Bug 44704 – SAML IdP certificate not accessible on UCS 4.2

Bug 44704 - SAML IdP certificate not accessible on UCS 4.2


Summary:	SAML IdP certificate not accessible on UCS 4.2

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-3-errata
Assigned To:	Florian Best
QA Contact:	Jürn Brodersen

URL:
Keywords:

Depends on:
Blocks:	45515 46186 47047
	Show dependency tree / graph

Reported:	2017-05-29 13:52 CEST by Jens Thorp-Hansen
Modified:	2018-05-23 13:22 CEST (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	4: A User would return the product
User Pain:	0.343
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2017052921000376
Bug group (optional):
Max CVSS v3 score:

Attachments
Saml apache config template adjustments (888 bytes, patch) 2017-07-14 13:01 CEST, Eduard Mai	Details \| Diff
24_download_certificate (1.65 KB, text/plain) 2017-07-14 15:19 CEST, Jürn Brodersen	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jens Thorp-Hansen

2017-05-29 13:52:54 CEST

Testsystem: 10.200.6.100

root@kopano:~# univention-app info
UCS: 4.2-0 errata10
App Center compatibility: 4
Installed: kopano-core=8.2.1.530-2 kopano-webapp=3.2.0.335-19.1-2 samba4=4.6 4.1/openproject=5.0.17
Upgradable: 

----------------------

Openproject is not reachable via "http://10.200.6.100/openproject/" and "https://10.200.6.100/openproject/" with

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /openproject/.

Reason: Error reading from remote server

-----------------------

Seems to happen in all SSO-ready apps (confirmed for owncloud, egroupware and openproject).

-----------------------
Apache.log

[Tue May 16 02:38:20.923822 2017] [authz_core:error] [pid 21498] [client 10.200.6.100:53880] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:45:20.796593 2017] [proxy_http:error] [pid 21501] (104)Connection reset by peer: [client 10.205.1.18:49748] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:20.797330 2017] [proxy:error] [pid 21501] [client 10.205.1.18:49748] AH00898: Error reading from remote server returned by /openproject/, referer: http://10.200.6.100/univention/management/
[Tue May 16 02:45:49.480286 2017] [authz_core:error] [pid 21503] [client 10.200.6.100:54222] AH01630: client denied by server configuration: /etc/simplesamlphp/ucs-sso.hel.kopano-idp-certificate.crt
[Tue May 16 02:46:05.889107 2017] [mpm_prefork:notice] [pid 7635] AH00169: caught SIGTERM, shutting down
[Tue May 16 02:46:06.951126 2017] [suexec:notice] [pid 29057] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue May 16 02:46:08.017837 2017] [mpm_prefork:notice] [pid 29058] AH00163: Apache/2.4.10 (Univention) OpenSSL/1.0.2d configured -- resuming normal operations
[Tue May 16 02:46:08.017912 2017] [core:notice] [pid 29058] AH00094: Command line: '/usr/sbin/apache2'
[Tue May 16 02:47:10.031917 2017] [proxy_http:error] [pid 29063] (104)Connection reset by peer: [client 10.205.1.18:49828] AH01102: error reading status line from remote server 127.0.0.1:40000, referer: http://10.200.6.100/univention/portal/

join.log

RUNNING 50openproject.inst
2017-05-16 02:45:41.260640046+02:00 (in joinscript_init)
Object exists: cn=ldapschema,cn=univention,dc=hel,dc=kopano
INFO: No change of core data of object openproject.
No modification: cn=openproject,cn=ldapschema,cn=univention,dc=hel,dc=kopano

Waiting for activation of the extension object openproject: OK
Object exists: cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Object exists: cn=openproject-isadmin,cn=openproject,cn=custom attributes,cn=univention,dc=hel,dc=kopano
Setting saml/idp/ldap/get_attributes
Multifile: /etc/simplesamlphp/authsources.php
Module: kopano-cfg
Object exists: SAMLServiceProviderIdentifier=openproject,cn=saml-serviceprovider,cn=univention,dc=hel,dc=kopano
Setting ucs/web/overview/entries/service/SP/description
Setting ucs/web/overview/entries/service/SP/label
Setting ucs/web/overview/entries/service/SP/link
Setting ucs/web/overview/entries/service/SP/priority
Module: kopano-cfg
Module: create_portal_entries
--2017-05-16 02:45:49--  https://ucs-sso.hel.kopano/simplesamlphp/saml2/idp/certificate
Auflösen des Hostnamen »ucs-sso.hel.kopano (ucs-sso.hel.kopano)«... 10.200.6.100
Verbindungsaufbau zu ucs-sso.hel.kopano (ucs-sso.hel.kopano)|10.200.6.100|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2017-05-16 02:45:49 FEHLER 403: Forbidden.

unable to load certificate
140528867223184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
EXITCODE=1

Comment 1 Stefan Gohmann

2017-06-28 06:51:16 CEST

Mark all bugs with a user pain > 0.3 as errata bugs.

Comment 2 Eduard Mai

2017-07-14 13:01:03 CEST

Created attachment 9029 [details]
Saml apache config template adjustments

The current apache2 config doesn't allow filesystem access to the idp certificate in its default location. Do we adjust the template or the default location fot the certificate?
I attached a proposal for the configuration template in univention-saml.

Comment 3 Florian Best

2017-07-14 13:14:16 CEST

Why doesn't it allow anymore? I think it was possible in UCS 4.1.

Comment 4 Eduard Mai

2017-07-14 13:59:32 CEST

(In reply to Florian Best from comment #3)
> Why doesn't it allow anymore? I think it was possible in UCS 4.1.

I didn't investigate the specific cause. My best guess is the change in basic directives between apache 2.4 and 2.2. For example Order and Allow vs. Require all granted.

Comment 5 Eduard Mai

2017-07-14 14:53:10 CEST

OK, the attached patch fixes the problem for me. I tried with openproject=5.0.17. Moving this issue to SAML.

Comment 6 Jürn Brodersen

2017-07-14 15:19:50 CEST

Created attachment 9032 [details]
24_download_certificate

Comment 7 Jürn Brodersen

2017-07-14 15:26:18 CEST

Comment on attachment 9032 [details]
24_download_certificate

Test for ucs-test/82_saml

Comment 8 Florian Best

2017-07-17 16:20:58 CEST

@Jürn: Please commit the ucs-test with the SKIP tag.

Comment 9 Jürn Brodersen

2017-07-20 16:41:46 CEST

r81298: test download of saml idp certificate

The test has the skip tag set for now

Comment 10 Florian Best

2017-11-28 18:01:07 CET

A slightly modified patch has been commited.

univention-saml (4.0.14-11)
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
1591bb4c3c3c | Bug #44704: fix certificate access permissions

ucs-test (7.0.23-3)
r81298 | Bug #44704: test download of saml idp certificate

univention-saml.yaml
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
b8f07173e39d | YAML Bug #44704

Comment 11 Jürn Brodersen

2017-12-04 15:37:49 CET

Looks good.

What I tested:

"ucs-test -s saml -E dangerous" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/certificate" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/" -> Forbidden -> OK

YAML -> OK

-> Verified

Comment 12 Arvid Requate

2017-12-06 15:40:17 CET

<http://errata.software-univention.de/ucs/4.2/236.html>