Univention Bugzilla – Bug 47896
/etc/cron.daily/univention-ssl exited with return code 2
Last modified: 2022-07-26 09:33:58 CEST
Users report an error level from univention-ssl. Doing some investigation I got the following debug output:

+ . /usr/share/univention-lib/ucr.sh
+ is_ucr_false ssl/validity/check
+ local value
+ /usr/sbin/univention-config-registry get ssl/validity/check
+ value=yes
+ tr [:upper:] [:lower:]
+ echo -n yes
+ return 1
+ univention-certificate-check-validity
+ check_gen_crl
+ local interval crl=/etc/univention/ssl/ucsCA/crl/crl.pem
+ ucr get server/role
+ [ domaincontroller_master = domaincontroller_master ]
+ ucr get ssl/crl/interval
+ interval=7
+ [ 7 -ge 1 ]
+ [ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]
+ find /etc/univention/ssl/ucsCA/crl/crl.pem -mtime -7
+ [ -n ]
+ . /usr/share/univention-ssl/make-certificates.sh
+ SSLBASE=/etc/univention/ssl
+ CA=ucsCA
+ /usr/sbin/univention-config-registry get ssl/crl/validity
+ DEFAULT_CRL_DAYS=10
+ : 10
+ /usr/sbin/univention-config-registry get ssl/default/days
+ DEFAULT_DAYS=1825
+ : 1825
+ /usr/sbin/univention-config-registry get ssl/default/hashfunction
+ DEFAULT_MD=sha256
+ : sha256
+ /usr/sbin/univention-config-registry get ssl/default/bits
+ DEFAULT_BITS=2048
+ : 2048
+ export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+ test -e /etc/univention/ssl/password
+ cat /etc/univention/ssl/password
+ PASSWD=M7NBxxxxx2tZ0aprRdJ3
/etc/cron.daily/univention-ssl: 438: /usr/share/univention-ssl/make-certificates.sh: Syntax error: redirection unexpected
make-certificates.sh uses a bash-only feature in line 438:
done <<< "$NUM"
The cronjob runs with /bin/sh and sources the file, which causes the error.
The problem is that the <<< redirection is supported only in bash, not in sh. The cronjob /etc/cron.daily/univention-ssl sources make-certificates.sh, which is written in bash (/bin/bash in hashbang), but the cronjob itself gets executed by sh.
To solve this, we probably have to:
* set '#! /bin/bash' in univention-ssl.cron.daily
* set 'SHELL=/bin/bash' in /etc/crontab
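A check for the situation described above, as an added example that is not Univention's code: it flags here-strings in files that a script with an sh interpreter line pulls in with the "." command. The function names and the sample files are constructed for illustration; the check is a heuristic that only sees literal ". /path" lines and the <<< operator.

```shell
#!/bin/sh
# Added example (not from the bug report): find bash-only here-strings (<<<)
# in files sourced by a script whose interpreter line names sh.

# List the literal paths a script sources via ". /path/to/file".
sourced_files() {
    sed -n 's/^[[:space:]]*\.[[:space:]]\{1,\}\([^[:space:];]\{1,\}\).*/\1/p' "$1"
}

# Succeed if the first line names sh (not bash) as the interpreter.
runs_under_sh() {
    head -n 1 "$1" | grep -Eq '^#![[:space:]]*(/usr)?/bin/sh([[:space:]]|$)'
}

# Print "file:line:text" for every here-string in the files sourced by $1.
# Returns 1 if any were found, 0 otherwise. Comment-only lines are skipped.
check_sourced_bashisms() {
    script=$1
    runs_under_sh "$script" || return 0
    out=$(sourced_files "$script" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        # /dev/null as second operand makes grep prefix the file name.
        grep -n '<<<' "$f" /dev/null |
            grep -v '^[^:]*:[0-9]*:[[:space:]]*#' || true
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: an sh cron script sourcing a library that uses <<<.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' ". $dir/lib.sh" 'gencrl' > "$dir/cron"
    printf '%s\n' '#!/bin/bash' 'while read line; do' '  echo "$line"' \
        'done <<< "$NUM"' > "$dir/lib.sh"
    echo "$dir"
}
```

Calling check_sourced_bashisms on the path of a cron script prints each hit and returns non-zero, so it can gate a package build or a CI job.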
Please remove the BASHism and convert it back to a POSIX script: index 5f0f97e8ca..97a51f212c 100755 --- a/base/univention-ssl/make-certificates.sh +++ b/base/univention-ssl/make-certificates.sh @@ -422,7 +422,7 @@ renew_cert () { revoke_cert () { local fqdn="${1:?Missing argument: common name}" - local cn NUM + local cn NUM line [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" if ! NUM="$(has_cert "$cn")" @@ -431,11 +431,12 @@ revoke_cert () { return 2 fi - while read line; do + for line in $NUM # IFS + do if is_valid "$line"; then openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${line}.pem" -passin pass:"$PASSWD" fi - done <<< "$NUM" + done gencrl }
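Review bot: In revoke_cert, `for line in $NUM # IFS` expands $NUM unquoted, so the shell splits it on every IFS character and also applies pathname expansion to each resulting word, whereas the removed `while read line` loop consumed one line at a time. The `# IFS` comment does not say what makes that safe; spell out the assumption about what has_cert prints (for example, only whitespace-separated serial numbers), or keep the line-wise loop in POSIX form by feeding "$NUM" through a here-document (`done <<EOF`), which also stays in the current shell. Adding `line` to the `local` list is worth keeping either way, since the loop variable was previously not declared local.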
https://help.univention.com/t/openvpn-crl-expired-no-client-access/9983 It seems to cause issues for the OpenVPN4ucs app as well
I applied the patch from philipp. Also, some code cleanup has been done.

univention-ssl (12.0.0-13)
b1b87964227d | Bug #47896 SSL: Silence shellcheck
ea281d12c3ea | Bug #47896 SSL: Remove useless `cat`
a83fb1cca468 | Bug #47896 SSL: Check `cd` for success
9f4581956a93 | Bug #47896 SSL: Fix local assignments
5a78849be02e | Bug #47896 SSL: Remove unused variable
4dd78d8516c1 | Bug #47896 SSL: Add missing quoting
8effe22da1a0 | Bug #47896 SSL: Replace `` by "$()"
56919503a1e3 | Bug #47896 SSL: Remove BASHism <<<

univention-ssl (12.0.0-14)
d8969c4468f8 | Bug #47896: changelog

univention-ssl.yaml
898ec142f845 | Bug #47896: YAML

Successful build
Package: univention-ssl
Version: 12.0.0-14A~4.3.0.201810181319
Branch: ucs_4.3-0
Scope: errata4.3-2
OK: apt-get install univention-ssl=12.0.0-16A~4.3.0.201810301145
FIXED: errata-announce univention-ssl.yaml
OK: univention-ssl.yaml
OK: ./debian/rules override_dh_auto_test
FIXED: sh /etc/cron.daily/univention-ssl

[4.3-2] d834519495 Bug #47896 ssl: Show error output again
 base/univention-ssl/debian/changelog | 6 ++++++
 base/univention-ssl/debian/univention-ssl.cron.daily | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-ssl
Version: 12.0.0-16A~4.3.0.201810301145
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] 694e243957 Bug #44469: univention-ssl 12.0.0-16A~4.3.0.201810301145
 doc/errata/staging/univention-ssl.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

OK: /var/log/syslog
OK: chmod -x /usr/sbin/univention-certificate-check-validity ; sh /etc/cron.daily/univention-ssl
*** Bug 48025 has been marked as a duplicate of this bug. ***
<http://errata.software-univention.de/ucs/4.3/297.html>