IDP metadata - univention-run-join-scripts


#1

Hello,
While trying to run univention-run-join-scripts, the following packages remain pending; umc/saml/idp-server is left unset and the run exits with an error:

65univention-ox
92univention-management-console-web-server

[code]Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:00--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:01--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:03--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:04--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:05--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
--2015-11-20 12:01:07--  https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)... NOT-LOCAL-IPADDRESS
Connecting to ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)|NOT-LOCAL-IPADDRESS|:443... connected.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' is not trusted.
ERROR: The certificate of `ucs-sso.MYDOMAIN.com' hasn't got a known issuer.
The certificate's owner does not match hostname `ucs-sso.MYDOMAIN.com'
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Create umc/saml/idp-server
Module: ox-config
Module: setup_saml_sp
Try to download idp metadata (1/60)
Try to download idp metadata (2/60)
Try to download idp metadata (3/60)
Try to download idp metadata (4/60)
Try to download idp metadata (5/60)
Try to download idp metadata (6/60)
Try to download idp metadata (7/60)
Try to download idp metadata (8/60)
Try to download idp metadata (9/60)
Try to download idp metadata (10/60)
Try to download idp metadata (11/60)
Try to download idp metadata (12/60)
Try to download idp metadata (13/60)
Try to download idp metadata (14/60)
Try to download idp metadata (15/60)
Try to download idp metadata (16/60)
Try to download idp metadata (17/60)
Try to download idp metadata (18/60)
Try to download idp metadata (19/60)
Try to download idp metadata (20/60)
Try to download idp metadata (21/60)
Try to download idp metadata (22/60)
Try to download idp metadata (23/60)
Try to download idp metadata (24/60)
Try to download idp metadata (25/60)
Try to download idp metadata (26/60)
Try to download idp metadata (27/60)
Try to download idp metadata (28/60)
Try to download idp metadata (29/60)
Try to download idp metadata (30/60)
Try to download idp metadata (31/60)
Try to download idp metadata (32/60)
Try to download idp metadata (33/60)
Try to download idp metadata (34/60)
Try to download idp metadata (35/60)
Try to download idp metadata (36/60)
Try to download idp metadata (37/60)
Try to download idp metadata (38/60)
Try to download idp metadata (39/60)
Try to download idp metadata (40/60)
Try to download idp metadata (41/60)
Try to download idp metadata (42/60)
Try to download idp metadata (43/60)
Try to download idp metadata (44/60)
Try to download idp metadata (45/60)
Try to download idp metadata (46/60)
Try to download idp metadata (47/60)
Try to download idp metadata (48/60)
Try to download idp metadata (49/60)
Try to download idp metadata (50/60)
Try to download idp metadata (51/60)
Try to download idp metadata (52/60)
Try to download idp metadata (53/60)
Try to download idp metadata (54/60)
Try to download idp metadata (55/60)
Try to download idp metadata (56/60)
Try to download idp metadata (57/60)
Try to download idp metadata (58/60)
Try to download idp metadata (59/60)
Try to download idp metadata (60/60)
Could not download IDP metadata for https://ucs-sso.MYDOMAIN.com/simplesamlphp/saml2/idp/metadata.php
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Unsetting umc/saml/idp-server
Module: ox-config
Module: setup_saml_sp
Module: ox-config
EXITCODE=3

Fri Nov 20 12:01:08 EST 2015
univention-run-join-scripts finished[/code]

Rolando Riley


Join script failed on update to UCS 4.1
#2

Hello,

Did you have the SAML App installed before upgrading to UCS 4.1?
Is your server clock correct?
Please retry to execute the joinscripts using the Domain Join UMC module.
If this doesn't help, please check your SSL certificates for validity. You can generate new certificates using the certificates UMC module, followed by a forced re-execution of the join script 91univention-saml.inst.

If you are e.g. in an EC2 cloud, please consider:
sdb.univention.de/1352


#3

HI,
We didn't have/use this app installed before 4.1. This server's primary function is just email. Can we remove it to solve the problem?

Rolando


#4

Which server role does the system have?
You can set the values manually without doing a certificate check, but make sure nobody is currently attacking you via a MITM attack:

[code]eval "$(ucr shell)"
ucr set umc/saml/idp-server="https://ucs-sso.$domainname/simplesamlphp/saml2/idp/metadata.php"
wget -O "/usr/share/univention-management-console/saml/idp/ucs-sso.$domainname.xml" --no-check-certificate "https://ucs-sso.$domainname/simplesamlphp/saml2/idp/metadata.php"
ucr commit /etc/pam.d/univention-management-console
ucr commit /etc/ldap/sasl2/slapd.conf
univention-run-join-scripts[/code]

#5

It is a DC Master, but we really use this server just for email purposes, that's all.

This service is very foreign to me. And it is trying to resolve a name that hasn't been set either, which generates this problem.

===
--2015-11-23 16:58:09-- ucs-sso.MYDOMAIN.com/simplesaml … tadata.php
Resolving ucs-sso.MYDOMAIN.com (ucs-sso.MYDOMAIN.com)… failed: Name or service not known.

stdout is the same as in my initial post. It fails trying to download the IDP metadata due to bad name resolution.

Can we just get rid of SAML? Will it affect our email system? (LDAP, MySQL, Cyrus)

Rolando


#6

Currently it is not possible to remove SAML. I created [bug]40075[/bug] for this functionality.
The hostname ucs-sso.$domainname should be resolvable. A DNS A record for it should have been created by the join script 91univention-saml.inst.
Please execute the following commands to (re)create it and execute the failed join scripts again:

[code]IP="INSERT_THE_IP_OF_YOUR_DC_MASTER_HERE"
eval "(ucr shell)"
/usr/share/univention-directory-manager-tools/univention-dnsedit --ignore-exists "ucs-sso.$domainname" add a "ucs-sso.$domainname" "$IP"
nscd -i hosts[/code]

#7

[code]usr/share/univention-directory-manager-tools/univention-dnsedit --ignore-exists "ucs-sso.$domainname" add a "ucs-sso.$domainname" "$IP"
E: Zone ucs-sso. does not exist.[/code]

I will try adding this hostname into zone domainname.com via the web console.

Rolando


#8

Oh, my fault. There was a $ missing in the command. But yes, it can also be added via the Univention Management Console.

[code]IP="INSERT_THE_IP_OF_YOUR_DC_MASTER_HERE"
eval "$(ucr shell)"
/usr/share/univention-directory-manager-tools/univention-dnsedit --ignore-exists "ucs-sso.$domainname" add a "ucs-sso.$domainname" "$IP"
nscd -i hosts[/code]
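The manual procedure in post #4 downloads the IdP metadata with `--no-check-certificate` and asks you to trust that no MITM is in progress, and posts #5 to #8 show the download failing even earlier because `ucs-sso.$domainname` has no A record. The script below is an added example for this thread, not part of UCS or of the join scripts. It checks the SSO name resolves, fetches the metadata while verifying the server certificate against the UCS domain CA instead of skipping verification, and confirms that the response is IdP metadata for the expected entityID before writing it to the SP metadata directory used in post #4. Assumptions made for the example: the domain CA lives at `/etc/univention/ssl/ucsCA/CAcert.pem`, the IdP's entityID equals its metadata URL, and the embedded sample metadata document is constructed for the demo (a placeholder certificate string, not real key material). Run without arguments it validates the sample offline; run as `python3 check_idp_metadata.py MYDOMAIN.com` on the DC Master it performs the real download.

```python
#!/usr/bin/env python3
"""Pre-flight for the UCS SAML IdP metadata download (added example, not UCS code).
Fetches the metadata with the server certificate verified against the UCS domain CA
instead of --no-check-certificate, and checks the result is IdP metadata."""
import socket
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

UCS_CA_CERT = "/etc/univention/ssl/ucsCA/CAcert.pem"  # assumed location of the domain CA
IDP_METADATA_DIR = "/usr/share/univention-management-console/saml/idp"  # from post #4
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_url(domainname):
    """Metadata URL the join script polls; assumed to also be the IdP's entityID."""
    return "https://ucs-sso.%s/simplesamlphp/saml2/idp/metadata.php" % domainname

def resolvable(hostname):
    """True if the SSO name resolves; posts #5-#8 failed at this step."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False

def fetch_metadata(url, ca_file=UCS_CA_CERT, timeout=10):
    """Download over TLS trusting only the UCS CA, with hostname checking;
    fails closed on a MITM or a certificate issued for another name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()

def validate_metadata(xml_bytes, expected_entity_id):
    """Return entityID, signing certs and SSO endpoints; raise ValueError for an
    HTML error page (the 404 in post #11), SP metadata or another IdP's metadata."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root is %s, not md:EntityDescriptor" % root.tag)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError("entityID %r, expected %r" % (entity_id, expected_entity_id))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' covers signing too
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    return {"entityID": entity_id, "signing_certs": certs, "sso_locations": sso}

# Constructed sample in the shape simplesamlphp serves; the certificate body is a
# placeholder string, not real key material.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC...PLACEHOLDER...
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ucs-sso.example.com/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def main(argv):
    if len(argv) < 2:  # no domain given: offline demo on the constructed sample
        info = validate_metadata(SAMPLE_METADATA, idp_url("example.com"))
        print("sample OK:", info["entityID"], len(info["signing_certs"]), "signing cert(s)")
        return 0
    host = "ucs-sso." + argv[1]
    if not resolvable(host):
        print(host, "does not resolve: create the A record first (post #8)")
        return 1
    url = idp_url(argv[1])
    data = fetch_metadata(url)  # ssl.SSLCertVerificationError on an untrusted cert
    info = validate_metadata(data, url)
    path = "%s/%s.xml" % (IDP_METADATA_DIR, host)
    with open(path, "wb") as fh:
        fh.write(data)
    print("wrote", path, "for entityID", info["entityID"])
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the certificate check fails here, that is the same condition the first post's wget output reported (unknown issuer or hostname mismatch), and the fix is the one post #2 gives (regenerate the certificates and re-run 91univention-saml.inst), not disabling verification. After the file is in place, the remaining steps are the two `ucr commit` calls and `univention-run-join-scripts` from post #4.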

#9

FIXED! All commands need to be performed. ucs-sso.$domainname needs to be resolvable by whatever DNS you have configured in /etc/resolv.conf.

Thanks,

Rolando Riley


#10

Nice to hear that it works now :)


#11

Hi,
I had the same problem and I could (apparently) run the join scripts - there are no scripts shown as pending.

I had to manually add ucs-sso.MYDOMAIN to the DNS, then execute the script from IDP metadata - univention-run-join-scripts.

However, there are still errors while executing these commands.

[quote]ucr set umc/saml/idp-server="https://ucs-sso.$domainname/simplesamlphp/saml2/idp/metadata.php"[/quote] is yelling about certificate errors (as shown in the first post in this thread): the certificate is not trusted, it has been issued by an unknown publisher and it doesn't match the hostname.

[quote]wget -O …[/quote] only warns about the certificate problems, but then, for the HTTP request, there’s a “404 Not Found” error.

So, is there anything I should do here? Or can I ignore the described problems?


#12

Hello Jeff,

if no scripts are shown as pending and if you can make a single sign on login via your.server/univention-management-console/saml/ everything is fine!
Otherwise additional steps are required.