Univention Bugzilla – Bug 46203
Wrong permissions after renewing the ssl certificates
Last modified: 2018-05-09 14:21:11 CEST
Newly generated computer certificates, as described in https://help.univention.com/t/renewing-the-ssl-certificates/37
_________________________________________________________________________________
eval "$(ucr shell)"
cd /etc/univention/ssl
for i in *".$domainname"; do univention-certificate renew -name "$i" -days "$(ucr get ssl/default/days)"; done
_________________________________________________________________________________
do not have the right file permissions set for the 'DC Backup Hosts' group.

Before renewing the certificates the permission was set to
-rw-r----- backup$ DC Backup Hosts
after renewing the certificates the permission is set to
-rw------- backup$ DC Backup Hosts

The backup server could not copy the certificate via cronjob. This causes a lot of trouble if a backup2master was done twice.
Basically, renewing certificates breaks the "ssl-sync". This invalidates a main feature of the UCS Backup role (having a copy of the SSL-PKI) that is essential for (but not limited to) the backup2master process.
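A check that could be run after the renewal loop to catch the permission change reported above, written as an added example and not taken from the univention-ssl package. It assumes the per-host directories are the `*.$domainname` entries under /etc/univention/ssl used in the loop; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find files in renewed host certificate directories that the
# group can no longer read (-rw------- instead of -rw-r-----).
# Assumption: host directories match <ssl_dir>/*.<domainname>, as in the
# renewal loop from the report. Function names are hypothetical.
#
# Usage on a UCS system:
#   eval "$(ucr shell)"
#   check_ssl_group_read /etc/univention/ssl "$domainname"

# Print every regular file under SSL_DIR/*.DOMAIN that lacks the group read bit.
list_unreadable_for_group() {
    ssl_dir=$1
    domain=$2
    for host_dir in "$ssl_dir"/*."$domain"; do
        [ -d "$host_dir" ] || continue   # glob matched nothing, or not a directory
        find "$host_dir" -type f ! -perm -040
    done
}

# Return 0 if every file is group-readable, otherwise list offenders and return 1.
check_ssl_group_read() {
    offenders=$(list_unreadable_for_group "$1" "$2")
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Workaround, not the packaged fix: add the group read bit back
# (-rw------- becomes -rw-r-----); owner and group are left unchanged.
restore_ssl_group_read() {
    list_unreadable_for_group "$1" "$2" | while IFS= read -r f; do
        chmod g+r "$f"
    done
}
```

A non-zero exit from `check_ssl_group_read` means the Backup's certificate sync will fail for the listed files until group read access is restored.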
[4.3-0 94b8d38496] Bug #46203: Fix file permissions after certificate renewal
[4.3-0 5985c9de5c] Bug #46203: YAML
[4.3-0 c1d637d321] Bug #46203: Fix stderr redirect
[4.3-0 015255317f] Bug #46203: YAML

Package: univention-ssl
Version: 12.0.0-6A~4.3.0.201804171604
Branch: ucs_4.3-0
Scope: errata4.3-0
Ok.
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-ssl_12.0.0-1A~4.3.0.201712120222.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/univention-ssl_12.0.0-7A~4.3.0.201805022244.dsc @@ -1,6 +1,30 @@ -12.0.0-1A~4.3.0.201712120222 [Tue, 12 Dec 2017 02:22:07 +0100] Univention builddaemon <buildd@univention.de>: +12.0.0-7A~4.3.0.201805022244 [Wed, 02 May 2018 22:44:47 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.0-7 [Wed, 02 May 2018 16:57:50 +0200] Philipp Hahn <hahn@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-6 [Tue, 17 Apr 2018 16:01:34 +0200] Jürn Brodersen <brodersen@univention.de>: + + * Bug #46203: Fix stderr redirect + +12.0.0-5 [Wed, 11 Apr 2018 17:13:25 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-4 [Wed, 11 Apr 2018 17:07:30 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-3 [Wed, 11 Apr 2018 17:02:58 +0200] Felix Botner <botner@univention.de>: + + * Bug #45472: handle expired certificates + +12.0.0-2 [Thu, 22 Mar 2018 12:17:10 +0100] Jürn Brodersen <brodersen@univention.de>: + + * Bug #46203: Fix file permissions after certificate renewal 12.0.0-1 [Mon, 11 Dec 2017 14:40:48 +0100] Jürn Brodersen <brodersen@univention.de>:
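Review bot: the added changelog entries for 12.0.0-3, 12.0.0-4, 12.0.0-5 and 12.0.0-7 all carry the identical text "Bug #45472: handle expired certificates", so the changelog does not tell a reader what differs between those revisions; each entry should state what that revision changed. The 12.0.0-2 entry "Fix file permissions after certificate renewal" would also be easier to audit if it named the affected files and the mode that is restored, and the 12.0.0-6 entry "Fix stderr redirect" if it named the script or command concerned.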
<http://errata.software-univention.de/ucs/4.3/33.html>