Univention Bugzilla – Bug 45472
univention-certificate should also do an '-updatedb'
Last modified: 2018-05-09 14:21:10 CEST
In case the index.txt doesn't reflect the "real world" of your CA's signed certificates, it should be possible to call univention-certificate updatedb similar to:

openssl ca -config /etc/univention/ssl/openssl.cnf -updatedb
Using configuration from /etc/univention/ssl/openssl.cnf
error on line 31 of config file '/etc/univention/ssl/openssl.cnf'
140317610878608:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 31

As you can see, the straight way throws an error. This is because in the openssl.cnf there are variables called → $ENV::DEFAULT_CRL_DAYS, $ENV::DEFAULT_MD, $ENV::DEFAULT_BITS, $ENV::DEFAULT_MD. They are replaced by UCR-Vs by the script '/usr/share/univention-ssl/make-certificates.sh' when calling univention-certificate
'-updatedb' *must* be called in regular intervals:

DEFAULT_CRL_DAYS=$(ucr get ssl/crl/validity) \
DEFAULT_MD=$(ucr get ssl/default/hashfunction) \
DEFAULT_BITS=$(ucr get ssl/default/bits) \
openssl ca -updatedb \
  -config /etc/univention/ssl/openssl.cnf \
  -passin file:/etc/univention/ssl/password

otherwise expired certificates do not get marked as _E_xpired in "/etc/univention/ssl/ucsCA/index.txt" column 1 and prevent the certificate from being renewed.

As an alternative change "/etc/univention/ssl/ucsCA/index.txt.attr" to "unique_subject = no" to allow multiple certificates to be valid at the same time (it is AFAIK current best practice to use a 2nd renewed certificate at the end of the validity of the first one, so it's natural for multiple certificates for a DN to exist).

# faketime 'last week' /usr/sbin/univention-certificate new -name bug45472 -days 1
...
# /usr/sbin/univention-certificate revoke -name bug45472
Revoke certificate: bug45472
no certificate for bug45472 registered
# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
V	171205122400Z		03	unknown	.../CA=bug45472/...
^	^^^^^^^^^^^^ in the past!
# /usr/sbin/univention-certificate renew -name bug45472 -days 1
...
Certificate is to be certified until Dec 12 12:25:08 2017 GMT (1 days)
failed to update database
TXT_DB error number 2
# /usr/sbin/univention-certificate new -name bug45472 -days 1
...
Certificate is to be certified until Dec 12 12:26:32 2017 GMT (1 days)
failed to update database
TXT_DB error number 2
# DEFAULT_CRL_DAYS=$(ucr get ssl/crl/validity) DEFAULT_MD=$(ucr get ssl/default/hashfunction) DEFAULT_BITS=$(ucr get ssl/default/bits) openssl ca -updatedb -config /etc/univention/ssl/openssl.cnf -passin file:/etc/univention/ssl/password
...
03=Expired
# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
E	171205122400Z		03	unknown	.../CA=bug45472/...
^
# /usr/sbin/univention-certificate renew -name bug45472 -days 1
...
Write out database with 1 new entries
Data Base Updated
# grep bug45472 /etc/univention/ssl/ucsCA/index.txt
E	171205122400Z		03	unknown	.../CA=bug45472/...
V	171212122807Z		04	unknown	.../CA=bug45472/...
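Added example, not code from the bug report or from the univention-ssl package: a small parser for the index.txt rows shown above that reports entries still marked V although their expiry has passed, i.e. the rows that 'openssl ca -updatedb' would rewrite to E and that otherwise block a renewal of the same subject. The field layout (six tab-separated columns) is OpenSSL's; the sample rows and subject names are constructed for this example.

```python
"""Find stale 'V' rows in an OpenSSL CA index.txt (constructed sample data)."""
from datetime import datetime, timezone

# index.txt is tab separated: status, expiry, revocation date, serial,
# certificate file name, subject DN.  Status: V valid, E expired, R revoked.
# The rows below are constructed for this example, not taken from a real CA.
SAMPLE_INDEX = (
    "V\t171205122400Z\t\t03\tunknown\t/C=DE/CN=bug45472\n"
    "R\t181231235959Z\t171205120000Z\t05\tunknown\t/C=DE/CN=felix\n"
    "V\t300101000000Z\t\t06\tunknown\t/C=DE/CN=felix\n"
    "E\t171105120000Z\t\t07\tunknown\t/C=DE/CN=old\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "file", "subject")

def parse_index(text):
    """Parse index.txt lines into dicts; reject rows with the wrong field count."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(FIELDS):
            raise ValueError("malformed index row: %r" % line)
        rows.append(dict(zip(FIELDS, fields)))
    return rows

def asn1_time(stamp):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def stale_entries(rows, now):
    """Rows still marked V whose expiry is already past: exactly the rows
    that 'openssl ca -updatedb' would rewrite to E."""
    return [r for r in rows if r["status"] == "V" and asn1_time(r["expiry"]) <= now]

def blocked_subjects(rows, now):
    """Subjects that cannot get a new certificate while a stale V row exists
    for them (with unique_subject = yes the CA refuses a second V row)."""
    return sorted({r["subject"] for r in stale_entries(rows, now)})

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for r in stale_entries(parse_index(SAMPLE_INDEX), now):
        print("serial %s (%s) expired %s but still V" % (r["serial"], r["subject"], r["expiry"]))
```

Run it against a real /etc/univention/ssl/ucsCA/index.txt (read the file instead of SAMPLE_INDEX) to see whether a renewal failure is caused by a stale V row before touching index.txt.attr.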
changes

* added has_cert() to make-certificates.sh, lists also expired (but not revoked) certificates
  revoke_cert now uses has_cert() instead of has_valid_cert(), so we can create or renew expired certs now too (this was the problem until now, because has_valid_cert() couldn't find expired certs)
* added univention-cert... updatedb (to mark expired certs)
* modified debian/univention-ssl.cron.daily to run updatedb
* as univention-cert... only lists "V" certs from the index, I added univention-cert... list-all (list_cert_names_all in make-certificates.sh)

  univention-certificate list-all
  List all certificates (including revoked and expired certificates)
  01 master.four.three (V)
  02 ucs-sso.four.three (V)
  03 wordp-82863136.four.three (V)
  04 felix (E)
  05 felix (R)
  06 felix (V)

  this is the major change for the user, expired certs are now marked as expired and no longer listed in univention-cert... list
* added test test_host_expired, renew expired cert with/without prior updatedb

univention-ssl
db4fa59bc497e9103141641f042ba1a3911e3423
2379ce67de8ef0a570c7f1d37109fb07b3c3e398
8986760511f28777228d2c97fa2ccfec03bfa3f1
yaml
ba9c07d98e1aae169d2e2814b7e93ead07a8fdb5
OK: errata-announce -V --only univention-ssl.yaml
OK: univention-ssl.yaml
OK: tests/
FIXED: 94b8d3849612f4dc0763aed85c0a3c66ca50f500..
[4.3-0] 68492d144d Bug #45472 QA: handle expired certificates
[4.3-0] 27d8a38f17 Bug #45472 ssl QA: Fix UCRV descriptions

YAML
Package: univention-ssl
Version: 12.0.0-7A~4.3.0.201805022244
Branch: ucs_4.3-0
gScope: errata4.3-0
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-ssl_12.0.0-1A~4.3.0.201712120222.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/univention-ssl_12.0.0-7A~4.3.0.201805022244.dsc @@ -1,6 +1,30 @@ -12.0.0-1A~4.3.0.201712120222 [Tue, 12 Dec 2017 02:22:07 +0100] Univention builddaemon <buildd@univention.de>: +12.0.0-7A~4.3.0.201805022244 [Wed, 02 May 2018 22:44:47 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.0-7 [Wed, 02 May 2018 16:57:50 +0200] Philipp Hahn <hahn@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-6 [Tue, 17 Apr 2018 16:01:34 +0200] Jürn Brodersen <brodersen@univention.de>: + + * Bug #46203: Fix stderr redirect + +12.0.0-5 [Wed, 11 Apr 2018 17:13:25 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-4 [Wed, 11 Apr 2018 17:07:30 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-3 [Wed, 11 Apr 2018 17:02:58 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-2 [Thu, 22 Mar 2018 12:17:10 +0100] Jürn Brodersen <brodersen@univention.de>: + + * Bug #46203: Fix file permissions after certificate renewal 12.0.0-1 [Mon, 11 Dec 2017 14:40:48 +0100] Jürn Brodersen <brodersen@univention.de>:
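Review bot: the entries for 12.0.0-3, 12.0.0-4, 12.0.0-5 and 12.0.0-7 in this changelog hunk are word for word identical ("* Bug #45472: handle expired certificates"), so the .dsc changelog does not record what each of the three uploads on 11 Apr 2018 or the one on 2 May 2018 actually changed. Please give each entry a distinguishing line (the QA comment above mentions "QA: handle expired certificates" and "Fix UCRV descriptions", which would fit 12.0.0-7) or collapse the consecutive same-day entries into one.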
<http://errata.software-univention.de/ucs/4.3/33.html>