First Last Prev Next    This bug is not in your last search results.
Bug 47974 - Failing /etc/ldap/dh_2048.pem renewal - LDAP server fails to start (after update to UCS-4.3)
Failing /etc/ldap/dh_2048.pem renewal - LDAP server fails to start (after upd...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Philipp Hahn
Jürn Brodersen
:
Depends on: 38685
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-15 12:18 CEST by Philipp Hahn
Modified: 2018-10-17 14:57 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.200
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Patch for Bug 38685 dropped in UCS 4.1 (4.02 KB, patch)
2018-10-15 13:47 CEST, Arvid Requate 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-10-15 12:18:48 CEST 
> management/univention-ldap/debian/univention-ldap-server.postinst:91:[ -f /etc/ldap/dh_2048.pem ] || cp /usr/share/univention-ldap/dh_2048.pem /etc/ldap/

For some unknown reason the file "/etc/ldap/sh_2048.pem" is empty, which prevents the LDAP server "slapd" from starting.
→ the test should be changed fom "-f" to "-s".

For some other yet unknown reason "/usr/share/univention-ldap/create-dh-parameter-files" creates empty files when called daily from "management/univention-ldap/conffiles/etc/cron.d/univention-ldap".

(I have the same on my test-VM)

# sh -x /usr/share/univention-ldap/create-dh-parameter-files
+ set -e
+ umask 022
+ ucr get ldap/tls/dh/paramfile
+ paramfile=/etc/ldap/dh_2048.pem
+ [ -n /etc/ldap/dh_2048.pem ]
+ mktemp
+ log=/tmp/root/tmp.Z9wyQMq9Xz
+ exec

# tail /var/mail/systemmail
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
........................................+...................++*++*++*++*++*++*
unable to write 'random state'
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................+....................................+...+.........................................................+....................................................................................+.............................................................................................................................................+.....+....................................................+.........................................................................+........................................++*++*
unable to write 'random state'
Comment 1 Philipp Hahn univentionstaff 2018-10-15 12:23:01 CEST 
> + openssl gendh -out /etc/ldap/dh_2048.pem.842miSJf2Z -2 2048
> Invalid command 'gendh'; type "help" for a list.

compare that with

> mail/univention-mail-postfix/share/create-dh-parameter-files.sh:openssl dhparam -out /etc/postfix/dh_512.pem.tmp -2 512
Comment 3 Arvid Requate univentionstaff 2018-10-15 13:47:40 CEST 
Created attachment 9698 [details]
Patch for Bug 38685 dropped in UCS 4.1
Comment 4 Philipp Hahn univentionstaff 2018-10-15 14:46:40 CEST 
From "man dhparam" from OpenSSL 1.1.0:
> The program dhparam combines the functionality of the programs dh and gendh in previous versions of OpenSSL. The dh and gendh programs are retained for now but may have different purposes in future versions of OpenSSL.

[4.3-2] b3bd3b33ee Bug #47974: Fix generating DH parameter file
 management/univention-ldap/debian/changelog              |  6 ++++++
 .../debian/univention-ldap-server.postinst               |  5 ++++-
 .../univention-ldap/scripts/create-dh-parameter-files    | 16 ++++++++++++----
 3 files changed, 22 insertions(+), 5 deletions(-)
[4.3-2] 73b3a36781 Bug #47974: Bump package version
 management/univention-ldap/debian/changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-ldap
Version: 14.0.2-24A~4.3.0.201810151437
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] fecc61cc59 Bug #47974: Fix generating DH parameter file YAML
 doc/errata/staging/univention-ldap.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
Comment 7 Jürn Brodersen univentionstaff 2018-10-17 12:51:20 CEST 
What I tested:
Update -> OK
create-dh-parameter-files -> OK

YAML:
I changed the yaml description to be a little less technical.

[4.3-2 b3f074fab3] Bug #47974: Less technical yaml
Comment 8 Arvid Requate univentionstaff 2018-10-17 14:57:21 CEST 
<http://errata.software-univention.de/ucs/4.3/272.html>
First Last Prev Next    This bug is not in your last search results.