Cool-solutions and UCS 5.2 update

Hi,

We are not yet completely ready for the 5.2 update, but I’m seeing this notification in the “Software Update”:
The currently installed release version is 5.0-9 errata1213. Further release updates are available but cannot be installed. Component 'cool-solutions' is not yet available for newer release versions.

Yes, we are using cool-solutions for user and machine certificates. It is rather handy, so we wouldn’t want to lose it.

Is there any plan for cool-solutions to support 5.2?

bump
@Best @peichert
Any news on when the cool-solutions repo will get upgraded to support UCS 5.2?

We are working on this with low priority. It may take a few more weeks.

Thanks for a prompt response, at least we know it is being worked on.

We can easily wait a couple more months, if needs be. Especially reading about various issues people are having migrating to 5.2.

Which cool solution are you actually using?

Usercert is the main one.


Hi Best,

Yes, as pp303 mentioned, univention-usercert is the main one. I don’t have access to the environment right now but if I remember correctly we also had univention-windowscert installed.

I am also waiting for usercert

Is there an update on this?

Hi @jmeier,

Does the update of tags in this article mean the cool-solution repo is getting updated?

The GitHub repo hasn’t changed yet, so I wonder how far we still are from cool-solution on 5.2.

Changing the tags does mean the cool-solution user-cert adjustments are prepared for 5.2, while we are at the moment in internal QA. GitHub will be updated if the QA is finally done.

We plan to do some more preparation for other cool-solutions as well, so that we can release them together as a “bulk” in the next weeks.


Is there an update on this?

Been wondering the same thing. Was meant to be a few weeks, and we are getting well beyond that point.

Any update on the cool-solution repo will be greatly received.

PS. I know, I know, cool-solutions are not maintained and there never was any guarantee they will be continued. However, some provide ‘basic’ functionality and really should be incorporated into the UCS core.


I am getting the same response. Is there a solution for this?

“The update to UCS 5.1-0 is blocked because the component ‘cool-solutions’ is marked as required.”

Well, while waiting for this to get updated, some of my user certificates expired, and my ucsCA is also coming up for renewal… so I was forced to fix it myself.
This is what I did:

My situation was, and I am assuming at this point it is the same for you, that in order to update to UCS 5.2, you uninstalled the cool-solutions repo.

Once successfully updated, I tried to add back the cool-solutions repo, which works.
But installing univention-usercert and univention-windowscert does not work, as UCS 5.2 is missing the old Python 2.7 as a dependency.

Even if you had these packages installed from before the update, these scripts did not seem to work anymore after upgrading.

To fix it, this is what I did:

wget https://updates.software-univention.de/5.0/unmaintained/component/cool-solutions/all/univention-usercert_5.0.0-4A~5.0.0.202303221056_all.deb
wget https://updates.software-univention.de/5.0/unmaintained/component/cool-solutions/all/univention-ldap-usercert_5.0.0-4A~5.0.0.202303221056_all.deb
wget https://updates.software-univention.de/5.0/unmaintained/component/cool-solutions/all/univention-windowscert_5.0.0-4A~5.0.0.202303221056_all.deb

dpkg-deb -R univention-usercert_5.0.0-4A~5.0.0.202303221056_all.deb tmp

The last command unpacks the deb file into the ./tmp directory.
I edited the ./tmp/DEBIAN/control file and removed the Python 2.7 dependency, and also edited and removed the checksums from the ./tmp/DEBIAN/md5sums file.

To repackage the content into a deb file, do:

dpkg-deb -b tmp univention-usercert-fixed.deb

Repeat the same steps for the windowscert.deb package as well.
Then, to install, first remove the old packages if you still have them installed from before, and install the fixed ones after reinstalling the unmodified univention-ldap-usercert_5.0.0-4A~5.0.0.202303221056_all.deb:

apt purge univention-ldap-usercert univention-usercert univention-windowscert

dpkg -i univention-ldap-usercert_5.0.0-4A~5.0.0.202303221056_all.deb ./univention-usercert-fixed.deb ./univention-windowscert-fixed.deb

For me, the above worked, and now renewal of user and Windows certificates as well as the whole SSL chain worked. Caution: YMMV.
Also check that the associated install scripts run OK; to test it I uninstalled and reinstalled it multiple times, and it seems to work OK.
I did the installation step on both the primary and backup nodes.
Be sure to make a snapshot or full backup just in case something happens.
Also, I am not sure what will happen when Univention releases their version; for now I removed the cool-solutions repo.

1 Like
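
A way to audit the repack described in the post above before it goes into a change request, added here as an example and not part of the original post or of Univention's code. It compares the original and modified trees unpacked with dpkg-deb -R and reports which Depends entries were dropped and whether anything other than control and md5sums changed; the function names and the directory arguments are assumptions.

```shell
#!/bin/sh
# Audit a repacked .deb against its original. Both must already be unpacked
# with `dpkg-deb -R <file>.deb <dir>`; function names here are illustrative.
LC_ALL=C; export LC_ALL   # stable sort order for comm

# Depends entries of an unpacked package, one per line, sorted.
control_depends() {
    awk '/^Depends:/ { f = 1; sub(/^Depends:/, ""); print; next }
         f && /^[ \t]/ { print; next }   # folded continuation line
         { f = 0 }' "$1/DEBIAN/control" |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

# Control file with the whole Depends field dropped.
control_without_depends() {
    awk '/^Depends:/ { f = 1; next }
         f && /^[ \t]/ { next }
         { f = 0; print }' "$1/DEBIAN/control"
}

# Dependencies present in the original ($1) but missing from the repack ($2).
removed_depends() {
    a=$(mktemp); b=$(mktemp)
    control_depends "$1" > "$a"; control_depends "$2" > "$b"
    comm -23 "$a" "$b"; rm -f "$a" "$b"
}

# Dependencies that exist only in the repack (expected: none).
added_depends() {
    a=$(mktemp); b=$(mktemp)
    control_depends "$1" > "$a"; control_depends "$2" > "$b"
    comm -13 "$a" "$b"; rm -f "$a" "$b"
}

# Control fields other than Depends that changed (expected: none).
other_control_changes() {
    a=$(mktemp); b=$(mktemp)
    control_without_depends "$1" > "$a"; control_without_depends "$2" > "$b"
    diff "$a" "$b" || [ $? -eq 1 ]; rm -f "$a" "$b"
}

# Files that differ, maintainer scripts included. Files named control or
# md5sums are skipped (matched by basename) because the procedure edits both.
payload_changes() {
    diff -rq -x control -x md5sums "$1" "$2" || [ $? -eq 1 ]
}
```

Empty output from added_depends, other_control_changes and payload_changes means the only difference between the two packages is the list printed by removed_depends.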

Great hack @lleo, unfortunately this is just a hack. I wouldn’t mind using this at home, but when I have a whole domain with active users at stake I’m unlikely to risk it.
My boss would definitely reject the change request if I explained to him that this will involve a simple .deb modification :joy:

@Best @peichert Gents, the above is a working solution, any chance this could be looked at and implemented? Have you got any update as to when the cool-solution repo will be released?

PS. Can someone tell me if/how we could achieve the cool-solution user cert with the command line in UCS 5.2?
Is there a simple way to get certs created without the univention-certs app?

We’ve been delaying the upgrade to 5.2 for much too long now. All is ready, with Keycloak etc., and we need Debian 12 to become compliant.

I understand your concern and appreciate it.
Still, note to your boss that the original package files are not signed or protected, hence we are able to modify them.
Also study their content, as in essence all it installs is a bash script. All the commands used from the interface are in there…
On the question of why Univention does not fix it, as it probably would not take much effort: I have some thoughts, but that does not belong here.

Don’t use the UCS 5.0 cool solutions in UCS 5.2! They will break things as there have been slight API changes in UDM.

The Professional Services department is currently working on making them ready for UCS 5.2.

Thanks Best, unfortunately I was expecting that.

In the meantime, would you be able to let us know how to use the command line to get a user/machine cert in the absence of the univention-cert app?

I’m looking at the /usr/share/univention-ssl/make-certificates-user.sh but I can’t locate how to create a user (LDAP linked) cert request.

Should be doable with:

univention-ldapsearch -LLL '(&(objectClass=person)(uid=USERNAME))' userCertificate | ldapsearch-decode64
I have no system to test it.
And I am away for 10 days on vacation now.