Bug 45472 - univention-certificate should also do an '-updatedb'
univention-certificate should also do an '-updatedb'
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.3-0-errata
Assigned To: Felix Botner
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-29 11:18 CEST by Nico Stöckigt
Modified: 2018-05-09 14:21 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017082421000674,2017121121000163
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nico Stöckigt univentionstaff 2017-09-29 11:18:09 CEST
In case the index.txt doesn't reflect the "real world" of your CAs signed certifikates, it should be possible to call

univention-certificate updatedb


similar to:

openssl ca -config /etc/univention/ssl/openssl.cnf -updatedb 
Using configuration from /etc/univention/ssl/openssl.cnf
error on line 31 of config file '/etc/univention/ssl/openssl.cnf'
140317610878608:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 31

As you can see, the straight way throws an error. This is because in the openssl.cnf there are variables called → $ENV::DEFAULT_CRL_DAYS, $ENV::DEFAULT_MD, $ENV::DEFAULT_BITS, $ENV::DEFAULT_MD. They are replaced by UCR-Vs by the script '/usr/share/univention-ssl/make-certificates.sh' when calling univention-certificate
Comment 1 Philipp Hahn univentionstaff 2017-12-11 13:29:50 CET
'-updatebd` *must* be called in regular intervals:

DEFAULT_CRL_DAYS=$(ucr get ssl/crl/validity) \
DEFAULT_MD=$(ucr get ssl/default/hashfunction) \
DEFAULT_BITS=$(ucr get ssl/default/bits) \
openssl ca -updatedb \
 -config /etc/univention/ssl/openssl.cnf \
 -passin file:/etc/univention/ssl/password

otherwise expired certificates do not get marked as _E_xpired in "/etc/univention/ssl/ucsCA/index.txt" column 1 and prevent the certificate from being renewed.
As an alternative change "/etc/univention/ssl/ucsCA/index.txt.attr" to "unique_subject = no" to allow multiple certificates to be valid at the same time (it is AFAIK current best practice to use a 2nd renewed certificates at the end of the validity of the first one, so it's natural for multiple certificates for DN to exist).

# faketime 'last week' /usr/sbin/univention-certificate new -name bug45472 -days 1
...

# /usr/sbin/univention-certificate revoke -name bug45472
Revoke certificate: bug45472
no certificate for bug45472 registered

# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
V       171205122400Z           03      unknown .../CA=bug45472/...
^       ^^^^^^^^^^^^ in the past!

# /usr/sbin/univention-certificate renew -name bug45472 -days 1
...
Certificate is to be certified until Dec 12 12:25:08 2017 GMT (1 days)
failed to update database
TXT_DB error number 2

# /usr/sbin/univention-certificate new -name bug45472 -days 1
...
Certificate is to be certified until Dec 12 12:26:32 2017 GMT (1 days)
failed to update database
TXT_DB error number 2

# DEFAULT_CRL_DAYS=$(ucr get ssl/crl/validity) DEFAULT_MD=$(ucr get ssl/default/hashfunction) DEFAULT_BITS=$(ucr get ssl/default/bits) openssl ca -updatedb  -config /etc/univention/ssl/openssl.cnf  -passin file:/etc/univention/ssl/password
...
03=Expired

# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
E       171205122400Z           03      unknown .../CA=bug45472/...
^

# /usr/sbin/univention-certificate renew -name bug45472 -days 1
...
Write out database with 1 new entries
Data Base Updated

# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
E       171205122400Z           03      unknown .../CA=bug45472/...
V       171212122807Z           04      unknown .../CA=bug45472/...
Comment 2 Felix Botner univentionstaff 2018-04-11 18:23:47 CEST
changes

* added has_cert() to make-certificates.sh, lists also expired (but not revoked)
  certificates
  revoke_cert now uses has_cert() instead of has_valid_cert(), so we can
  create or renew expired certs now too (this was the problem until now, because
  has_valid_cert() couldn't find expired certs)

* added univention-cert... updatedb (to mark expired certs)

* modified debian/univention-ssl.cron.daily to run updatedb

* as univention-cert... only lists "V" certs from the index, i added
  univention-cert... list-all (list_cert_names_all in make-certificates.sh)

 univention-certificate list-all
List all certificates (including revoked and expired certificates)
01	master.four.three (V)
02	ucs-sso.four.three (V)
03	wordp-82863136.four.three (V)
04	felix (E)
05	felix (R)
06	felix (V)

  this is the major change for the user, expired certs are now mark as
  expired and no longer listed in univention-cert... list

* added test test_host_expired, renew expired cert with/withou prior updatedb

univention-ssl
db4fa59bc497e9103141641f042ba1a3911e3423
2379ce67de8ef0a570c7f1d37109fb07b3c3e398
8986760511f28777228d2c97fa2ccfec03bfa3f1

yaml
ba9c07d98e1aae169d2e2814b7e93ead07a8fdb5
Comment 3 Philipp Hahn univentionstaff 2018-05-03 05:45:06 CEST
OK: errata-announce -V --only univention-ssl.yaml
OK: univention-ssl.yaml

OK: tests/
FIXED: 94b8d3849612f4dc0763aed85c0a3c66ca50f500..
[4.3-0] 68492d144d Bug #45472 QA: handle expired certificates
[4.3-0] 27d8a38f17 Bug #45472 ssl QA: Fix UCRV descriptions YAML

Package: univention-ssl
Version: 12.0.0-7A~4.3.0.201805022244
Branch: ucs_4.3-0
gScope: errata4.3-0
Comment 4 Quality Assurance univentionstaff 2018-05-04 16:42:59 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-ssl_12.0.0-1A~4.3.0.201712120222.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/univention-ssl_12.0.0-7A~4.3.0.201805022244.dsc
@@ -1,6 +1,30 @@
-12.0.0-1A~4.3.0.201712120222 [Tue, 12 Dec 2017 02:22:07 +0100] Univention builddaemon <buildd@univention.de>:
+12.0.0-7A~4.3.0.201805022244 [Wed, 02 May 2018 22:44:47 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+12.0.0-7 [Wed, 02 May 2018 16:57:50 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-6 [Tue, 17 Apr 2018 16:01:34 +0200] Jürn Brodersen <brodersen@univention.de>:
+
+  * Bug #46203: Fix stderr redirect
+
+12.0.0-5 [Wed, 11 Apr 2018 17:13:25 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-4 [Wed, 11 Apr 2018 17:07:30 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-3 [Wed, 11 Apr 2018 17:02:58 +0200] Felix Botner <botner@univention.de>:
+
+  * Bug #45472: handle expired certificates
+
+12.0.0-2 [Thu, 22 Mar 2018 12:17:10 +0100] Jürn Brodersen <brodersen@univention.de>:
+
+  * Bug #46203: Fix file permissions after certificate renewal
 
 12.0.0-1 [Mon, 11 Dec 2017 14:40:48 +0100] Jürn Brodersen <brodersen@univention.de>:
Comment 5 Arvid Requate univentionstaff 2018-05-09 14:21:10 CEST
<http://errata.software-univention.de/ucs/4.3/33.html>