Univention Bugzilla – Bug 47974
Failing /etc/ldap/dh_2048.pem renewal - LDAP server fails to start (after update to UCS-4.3)
Last modified: 2018-10-17 14:57:21 CEST
> management/univention-ldap/debian/univention-ldap-server.postinst:91:[ -f /etc/ldap/dh_2048.pem ] || cp /usr/share/univention-ldap/dh_2048.pem /etc/ldap/

For some unknown reason the file "/etc/ldap/dh_2048.pem" is empty, which prevents the LDAP server "slapd" from starting.
→ the test should be changed from "-f" to "-s".

For some other yet unknown reason "/usr/share/univention-ldap/create-dh-parameter-files" creates empty files when called daily from "management/univention-ldap/conffiles/etc/cron.d/univention-ldap". (I have the same on my test-VM)

# sh -x /usr/share/univention-ldap/create-dh-parameter-files
+ set -e
+ umask 022
+ ucr get ldap/tls/dh/paramfile
+ paramfile=/etc/ldap/dh_2048.pem
+ [ -n /etc/ldap/dh_2048.pem ]
+ mktemp
+ log=/tmp/root/tmp.Z9wyQMq9Xz
+ exec

# tail /var/mail/systemmail
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
........................................+...................++*++*++*++*++*++*
unable to write 'random state'
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................+....................................+...+.........................................................+....................................................................................+.............................................................................................................................................+.....+....................................................+.........................................................................+........................................++*++*
unable to write 'random state'
> + openssl gendh -out /etc/ldap/dh_2048.pem.842miSJf2Z -2 2048
> Invalid command 'gendh'; type "help" for a list.

Compare that with
> mail/univention-mail-postfix/share/create-dh-parameter-files.sh:openssl dhparam -out /etc/postfix/dh_512.pem.tmp -2 512
Created attachment 9698 [details]
Patch for Bug 38685 dropped in UCS 4.1
From "man dhparam" from OpenSSL 1.1.0:
> The program dhparam combines the functionality of the programs dh and gendh in previous versions of OpenSSL. The dh and gendh programs are retained for now but may have different purposes in future versions of OpenSSL.

[4.3-2] b3bd3b33ee Bug #47974: Fix generating DH parameter file
 management/univention-ldap/debian/changelog           |  6 ++++++
 .../debian/univention-ldap-server.postinst            |  5 ++++-
 .../univention-ldap/scripts/create-dh-parameter-files | 16 ++++++++++++----
 3 files changed, 22 insertions(+), 5 deletions(-)

[4.3-2] 73b3a36781 Bug #47974: Bump package version
 management/univention-ldap/debian/changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-ldap
Version: 14.0.2-24A~4.3.0.201810151437
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] fecc61cc59 Bug #47974: Fix generating DH parameter file YAML
 doc/errata/staging/univention-ldap.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
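The two defects discussed in this bug (an existence-only `-f` test that accepts a zero-byte dh_2048.pem, and a call to the removed `openssl gendh` subcommand that leaves an empty temp file behind) are illustrated below with a small POSIX sh script. This is an added example, not the UCS postinst or the create-dh-parameter-files script from the package: the target path, the `OPENSSL` variable (overridable so the failure path can be exercised without a broken openssl binary) and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not UCS code. Assumptions: OPENSSL may be pointed at any
# command to simulate a failing openssl (e.g. OPENSSL=false); paths are
# passed in by the caller rather than read from UCR.
set -u

OPENSSL="${OPENSSL:-openssl}"

# The postinst used "[ -f file ]", which only tests existence, so an empty
# dh_2048.pem passes and slapd still refuses to start. "-s" additionally
# requires a non-zero size, which is the check this bug asks for.
dh_file_ok() {
    [ -s "$1" ]
}

# Generate a $2-bit DH parameter file into $1 using "openssl dhparam", the
# subcommand that replaced "gendh" (hence the "Invalid command 'gendh'" in
# the cron mail). The result is written to a temp file next to the target
# and only renamed into place after openssl succeeded, the file is
# non-empty and it parses back; on any failure the temp file is removed so
# no empty or partial parameter file is ever left on disk.
create_dh_params() {
    target=$1
    bits=$2
    tmp=$(mktemp "${target}.XXXXXXXX") || return 1
    if "$OPENSSL" dhparam -out "$tmp" -2 "$bits" >/dev/null 2>&1 \
       && [ -s "$tmp" ] \
       && "$OPENSSL" dhparam -check -noout -in "$tmp" >/dev/null 2>&1; then
        chmod 0644 "$tmp"
        mv "$tmp" "$target"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Postinst-style entry point: regenerate only if the current file is
# missing or empty, never touching a good file.
ensure_dh_params() {
    dh_file_ok "$1" || create_dh_params "$1" "$2"
}
```

With `OPENSSL=false` the generation fails exactly as the broken `gendh` invocation did, but `create_dh_params` returns non-zero and leaves neither the target nor a temp file behind, so a caller that checks the exit status (the script runs with `set -e`) notices instead of shipping an empty file to slapd.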
What I tested:
Update -> OK
create-dh-parameter-files -> OK
YAML: I changed the yaml description to be a little less technical.

[4.3-2 b3f074fab3] Bug #47974: Less technical yaml
<http://errata.software-univention.de/ucs/4.3/272.html>