Can't activate UCS Core


#1

Hello everyone,

I have been trying to activate a new server that is to replace an old server. This server is UCS core edition 4.3. I can install the OS, but the license activation step fails.

When I enter my email into the activation textbox, I keep getting the error:
“The activation of UCS failed. Please re-try to perform the the activation again via the user menu in the top right.”

When I go to the page https://www.univention.com/downloads/license-models/licensing-conditions-ucs-core-edition/, I download the license, but I get the error:
“The import of the license failed. Check the integrity of the original file given to you. If this error persists, please contact Univention or your Univention partner.”

Here is the corresponding section in my /var/log/univention/management-console-web-server.log:

02.01.19 15:39:59.929  MAIN        ( PROCESS ) : SessionClient(0x7f31202b8ed0): _authenticated: success=True  status=200  message=None
02.01.19 15:39:59.929  MAIN        ( PROCESS ) : auth_type=None
02.01.19 15:40:19.540  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57344) response status code: 500
02.01.19 15:40:19.540  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57344) response message: An error occurred while contacting the license server: Connection refused
02.01.19 15:40:19.540  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57344) response result: None
02.01.19 15:40:19.540  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57344) response error: {'traceback': None, 'command': 'request_new_license'}
02.01.19 15:42:05.064  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57382) response status code: 500
02.01.19 15:42:05.064  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57382) response message: An error occurred while contacting the license server: Connection refused
02.01.19 15:42:05.064  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57382) response result: None
02.01.19 15:42:05.064  MAIN        ( PROCESS ) : CPCommand (150.156.193.1:57382) response error: {'traceback': None, 'command': 'request_new_license'}

It shouldn’t be a firewall issue as I am currently allowing all traffic to the server temporarily as a debugging method, as well as allowing all traffic out.

Does anyone have any thoughts? It looks like it could potentially be the Univention server blocking me? But if so, why would that be?

I would appreciate any assistance in this matter.


#2

I am pretty sure this is a network issue.

Check:

  • DNS resolution
  • Routing
  • Port forwarding, i.e. for proxies
  • Port 80/443 availability (i.e. test with nmap)

/CV


#3

DNS is working on the server. It doesn’t have a public DNS record - but neither have any of the other Univention servers I have set up in the past. I’ve set up Univention Core many, many times - this is the first time I’ve gotten this issue.
The firewall allows everything out, and established traffic is allowed back in.
My coworker did an NMAP from his workplace and even there (which has stringent firewall rules) he could see port 80 and 443. I can access them from anywhere.

A trace route from my laptop via an LTE hotspot (which is part of why there’s so much network lag):

 1  172.20.10.1 (172.20.10.1)  7.901 ms  3.171 ms  132.114 ms
 2  172.26.96.169 (172.26.96.169)  174.949 ms  162.839 ms  133.555 ms
 3  172.18.242.252 (172.18.242.252)  176.639 ms
    172.18.242.228 (172.18.242.228)  63.030 ms
    172.18.242.252 (172.18.242.252)  47.460 ms
 4  * * *
 5  12.83.172.162 (12.83.172.162)  95.078 ms  82.955 ms  43.328 ms
 6  cgr1.n54ny.ip.att.net (12.122.131.85)  44.700 ms  100.518 ms  45.132 ms
 7  * * *
 8  et-0-0-65.cr3-was1.ip4.gtt.net (89.149.142.242)  85.273 ms  84.318 ms  61.015 ms
 9  ip4.gtt.net (173.205.47.226)  50.097 ms  46.312 ms  66.657 ms
10  ae0-0.cr02.cley01-oh.us.windstream.net (40.136.99.149)  52.245 ms  56.641 ms  48.923 ms
11  ae6-0.cr01.cley01-oh.us.windstream.net (40.138.81.196)  79.397 ms  93.075 ms  186.398 ms
12  h209.249.128.40.static.ip.windstream.net (40.128.249.209)  74.594 ms  96.226 ms  54.721 ms
13  169.130.167.189 (169.130.167.189)  60.970 ms  76.058 ms  45.594 ms
14  h114.76.131.40.static.ip.windstream.net (40.131.76.114)  54.803 ms  75.135 ms  119.262 ms
15  192.52.220.20 (192.52.220.20)  91.648 ms  84.999 ms  54.577 ms
16  192.52.220.194 (192.52.220.194)  58.878 ms  106.675 ms  70.299 ms
17  150.156.193.2 (150.156.193.2)  69.663 ms  195.280 ms  72.486 ms

We don’t have any proxies set up. Our router is a standard PFSense box. Since the IP address is in the trace route as the final hop (this is fine really as the OS is sandboxed and it’s supposed to have an external address anyhow), you are free to check it from your end.

To my knowledge, everything seems fine. I can even wget the Univention.com index.html page. That is why I’m very confused.

We do have a free license for another server that uses the same base domain, would that cause a conflict?


#4

Hi,

Ehmmm… you are doing a traceroute from a different system and an nmap from a third system to verify the UCS has proper network access??? Why are you not doing these commands on the UCS server? There you should check if networking is fine…

We are not interested in connections TO the UCS system but FROM the UCS to the Univention system…

/CV
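
The checks listed in posts #2 and #4, run from the UCS host itself, as an added example (not part of the thread and not Univention code). It separates a DNS failure, a refused connection (the "Connection refused" in the log above), a silent drop and an open port; the default host and ports are taken from the thread, and the license server's own hostname is not given on the page, so pass it as an argument once known.

```python
import socket
import sys

def probe(host, port, timeout=5.0):
    """Try one outbound TCP connection per resolved address of host.

    Returns a list of (address, verdict) tuples; verdict is one of
    "dns-failure", "open", "refused", "timeout" or "unreachable".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(host, "dns-failure")]
    results, seen = [], set()
    for family, socktype, proto, _name, sockaddr in infos:
        if sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            verdict = "open"
        except ConnectionRefusedError:
            # A RST came back: the path works, but nothing accepts
            # connections on that address and port (or a proxy or
            # firewall in between actively rejected the attempt).
            verdict = "refused"
        except socket.timeout:
            # No answer at all: typical of a filter silently dropping.
            verdict = "timeout"
        except OSError:
            # No route, network down, ICMP unreachable and similar.
            verdict = "unreachable"
        finally:
            sock.close()
        results.append((sockaddr[0], verdict))
    return results

if __name__ == "__main__":
    # Defaults come from the thread; pass another host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "univention.com"
    for port in (80, 443):
        for address, verdict in probe(target, port):
            print(f"{target}:{port} via {address}: {verdict}")
```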


#5

I apologize. Considering I had been able to do things like system updates, DNS queries, pings, etc. from the system, my first thought was to check if things could properly come back IN. It was a bit of a misunderstanding.

Here are the results of trace route, ping, and nmap from the affected device to univention.com:

# traceroute 78.47.5.12
traceroute to 78.47.5.12 (78.47.5.12), 30 hops max, 60 byte packets
 1  150.156.193.1 (150.156.193.1)  0.255 ms  0.174 ms  0.126 ms
 2  192.52.220.193 (192.52.220.193)  0.490 ms  0.428 ms  0.488 ms
 3  192.52.220.2 (192.52.220.2)  0.714 ms  0.667 ms  0.618 ms
 4  h113.76.131.40.static.ip.windstream.net (40.131.76.113)  6.869 ms  6.837 ms  6.792 ms
 5  xe1-1-1-0.agr03.roch01-ny.us.windstream.net (169.130.167.186)  6.847 ms  6.808 ms  6.768 ms
 6  h4.248.128.40.static.ip.windstream.net (40.128.248.4)  14.085 ms  14.158 ms  14.081 ms
 7  xe-0-0-11-3.a00.nycmny13.us.bb.gin.ntt.net (129.250.193.157)  14.891 ms  14.855 ms  14.815 ms
 8  ae-4.r07.nycmny01.us.bb.gin.ntt.net (129.250.6.66)  14.779 ms  14.462 ms  14.409 ms
 9  ae-2.r25.nycmny01.us.bb.gin.ntt.net (129.250.3.97)  15.579 ms  15.536 ms ae-3.r25.nycmny01.us.bb.gin.ntt.net (129.250.6.208)  15.489 ms
10  ae-9.r24.frnkge08.de.bb.gin.ntt.net (129.250.2.5)  97.605 ms  99.880 ms  97.591 ms
11  ae-13.r03.frnkge03.de.bb.gin.ntt.net (129.250.6.207)  104.843 ms  98.843 ms  104.754 ms
12  213.198.82.130 (213.198.82.130)  98.595 ms  98.562 ms  98.518 ms
13  core11.nbg1.hetzner.com (213.239.252.22)  102.073 ms  102.020 ms core12.nbg1.hetzner.com (213.239.252.26)  102.037 ms
14  ex9k2.dc1.nbg1.hetzner.com (213.239.203.214)  101.973 ms ex9k2.dc1.nbg1.hetzner.com (213.239.203.218)  102.892 ms ex9k2.dc1.nbg1.hetzner.com (213.239.203.214)  101.959 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
# ping univention.com
PING univention.com (78.47.5.12) 56(84) bytes of data.
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=1 ttl=52 time=95.7 ms
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=2 ttl=52 time=95.7 ms
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=3 ttl=52 time=95.7 ms
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=4 ttl=52 time=95.6 ms
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=5 ttl=52 time=95.7 ms
64 bytes from dedi2924.your-server.de (78.47.5.12): icmp_seq=6 ttl=52 time=95.7 ms
^C
--- univention.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 95.697/95.767/95.798/0.401 ms

# nmap -sV -vv --version-trace univention.com

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-04 14:33 EST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 40 scripts for scanning.
Initiating Ping Scan at 14:33
Scanning univention.com (78.47.5.12) [4 ports]
Packet capture filter (device ens18): dst host 150.156.193.2 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 78.47.5.12)))
We got a ping packet back from 78.47.5.12: id = 38222 seq = 0 checksum = 27313
Completed Ping Scan at 14:33, 0.22s elapsed (1 total hosts)
Overall sending rates: 17.85 packets / s, 678.32 bytes / s.
mass_rdns: Using DNS server 150.156.193.2
Initiating Parallel DNS resolution of 1 host. at 14:33
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 14:33, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:33
Scanning univention.com (78.47.5.12) [1000 ports]
Packet capture filter (device ens18): dst host 150.156.193.2 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 78.47.5.12)))
Discovered open port 443/tcp on 78.47.5.12
Discovered open port 21/tcp on 78.47.5.12
Discovered open port 110/tcp on 78.47.5.12
Discovered open port 143/tcp on 78.47.5.12
Discovered open port 995/tcp on 78.47.5.12
Discovered open port 22/tcp on 78.47.5.12
Discovered open port 25/tcp on 78.47.5.12
Discovered open port 80/tcp on 78.47.5.12
Discovered open port 587/tcp on 78.47.5.12
Discovered open port 993/tcp on 78.47.5.12
Discovered open port 3306/tcp on 78.47.5.12
Increased max_successful_tryno for 78.47.5.12 to 1 (packet drop)
Increasing send delay for 78.47.5.12 from 0 to 5 due to 11 out of 30 dropped probes since last increase.
Increased max_successful_tryno for 78.47.5.12 to 2 (packet drop)
Increased max_successful_tryno for 78.47.5.12 to 3 (packet drop)
Increasing send delay for 78.47.5.12 from 5 to 10 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 78.47.5.12 from 10 to 20 due to 11 out of 19 dropped probes since last increase.
SYN Stealth Scan Timing: About 23.64% done; ETC: 14:35 (0:01:40 remaining)
Discovered open port 465/tcp on 78.47.5.12
Increased max_successful_tryno for 78.47.5.12 to 4 (packet drop)
Increasing send delay for 78.47.5.12 from 20 to 40 due to max_successful_tryno increase to 4

I cancelled the nmap after a few moments once I confirmed that, indeed, I could see ports 80, 443, and other relevant ports.


#6

I really hate to bump, but I am still having this issue and could still use help.