Univention Bugzilla – Bug 44704
SAML IdP certificate not accessible on UCS 4.2
Last modified: 2018-05-23 13:22:16 CEST
Testsystem: 10.200.6.100

root@kopano:~# univention-app info
UCS: 4.2-0 errata10
App Center compatibility: 4
Installed: kopano-core=8.2.1.530-2 kopano-webapp=3.2.0.335-19.1-2 samba4=4.6 4.1/openproject=5.0.17
Upgradable:

----------------------
Openproject is not reachable via "http://10.200.6.100/openproject/" and "https://10.200.6.100/openproject/" with Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /openproject/.
Reason: Error reading from remote server
-----------------------
Seems to happen in all SSO-ready apps (confirmed for owncloud, egroupware and openproject).
-----------------------
Apache.log

[Tue May 16 02:38:20.923822 2017] [authz_core:error] [pid 21498] [client 10.200.6.100:53880] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:45:20.796593 2017] [proxy_http:error] [pid 21501] (104)Connection reset by peer: [client 10.205.1.18:49748] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:20.797330 2017] [proxy:error] [pid 21501] [client 10.205.1.18:49748] AH00898: Error reading from remote server returned by /openproject/, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:49.480286 2017] [authz_core:error] [pid 21503] [client 10.200.6.100:54222] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:46:05.889107 2017] [mpm_prefork:notice] [pid 7635] AH00169: caught SIGTERM, shutting down
[Tue May 16 02:46:06.951126 2017] [suexec:notice] [pid 29057] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue May 16 02:46:08.017837 2017] [mpm_prefork:notice] [pid 29058] AH00163: Apache/2.4.10 (Univention) OpenSSL/1.0.2d configured -- resuming normal operations
[Tue May 16 02:46:08.017912 2017] [core:notice] [pid 29058] AH00094: Command line: '/usr/sbin/apache2'
[Tue May 16 02:47:10.031917 2017] [proxy_http:error] [pid 29063] (104)Connection reset by peer: [client 10.205.1.18:49828] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/portal/

join.log

RUNNING 50openproject.inst
2017-05-16 02:45:41.260640046+02:00 (in joinscript_init)
Object exists: cn=ldapschema,cn=univention,dc=hel,dc=kopano
INFO: No change of core data of object openproject.
No modification: cn=openproject,cn=ldapschema,cn=univention,dc=hel,dc=kopano
Waiting for activation of the extension object openproject: OK
Object exists: cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Object exists: cn=openproject-isadmin,cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Setting saml/idp/ldap/get_attributes
Multifile: /etc/simplesamlphp/authsources.php
Module: kopano-cfg
Object exists: SAMLServiceProviderIdentifier=openproject,cn=saml-serviceprovider,cn=univention,dc=hel,dc=kopano
Setting ucs/web/overview/entries/service/SP/description
Setting ucs/web/overview/entries/service/SP/label
Setting ucs/web/overview/entries/service/SP/link
Setting ucs/web/overview/entries/service/SP/priority
Module: kopano-cfg
Module: create_portal_entries
--2017-05-16 02:45:49--  https://ucs-sso.hel.kopano/simplesamlphp/saml2/idp/certificate
Auflösen des Hostnamen »ucs-sso.hel.kopano (ucs-sso.hel.kopano)«... 10.200.6.100
Verbindungsaufbau zu ucs-sso.hel.kopano (ucs-sso.hel.kopano)|10.200.6.100|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2017-05-16 02:45:49 FEHLER 403: Forbidden.
unable to load certificate
140528867223184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
EXITCODE=1
Mark all bugs with a user pain > 0.3 as errata bugs.
Created attachment 9029 [details]
Saml apache config template adjustments

The current apache2 config doesn't allow filesystem access to the idp certificate in its default location. Do we adjust the template or the default location for the certificate? I attached a proposal for the configuration template in univention-saml.
Why doesn't it allow anymore? I think it was possible in UCS 4.1.
(In reply to Florian Best from comment #3)
> Why doesn't it allow anymore? I think it was possible in UCS 4.1.

I didn't investigate the specific cause. My best guess is the change in basic directives between apache 2.4 and 2.2. For example Order and Allow vs. Require all granted.
OK, the attached patch fixes the problem for me. I tried with openproject=5.0.17. Moving this issue to SAML.
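For readers who cannot see the attachment, here is an added illustration (not the attached patch and not UCS's own template) of the 2.2-vs-2.4 access-control difference discussed above, applied to the certificate path from the Apache log. The Alias mapping is an assumption; the point is that only the certificate file becomes world-readable while the rest of /etc/simplesamlphp (which also holds authsources.php) stays denied, matching the later verification where /saml2/idp/ still returns Forbidden.

```apache
# Added example, not the attached patch: grant HTTP access to exactly one
# file, the IdP certificate, under Apache 2.4 access-control semantics.
# File path taken from the AH01630 log line in this bug; the Alias is assumed.

# Apache 2.2 style access control (Order/Allow). Under 2.4 these directives
# belong to mod_access_compat and are not the native mechanism; with the
# stock Debian "<Directory /> Require all denied" the file stays forbidden.
# <Files "ucs-sso.hel.kopano-idp-certificate.crt">
#     Order allow,deny
#     Allow from all
# </Files>

# Apache 2.4 style: the native Require directive, scoped to the one file.
Alias /simplesamlphp/saml2/idp/certificate /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt

<Directory /etc/simplesamlphp>
    # Everything in the directory stays inaccessible (authsources.php etc.)
    Require all denied

    # ... except the certificate, which is public by design (the SPs need it).
    <Files "ucs-sso.hel.kopano-idp-certificate.crt">
        Require all granted
    </Files>
</Directory>
```

A quick check after reloading Apache is the pair of curl calls used in the verification comment below: the certificate URL should return the PEM, the directory URL should still be Forbidden.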
Created attachment 9032 [details] 24_download_certificate
Comment on attachment 9032 [details]
24_download_certificate

Test for ucs-test/82_saml
@Jürn: Please commit the ucs-test with the SKIP tag.
r81298: test download of saml idp certificate
The test has the skip tag set for now
A slightly modified patch has been committed.

univention-saml (4.0.14-11)
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
1591bb4c3c3c | Bug #44704: fix certificate access permissions

ucs-test (7.0.23-3)
r81298 | Bug #44704: test download of saml idp certificate

univention-saml.yaml
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
b8f07173e39d | YAML Bug #44704
Looks good. What I tested:
"ucs-test -s saml -E dangerous" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/certificate" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/" -> Forbidden -> OK
YAML -> OK
-> Verified
<http://errata.software-univention.de/ucs/4.2/236.html>