Bug 47896 - /etc/cron.daily/univention-ssl exited with return code 2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Jannik Ahlers
QA Contact: Philipp Hahn
URL: https://help.univention.com/t/openvpn...
Duplicates: 48025
Depends on:
Blocks: 54932 55030
Reported: 2018-10-02 09:40 CEST by Christian Völker
Modified: 2022-07-26 09:33 CEST (History)
CC: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: Ticket#2018100221000851
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Description Christian Völker univentionstaff 2018-10-02 09:40:30 CEST
Users report an error level from univention-ssl.

Doing some investigation I got the following debug output:

+ . /usr/share/univention-lib/ucr.sh
+ is_ucr_false ssl/validity/check
+ local value
+ /usr/sbin/univention-config-registry get ssl/validity/check
+ value=yes
+ tr [:upper:] [:lower:]
+ echo -n yes
+ return 1
+ univention-certificate-check-validity
+ check_gen_crl
+ local interval crl=/etc/univention/ssl/ucsCA/crl/crl.pem
+ ucr get server/role
+ [ domaincontroller_master = domaincontroller_master ]
+ ucr get ssl/crl/interval
+ interval=7
+ [ 7 -ge 1 ]
+ [ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]
+ find /etc/univention/ssl/ucsCA/crl/crl.pem -mtime -7
+ [ -n  ]
+ . /usr/share/univention-ssl/make-certificates.sh
+ SSLBASE=/etc/univention/ssl
+ CA=ucsCA
+ /usr/sbin/univention-config-registry get ssl/crl/validity
+ DEFAULT_CRL_DAYS=10
+ : 10
+ /usr/sbin/univention-config-registry get ssl/default/days
+ DEFAULT_DAYS=1825
+ : 1825
+ /usr/sbin/univention-config-registry get ssl/default/hashfunction
+ DEFAULT_MD=sha256
+ : sha256
+ /usr/sbin/univention-config-registry get ssl/default/bits
+ DEFAULT_BITS=2048
+ : 2048
+ export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+ test -e /etc/univention/ssl/password
+ cat /etc/univention/ssl/password
+ PASSWD=M7NBxxxxx2tZ0aprRdJ3
/etc/cron.daily/univention-ssl: 438: /usr/share/univention-ssl/make-certificates.sh: Syntax error: redirection unexpected
Comment 1 Erik Damrose univentionstaff 2018-10-02 10:11:34 CEST
make-certificates.sh uses a bash only feature in line 438:
 done <<< "$NUM"

The cronjob runs with /bin/sh and sources the file, which causes the error.
Comment 2 Jannik Ahlers univentionstaff 2018-10-02 10:13:41 CEST
The problem is that the <<< redirection is supported only in bash, not in sh.
The cronjob /etc/cron.daily/univention-ssl sources make-certificates.sh, which is written in bash (/bin/bash in hashbang), but the cronjob itself gets executed by sh.

To solve this, we probably have to:
* set '#! /bin/bash' in univention-ssl.cron.daily
* set 'SHELL=/bin/bash' in /etc/crontab
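The sh-versus-bash difference Comments 1 and 2 describe, as an added example that is not part of the bug report or of the univention-ssl package: the same "walk a newline-separated list of serials" loop written two ways that /bin/sh (dash on Debian-based systems such as UCS) can parse, a for loop of the kind the fix in the next comment uses and a here-document, plus a parse-only check of the sort that would have caught the here-string before cron did. SAMPLE_NUM, is_valid_serial, revoke_with_for, revoke_with_heredoc and check_sh_syntax are assumed names; the real output format of has_cert() is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the univention-ssl package: two POSIX ways to
# iterate over a list that bash code would feed to a loop with "<<<", plus a
# syntax check for scripts that /etc/cron.daily will run through /bin/sh.

# Constructed sample input: the list has_cert() is assumed to return, one
# serial per line (the real format is not shown on the bug page).
SAMPLE_NUM='01
0A
1F'

# Assumed stand-in for the page's is_valid(): accept hexadecimal serials only.
is_valid_serial() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Variant 1, the shape used by the fix: a for loop over the unquoted value.
# Field splitting on IFS (space, tab, newline by default) yields the serials,
# but every word is also subject to pathname expansion, so globbing is turned
# off for the loop (and unconditionally re-enabled afterwards). Prints the
# number of serials that passed validation; the real loop would call
# "openssl ca -revoke" for each one instead of counting.
revoke_with_for() {
    list=$1
    count=0
    set -f
    for line in $list; do
        if is_valid_serial "$line"; then
            count=$((count + 1))
        fi
    done
    set +f
    echo "$count"
}

# Variant 2: keep the original "while read" loop and feed it from a POSIX
# here-document instead of a bash here-string. No field splitting, no
# globbing, and empty lines reach the loop body, where they are rejected.
revoke_with_heredoc() {
    count=0
    while IFS= read -r line; do
        if is_valid_serial "$line"; then
            count=$((count + 1))
        fi
    done <<EOF
$1
EOF
    echo "$count"
}

# dash rejects "<<<" while parsing, so a sourced file breaks the whole cron
# job even when the offending function is never called. "sh -n" parses a
# script without executing it and reports the same syntax errors, which makes
# it a cheap pre-deployment check. Returns sh's exit status (0 = parses).
check_sh_syntax() {
    sh -n "$1"
}
```

Run check_sh_syntax against every file a cron script sources, with the same /bin/sh cron will use; on a host whose /bin/sh is bash the check passes a here-string, so it only proves what the installed sh accepts.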
Comment 3 Philipp Hahn univentionstaff 2018-10-02 18:43:36 CEST
Please remove the BASHism and convert it back to a POSIX script:

index 5f0f97e8ca..97a51f212c 100755
--- a/base/univention-ssl/make-certificates.sh
+++ b/base/univention-ssl/make-certificates.sh
@@ -422,7 +422,7 @@ renew_cert () {
 revoke_cert () {
        local fqdn="${1:?Missing argument: common name}"
 
-       local cn NUM
+       local cn NUM line
        [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"
 
        if ! NUM="$(has_cert "$cn")"
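Review bot: `local cn NUM line` still relies on `local`, which is not in POSIX sh either; dash and bash both provide it, so the script remains dependent on that shared extension after the `<<<` removal, and that is worth stating in the commit message. Declaring `line` local is nevertheless the right call here: a `for` loop variable in a sourced function would otherwise leak into the caller, which in this case is the cron job's shell.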
@@ -431,11 +431,12 @@ revoke_cert () {
                return 2
        fi
 
-       while read line; do
+       for line in $NUM  # IFS
+       do
                if is_valid "$line"; then
                        openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${line}.pem" -passin pass:"$PASSWD"
                fi
-       done <<< "$NUM"
+       done
        gencrl
 }
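Review bot: `for line in $NUM` depends on field splitting and also subjects every word to pathname expansion, which the `while read line` loop it replaces never did; the `# IFS` comment only hints at the first of these. Either guard the loop with `set -f` or keep `while read line` and feed it from a POSIX here-document (`done <<EOF` / `$NUM` / `EOF`), so a stray glob character in NUM cannot expand against the current directory. Separately, the exit status of `openssl ca ... -revoke` is discarded before `gencrl` runs, so a failed revocation still yields a fresh CRL that does not list the certificate; check the status and return non-zero instead of regenerating the CRL.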
Comment 4 Erik Damrose univentionstaff 2018-10-09 13:21:29 CEST
https://help.univention.com/t/openvpn-crl-expired-no-client-access/9983

It seems to cause issues for the OpenVPN4ucs app as well
Comment 5 Jannik Ahlers univentionstaff 2018-10-18 13:49:11 CEST
I applied the patch from Philipp. Also, some code cleanup has been done.

univention-ssl (12.0.0-13)
b1b87964227d | Bug #47896 SSL: Silence shellcheck
ea281d12c3ea | Bug #47896 SSL: Remove useless `cat`
a83fb1cca468 | Bug #47896 SSL: Check `cd` for success
9f4581956a93 | Bug #47896 SSL: Fix local assignments
5a78849be02e | Bug #47896 SSL: Remove unused variable
4dd78d8516c1 | Bug #47896 SSL: Add missing quoting
8effe22da1a0 | Bug #47896 SSL: Replace `` by "$()"
56919503a1e3 | Bug #47896 SSL: Remove BASHism <<<

univention-ssl (12.0.0-14)
d8969c4468f8 | Bug #47896: changelog

univention-ssl.yaml
898ec142f845 | Bug #47896: YAML

Successful build
Package: univention-ssl
Version: 12.0.0-14A~4.3.0.201810181319
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 6 Philipp Hahn univentionstaff 2018-10-30 12:08:50 CET
OK: apt-get install univention-ssl=12.0.0-16A~4.3.0.201810301145
FIXED: errata-announce univention-ssl.yaml
OK: univention-ssl.yaml
OK: ./debian/rules override_dh_auto_test
FIXED: sh /etc/cron.daily/univention-ssl

[4.3-2] d834519495 Bug #47896 ssl: Show error output again
 base/univention-ssl/debian/changelog                 | 6 ++++++
 base/univention-ssl/debian/univention-ssl.cron.daily | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-ssl
Version: 12.0.0-16A~4.3.0.201810301145
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] 694e243957 Bug #44469: univention-ssl 12.0.0-16A~4.3.0.201810301145
 doc/errata/staging/univention-ssl.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

OK: /var/log/syslog
OK: chmod -x /usr/sbin/univention-certificate-check-validity ; sh /etc/cron.daily/univention-ssl
Comment 7 Philipp Hahn univentionstaff 2018-10-30 16:37:19 CET
*** Bug 48025 has been marked as a duplicate of this bug. ***
Comment 8 Arvid Requate univentionstaff 2018-11-01 13:44:09 CET
<http://errata.software-univention.de/ucs/4.3/297.html>