Bug 48025 - crl-update fails through cron
Status: CLOSED DUPLICATE of bug 47896
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Philipp Hahn
QA Contact: UCS maintainers
Reported: 2018-10-19 15:12 CEST by Christian Völker
Modified: 2018-11-07 09:27 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018101921000605
Bug group (optional):
Max CVSS v3 score:


Description Christian Völker univentionstaff 2018-10-19 15:12:02 CEST
Customer sees the following in logfiles:

run-parts: /etc/cron.daily/univention-ssl exited with return code 2
/etc/cron.daily/univention-ssl-crl-update:
Using configuration from /etc/univention/ssl/openssl.cnf
ca: Error on line 32 of config file "/etc/univention/ssl/openssl.cnf"
140422915728640:error:0E065068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:519:line 32
/etc/cron.daily/univention-ssl-crl-update: line 25: echo: No such file or directory
run-parts: /etc/cron.daily/univention-ssl-crl-update exited with return code 1

This happened since https://forge.univention.org/bugzilla/show_bug.cgi?id=41013 has been applied on customer's server.
Comment 1 Christian Völker univentionstaff 2018-10-19 15:13:55 CEST
Workaround available:

--- /root/univention-ssl-crl-update     2018-10-19 14:41:07.420393123 +0200
+++ ./univention-ssl-crl-update 2018-10-19 14:46:21.217069038 +0200
@@ -1,8 +1,16 @@
#!/bin/bash
+set -x
 
#update crl in case of getting invalid after 30 days
#Univention [Ticket#2014082721000898]
 
+#use UCR values in /etc/univention/ssl/openssl.cnf
+#default_crl_days    = $ENV::DEFAULT_CRL_DAYS
+#default_md          = $ENV::DEFAULT_MD
+
+export DEFAULT_CRL_DAYS=$(ucr shell ssl/crl/validity | awk -F= '{ print $2 }')
+export DEFAULT_MD=$(ucr shell ssl/default/hashfunction | awk -F= '{ print $2 }')
+
nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"
 
today="$(date -u '+%s')"
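
Review bot: The `set -x` added directly under the shebang traces every command to stderr, so each cron.daily run produces output; remove it once the workaround is confirmed. The two `export` lines take whatever `ucr shell ... | awk -F= '{ print $2 }'` prints without checking it, so an unset UCR variable or any quoting in that output ends up in `DEFAULT_CRL_DAYS` and `DEFAULT_MD` as is. Reading the values with `ucr get ssl/crl/validity` and `ucr get ssl/default/hashfunction`, and stopping with a clear message when either is empty, would make the failure visible before `openssl` is called.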
Comment 2 Philipp Hahn univentionstaff 2018-10-30 15:58:03 CET
Probably not a product bug, as the script is not part of UCS.
Probably a duplicate of Bug #47896.
Waiting for feedback from customer.
Comment 3 Stephan Hendl 2018-10-30 16:29:34 CET
Well, the script was originally written by Janis Meybohm from Univention staff some years ago. If "/etc/cron.daily/univention-ssl" does the same - we can ignore the other one.
Comment 4 Philipp Hahn univentionstaff 2018-10-30 16:37:19 CET
(In reply to Stephan Hendl from comment #3)
> Well, the script was originally written by Janis Meybohm from Univention
> staff some years ago. If "/etc/cron.daily/univention-ssl" does the same - we
> can ignore the other one.

The functionality to update the CRL is now part of "/etc/cron.daily/univention-ssl" and the update interval in days can be configured through the UCRV "ssl/crl/interval".
As the package currently has a bug, I close this bug as a duplicate of Bug #47896

*** This bug has been marked as a duplicate of bug 47896 ***
Comment 5 Stefan Gohmann univentionstaff 2018-11-07 09:26:51 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2018-11-07 09:27:06 CET
Nothing to release