Let's Encrypt CAA Rechecking bug

You may have seen reports in the media about the recent issue which caused the revocation of certain Let's Encrypt certificates.
More details can be found in the Bug Report and Revoking certain certificates on March 4.
As reported, only domains using DNS Certification Authority Authorization are affected.
There is a checking tool available at Check whether a host's certificate needs replacement.

In case you are affected you can simply get a new certificate by running as root:

/usr/share/univention-letsencrypt/refresh-cert-cron 

In UMC it should be sufficient to navigate to the App Settings of the Let's Encrypt App, switch to the "Let's Encrypt Test-CA", save settings and switch back to the default CA afterwards.

I’m affected and I tried as root:

/usr/share/univention-letsencrypt/refresh-cert-cron
mer 4 mar 2020, 09.31.53, CET
Refreshing certificate for following domains:
domain.xxx.xxx
Parsing account key…
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 74, in get_crt
out = _cmd(["openssl", "rsa", "-in", account_key, "-noout", "-text"], err_msg="OpenSSL Error")
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 28, in _cmd
raise IOError("{0}\n{1}".format(err_msg, err))
IOError: OpenSSL Error
Can't open /etc/univention/letsencrypt/account.key for reading, Permission denied
139668550312000:error:0200100D:system library:fopen:Permission denied:…/crypto/bio/bss_file.c:74:fopen('/etc/univention/letsencrypt/account.key','r')
139668550312000:error:2006D002:BIO routines:BIO_new_file:system lib:…/crypto/bio/bss_file.c:83:
unable to load Private Key

Setting letsencrypt/status
Module: ox-config
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

What can I do?

I changed permissions with:

setfacl -m u:letsencrypt:r-- account.key

and I solved the problem.
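The failure in this thread is worth catching before the cron job runs, because refresh-cert-cron still executes the post-refresh hooks after the ACME step fails, so a stale certificate can stay deployed without an obvious error. The following pre-flight check is an added example and is not part of the thread, of the Univention Let's Encrypt app or of acme_tiny: it takes the account key path and the `letsencrypt` service user from the thread, and it assumes the `getfacl` command from the acl package is installed (without it, only ownership and mode bits are evaluated). It reports two kinds of findings: the key is not readable by the service user (the error seen above), or the key is world-readable (the opposite mistake, which a quick `chmod 644` fix would introduce).

```python
"""Pre-flight check for the Let's Encrypt account key before refresh-cert-cron runs.

Added example, not code from the thread or from the Univention app. Assumes the
ACME client runs as the "letsencrypt" user (the user the thread grants access to
with setfacl) and that GNU `getfacl` is available for reading POSIX ACL entries.
"""
import os
import pwd
import stat
import subprocess

ACCOUNT_KEY = "/etc/univention/letsencrypt/account.key"  # path from the thread
SERVICE_USER = "letsencrypt"                             # service user from the thread


def acl_users_with_read(path):
    """Return the named users granted read access through POSIX ACL entries.

    Parses `getfacl --omit-header` output such as "user:letsencrypt:r--" and
    honours a restrictive mask ("#effective:---"). Returns an empty set when
    getfacl is not installed or the file carries no named-user entries.
    """
    try:
        out = subprocess.run(
            ["getfacl", "--omit-header", path],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return set()
    users = set()
    for line in out.splitlines():
        entry, _, effective = line.partition("#effective:")
        parts = entry.strip().split(":")
        # "user::rw-" is the owner entry (empty name); named users carry a name
        if len(parts) == 3 and parts[0] == "user" and parts[1]:
            perms = effective.strip() if effective else parts[2]
            if "r" in perms:
                users.add(parts[1])
    return users


def check_account_key(path=ACCOUNT_KEY, service_user=SERVICE_USER):
    """Return a list of findings; an empty list means the key is usable and not over-exposed."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s does not exist" % path]
    mode = stat.S_IMODE(st.st_mode)

    # An account key is a private key: nobody outside the service should read it.
    if mode & stat.S_IROTH:
        findings.append("exposed: %s is world-readable (mode %o)" % (path, mode))

    # The service user can read the key either as its owner or through an ACL entry.
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = None
    owner_can_read = owner == service_user and bool(mode & stat.S_IRUSR)
    acl_can_read = service_user in acl_users_with_read(path)
    if not (owner_can_read or acl_can_read):
        findings.append(
            "unreadable: user %s cannot read %s; the thread's fix is "
            "setfacl -m u:%s:r-- %s" % (service_user, path, service_user, path)
        )
    return findings


if __name__ == "__main__":
    problems = check_account_key()
    for problem in problems:
        print(problem)
    raise SystemExit(1 if problems else 0)
```

Run it as root before invoking refresh-cert-cron, or as the first step of the cron job so that a permission problem stops the run instead of letting the post-refresh hooks restart services with the old certificate. Group-readable keys are deliberately not treated as satisfying the check, so a key shared through a group shows up as "unreadable" and should be granted through an explicit ACL entry as in the thread.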
