Join-script error after installing Wordpress

tpfann · May 17, 2018, 3:22pm

Hi @ll,

after installing Wordpress, i got this error from the dependening join-script (50wordpress.inst):

univention-run-join-scripts started
Do 17. Mai 16:55:18 CEST 2018

RUNNING 50wordpress.inst
2018-05-17 16:55:22.156154900+02:00 (in joinscript_init)
Object exists: cn=services,cn=univention,dc=cxxxx,dc=intranet
Object exists: cn=Wordpress,cn=services,cn=univention,dc=cxxxx,dc=intranet
WARNING: cannot append Wordpress to service, value exists
No modification: cn=CXXXX-UCS,cn=dc,cn=computers,dc=cxxxx,dc=intranet
Object exists: (group) : wordpress-editors
Object exists: (group) : wordpress-authors
Object exists: (group) : wordpress-contributors
Object exists: (group) : wordpress-subscribers
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
EXITCODE=51

Do 17. Mai 16:55:32 CEST 2018
univention-run-join-scripts finished

My UCS iinstallation is 4.3-0 errata83:
Any idea where i can find some more information for the root cause or how this can be fixed?

Any hint would be much appreciated.

tpfann · May 18, 2018, 1:39pm

while investigating for EXITCODE=51 I came across this posting:

As I’m using a LetsEncrypt certificate as well, I’m wondering if the root cause for my issues could be the same as described in the above post. How can I find out?

botner · May 22, 2018, 8:43am

Hi,

yes, it seems that the wordpress join-script is not “LetsEncrypt” ready at the moment.

curl -s -X POST \
                --cacert /etc/univention/ssl/ucsCA/CAcert.pem \
                -d "language=$wp_language" \
                https://$(hostname -f)/wordpress/wp-admin/install.

we have to fix that in the join script.

Workaround (untested), please remove the “–cacert /etc/univention/ssl/ucsCA/CAcert.pem” from all curl calls in the join script and run univention-run-join-scripts (i am not sure but i think the letsenrypt app puts the root certificate into the global certificate store by now)

best regards,
Felix

tpfann · May 22, 2018, 10:58am

Hi Felix,

thx for your feedback and the provided workaround solution.
As the issue seems less critical at the moment, I’ll wait for the fixed script.

Best regards,
Thomas

botner · May 23, 2018, 12:47pm

OK, i modified the wordpress join script (removed --cacert from the curl calls). Join works with the standard UCS root ca (as use registers the root ca in the global ca store, lets hope the letsencrypt app does the same).

Please remove and re-install the app

on the command line:

univention-app remove wordpress
univention-app update
univention-app install wordpress

best regards,
Felix

tpfann · May 23, 2018, 1:25pm

Hi Felix,

that was quick, thx for this - will give it a try later.
Just wondering if this is already the final fix or just a temporary solution?

Best regards
Thomas

botner · May 24, 2018, 9:21am

Hi,

this should be the final fix for the wordpress app (rely on the global certificates store rather than specify the --cacert curl paramater).

The letsenrypt App also stores its root ca certificates in the global certificates store (i havn’t actually tested this, but i have been told that indeed this is the case ), so we should be good

Best regards,
Felix

tpfann · May 28, 2018, 7:27am

Hi Felix,

followed your above instructions:

After this, the same (!) Wordpress installation (including the already edited content) as before came up again?! The script (50wordpress.inst) ran into the same error again.

Did I missed somehing, e.g. manually remove docker-container, reboot the machine or something else?

Best regards
Thomas

botner · May 28, 2018, 9:24am

After this, the same (!) Wordpress installation

that is normal, the wordpress files are in a docker volume (a directory mapped to the docker host) and the data/config in a database on the host, both are not removed and are reused.

But the join script 50wordpress.inst should be the new one, can you post this file?

Best regards,
Felix

tpfann · May 28, 2018, 10:21am

Hi Felix,

here comes the script:

50wordpress.inst.txt (6.2 KB)

Files was taken from /usr/lib/univention-install

Join-Protokoll (still Exit-Code 51):

univention-run-join-scripts started
Mo 28. Mai 09:18:34 CEST 2018

RUNNING 50wordpress.inst
2018-05-28 09:18:39.579141869+02:00 (in joinscript_init)
Object exists: cn=services,cn=univention,dc=cxxxx,dc=intranet
Object exists: cn=Wordpress,cn=services,cn=univention,dc=cxxxx,dc=intranet
WARNING: cannot append Wordpress to service, value exists
No modification: cn=Cxxxx-UCS,cn=dc,cn=computers,dc=cxxxx,dc=intranet
Object exists: (group) : wordpress-editors
Object exists: (group) : wordpress-authors
Object exists: (group) : wordpress-contributors
Object exists: (group) : wordpress-subscribers
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
EXITCODE=51

Mo 28. Mai 09:18:51 CEST 2018
univention-run-join-scripts finished

Best regards
Thomas

botner · May 29, 2018, 2:47pm

OK, my initial analysis was wrong, the problem is not the certificate in the wordpress container but that fact, that the wordpress join script (executed on the host) wants to establish a https connection to the system with the UCS hostname (curl https://$UCS_HOSTNAME/wordpress/setup…).
This fails with letsenrypt because the apache is using the new cert which is only valid for the external DNS name (the name letsenrypt is using) not the actual hostname of the system.

Quick fix is to use http://localhost instead of https://$(hostname -f) in the join script (should be ok from a security standpoint, because of localhost). This is now changed in the wordpress app.

Could you try again (remove, update, install) and let me know if this works now?

Real fix is to change the letsenrypt app. The apache SSL configuration should use the letsenrypt certificate only for the external DNS name (virtual host) not for the real system name.

Best regards,
Felix

tpfann · May 29, 2018, 3:11pm

Hi Felix,

I can confirm that your “quick fix” is working:

RUNNING 50wordpress.inst
2018-05-29 17:07:19.550439393+02:00 (in joinscript_init)
Object exists: cn=services,cn=univention,dc=cxxxx,dc=intranet
Object created: cn=Wordpress,cn=services,cn=univention,dc=cxxxx,dc=intranet
Object modified: cn=Cxxxx,cn=dc,cn=computers,dc=cxxxx,dc=intranet
Object exists: (group) : wordpress-editors
Object exists: (group) : wordpress-authors
Object exists: (group) : wordpress-contributors
Object exists: (group) : wordpress-subscribers
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
2018-05-29 17:07:40.003158241+02:00 (in joinscript_save_current_version)
**EXITCODE=0**

Well done Thank you Felix.

Best regards
Thomas