Univention Bugzilla – Bug 50770
Bug or Feature? Shortname vs. FQDN in https:// Requests
Last modified: 2020-03-24 09:05:48 CET
Customer installed for some reason wildcard certificates in Apache on all his UCS servers. Thus, all https:// requests used this wildcard certificate.

Now there is an issue if the hostname (short) is not mentioned in the certificate as subject alternative name: "slave" does not match "*.local.domain.com".

Thus, curl reports an error:
==================================
root@ucs:~# curl https://slave
curl: (51) SSL: no alternative certificate subject name matches target host name 'slave'
==================================

Using fqdn it works fine:
==================================
root@ucs:~# curl https://slave.local.domain.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://slave.domain.com/univention/">here</a>.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at slave.domain.com Port 443</address>
</body></html>
==================================

So using the shortname is some sort of security enhancement as it verifies if the hostname is mentioned in the certificate. Otherwise we can prevent issues on the customers using wildcards by simply using fqdn which is much more secure...
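
The mismatch reported above, as an added example that is not part of the original report or of the UCS code: a simplified version of the check a TLS client applies to a certificate's dNSName entries, showing why the short name fails against the wildcard while the FQDN passes. The function names are hypothetical; the certificate name and the first two host names come from the report, the third host name is constructed.

```python
# Added example: simplified check of a host name against a certificate's
# dNSName entries (subjectAltName). Helper names are hypothetical.

def dns_name_matches(pattern, hostname):
    """Return True if one dNSName entry (literal or wildcard) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice in this sketch: only a whole left-most label may
        # be a wildcard, and at least two fixed labels must follow it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def host_covered(hostname, san_dns_names):
    """Return True if any dNSName entry covers the requested host name."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def request_name(hostname, domainname):
    """Name to put in the https:// URL: the FQDN, never the bare short name."""
    return hostname if "." in hostname else "%s.%s" % (hostname, domainname)


# Certificate name from the report; the last host name is constructed.
SAN = ["*.local.domain.com"]
CASES = ["slave", "slave.local.domain.com", "a.slave.local.domain.com"]

if __name__ == "__main__":
    for name in CASES:
        print("%-28s covered=%s" % (name, host_covered(name, SAN)))
    print(request_name("slave", "local.domain.com"))
```
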
*** Bug 50855 has been marked as a duplicate of this bug. ***
I had to change the frontend to use the fqdn instead of the hostname in different locations. The backend code had to be adapted as well. It should be backwards compatible with other ucs versions, which is important for the global app center to work.

46bf9b3e51 (HEAD -> 4.4-3) Bug #50770: yaml
0631187a09 (origin/4.4-3) Bug #50770: yaml
bbde3beeab Revert "Bug #50770: yaml"
458b09de46 Bug #50770: yaml
5a46cbc386 Bug #50770: changelog
cacccce973 Bug #50770: fix global appcenter for wildcard ssl certificates
80_docker.88_docker_env_file fails with

20-03-16 05:29:04.520367) Traceback (most recent call last):
(2020-03-16 05:29:04.520454) File "88_docker_env_file", line 64, in <module>
(2020-03-16 05:29:04.520517) assert ('TEST_HOSTNAME=%s' % ucr.get('hostname')) in env_container, env_container
(2020-03-16 05:29:04.520590) AssertionError: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
(2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
(2020-03-16 05:29:04.520616) HOME=/root
(2020-03-16 05:29:04.520640)

Could this be related to this bug? Please have a look.
(In reply to Felix Botner from comment #3)
> 80_docker.88_docker_env_file fails with
>
> 20-03-16 05:29:04.520367) Traceback (most recent call last):
> (2020-03-16 05:29:04.520454) File "88_docker_env_file", line 64, in <module>
> (2020-03-16 05:29:04.520517) assert ('TEST_HOSTNAME=%s' % ucr.get('hostname')) in env_container, env_container
> (2020-03-16 05:29:04.520590) AssertionError: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> (2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
> (2020-03-16 05:29:04.520616) HOME=/root
> (2020-03-16 05:29:04.520640)
>
> could this related to this bug?, please have look

No, nothing to do with this bug. The problem is the following:

the test uses
'univention-app', 'shell', name, 'env'
to get the container env, and univention-app uses appcenter/apps/APP_ID/container as container id for the main service, but during create this variable can be set to the wrong container if the services are using the same image
(In reply to Felix Botner from comment #4)
> (In reply to Felix Botner from comment #3)
> > 80_docker.88_docker_env_file fails with
> >
> > 20-03-16 05:29:04.520367) Traceback (most recent call last):
> > (2020-03-16 05:29:04.520454) File "88_docker_env_file", line 64, in <module>
> > (2020-03-16 05:29:04.520517) assert ('TEST_HOSTNAME=%s' % ucr.get('hostname')) in env_container, env_container
> > (2020-03-16 05:29:04.520590) AssertionError: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> > (2020-03-16 05:29:04.520607) HOSTNAME=a5c315d266ed
> > (2020-03-16 05:29:04.520616) HOME=/root
> > (2020-03-16 05:29:04.520640)
> >
> > could this related to this bug?, please have look
>
> no, nothing todo with this bug, problem is the following,
>
> the test uses
> 'univention-app', 'shell', name, 'env'
> to get the container env, and univention-app uses
> appcenter/apps/APP_ID/container as container id for the main service, but
> during create this variable can be set to the wrong container is the
> services using the same image

see Bug #50969
* OK - global App install from New on OLD (host: FQDN)
* OK - global App install from OLD on NEW
* OK - global App install from New on NEW (host: FQDN)
* OK - local App install
* OK - yaml
<http://errata.software-univention.de/ucs/4.4/485.html>