.181.201702211021
univention-ssl.yaml
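
Added example, not code from make-certificates.sh or from any commenter: three lookup styles run over a constructed OpenSSL-style CA index, showing what the substring grep from the description matches, what `-w` from comment 2 changes, and that `-w` still matches a name preceded by `.` (or `-`), which an exact comparison of the CN avoids. The index layout, the sample entries and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of an OpenSSL CA index.txt (tab-separated:
# status, expiry, revocation date, serial, file name, subject DN).
# The entries are made up for this example; they are not taken from a UCS system.
sample_index() {
    printf 'V\t270217000000Z\t\t01\tunknown\t/C=DE/O=Example/CN=host.domain.tld/emailAddress=ssl@domain.tld\n'
    printf 'V\t270217000000Z\t\t02\tunknown\t/C=DE/O=Example/CN=anotherhost.domain.tld/emailAddress=ssl@domain.tld\n'
    printf 'V\t270217000000Z\t\t03\tunknown\t/C=DE/O=Example/CN=sub.host.domain.tld/emailAddress=ssl@domain.tld\n'
}

# Substring match, the behaviour reported in the description:
# every line that merely contains the name is selected.
serials_substring() {
    sample_index | grep "$1" | cut -f4 | tr '\n' ' '
}

# Whole-word match, the -w change from comment 2. "." and "-" are not word
# characters, so a name that follows one of them still counts as a whole word.
serials_word() {
    sample_index | grep -w "$1" | cut -f4 | tr '\n' ' '
}

# Exact comparison of the CN component of the subject; no regular expression,
# so neither substrings nor "." wildcards can select another host's entry.
serials_exact_cn() {
    sample_index | awk -F '\t' -v name="$1" '{
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++)
            if (rdn[i] == "CN=" name) { printf "%s ", $4; break }
    }'
}

echo "substring: $(serials_substring host.domain.tld)"
echo "grep -w:   $(serials_word host.domain.tld)"
echo "exact CN:  $(serials_exact_cn host.domain.tld)"
```

A lookup that returns more than one serial for a single name is the condition under which a renew or revoke step can act on the wrong certificate entry, so checking that exactly one entry was selected is a useful guard whichever match style is used.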
Comment 3 Philipp Hahn univentionstaff 2017-02-21 16:49:34 CET
OK: errata-announce -V --only univention-ssl.yaml
OK: univention-ssl.yaml

OK: r76896 r76898
OK: dpkg-query -W univention-ssl # 8.100.0-1.181.201702211021
OK:
 univention-certificate new -name foo.ucsmaster.ucs.local
 univention-certificate revoke -name foo.ucsmaster.ucs.local
 apt-get install univention-ssl
 univention-certificate renew -name foo.ucsmaster.ucs.local -days 7
 univention-certificate dump -name foo.ucsmaster.ucs.local
 univention-certificate revoke -name foo.ucsmaster.ucs.local
 univention-certificate list
Comment 4 Janek Walkenhorst univentionstaff 2017-02-22 12:48:43 CET
<http://errata.software-univention.de/ucs/3.3/30.html>