Lost CAcert.pem

Is there anything I can do if I lost my CAcert.pem? A way to generate all new certificates? I have tried using testdisk to recover, but it looks like the data has been overwritten. I’m running a DC backup as well. Does it have a copy of the certificate somewhere?

Edit: I had exported the certificate so I could import it into my Firefox, but didn’t keep the exported file, and then I accidentally deleted the original as well. I have exported the certificate from Firefox and copied it back to the DC, which now starts its services, but I cannot access the web interface of the DC or the backup DC. I get “An error occurred while connecting to the server, please try again later.”

Edit: There’s still more wrong. DNS isn’t working.

Hey,

a DC Backup contains a copy of all certificates, in fact, the whole directory tree /etc/univention/ssl should exist on your DC Backup.

That being said, it is possible that the DC Backup will sync the deletion of the file as well.

If you don’t have a copy on your DC Backup anymore, you could look into the procedure to renew the whole certificate chain including the CA certificate. This is described in the following post:

This will also regenerate the server certificates which will likely fix your issues with all the services not working (as all of them rely on encrypted connections to the LDAP server in the end).

Last but not least you should really look into setting up daily backups of your servers. I cannot stress how important having complete, recoverable, fresh backups is.

m.

1 Like

@Moritz_Bunkus, you are a LIFE SAVER. I am up and running again. Thank you thank you thank you!

I will definitely start doing backups. I hadn’t considered that deletions would be replicated and thought the DC backup was all I needed. Is there a recommended procedure?

Thank you again!

I still have a minor issue. I was going through the SAML SSO section of Renewing the SSL certificates and found that I don’t have an /etc/univention/ssl/ucs-sso.[mydomain] directory. Apache is failing to start on the backup DC because it can’t find cert.pem in that directory.

Did I miss a step somewhere?

If your SAML SSO certificate is completely missing, you should be able to recreate it by executing the following commands on your DC Master (based on the SAML setup code in /usr/lib/univention-install/91univention-saml.inst):

eval "$(ucr shell)"

univention-certificate new -name "${ucs_server_sso_fqdn}" -days "${ssl_default_days:-1825}"
cp "/etc/univention/ssl/${ucs_server_sso_fqdn}/cert.pem" "${saml_idp_certificate_certificate}"
cp "/etc/univention/ssl/${ucs_server_sso_fqdn}/private.key" "${saml_idp_certificate_privatekey}"
chown root:samlcgi "${saml_idp_certificate_certificate}" "${saml_idp_certificate_privatekey}"
chmod 644 "${saml_idp_certificate_certificate}"
chmod 640 "${saml_idp_certificate_privatekey}"

Be sure to run this after having recreated your CA certificate, of course; the CA certificate must exist and be valid at this point.

After that step continue with the SAML SSO section, meaning the distribution of said certificate to the other machines in the domain that offer SAML.

2 Likes

I’m getting a bit further each time and I really appreciate your help.

When I do this step on the master:

ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || echo 'Failed!'

I’m getting this:

curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-sso.[my domain]'
[ ok ] Reloading univention-management-console-web-server configuration (via systemctl): univention-management-console-web-server.service.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Could not download IDP metadata for https://ucs-sso.[my domain]/simplesamlphp/saml2/idp/metadata.php
Failed!

If I browse to https://ucs-sso.[my domain] and view the certificate, it does show ucs-sso.[my domain] as the Common Name (CN). I’m quite out of my depth here, though, so I’m not sure if I’m looking for the problem in the right place.

Thanks so much for your help.

@Moritz_Bunkus, I hope you haven’t given up on me! :slightly_smiling_face:

I have found the curl error mentioned here and checked that ucs/server/sso/fqdn is correct and the certificate referred to by /etc/apache2/sites-enabled/univention-saml exists.

Since the web interface is working now, I tried “Create a new root certificate”. It was successful, but I ended up with the same error at the same step in the SAML SSO instructions. I am seeing different results in my browser now:

When I go to https://ucs-sso.[my domain], I get redirected to https://[hostname].[my domain]/univention/portal/ and the certificate common name is [hostname].[my domain] and no alternate names are shown.

When I go to https://ucs-sso (with no domain), there is no redirect, and the certificate common name is still [hostname].[my domain] with no alternate names.

/etc/univention/ssl/ucs-sso.[my domain]/cert.pem does specify:

CN=ucs-sso.[my domain]/emailAddress=ssl@[my domain]

so it appears to have been generated correctly, but the web server is serving the wrong certificate for the hostname. I have never edited anything in the apache2 confs, so I don’t know how this is happening.

Thanks for your help.

Hey,

note that nowadays the common name field isn’t actually relevant anymore — there must be a “subject alternative name” (SAN) entry for all (!) host names the certificate is supposed to be valid for.

For quite a long time certificates created by UCS did not actually have SAN entries. If you started out with such a certificate and only ever renewed it, the SAN would never have been added.

So let’s take a closer look at the certificates in question. Please post the output of the following commands:

openssl s_client -connect ucs-sso.$(ucr get domainname):443 < /dev/null | openssl x509 -in - -noout -text | grep -iEA 2 subject
openssl x509 -in /etc/univention/ssl/ucs-sso.$(ucr get domainname)/cert.pem -noout -text | grep -iEA 2 subject
1 Like

I just realized I was looking at the Apache univention-saml.conf on the backup, not the master. The conf on the master has no SSLCertificateFile, SSLCertificateKeyFile, or SSLCACertificateFile directives at all. I guess that must be the problem.

Just in case it’s still relevant, here is the output of those commands.

On the master DC:

# openssl s_client -connect ucs-sso.$(ucr get domainname):443 < /dev/null | openssl x509 -in - -noout -text | grep -iEA 2 subject
depth=1 C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=kggd5SxB), emailAddress = ssl@[my domain]
verify return:1
depth=0 C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = [master hostname].[my domain], emailAddress = ssl@[my domain]
verify return:1
        Subject: C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = [master hostname].[my domain], emailAddress = ssl@[my domain]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--
            X509v3 Subject Key Identifier:
DONE
                64:9A:E5:1A:CB:E7:D6:BC:02:C4:02:97:5C:D9:59:17:3E:79:51:DD
            X509v3 Authority Key Identifier:
--
            X509v3 Subject Alternative Name:
                DNS:[master hostname].[my domain], DNS:[master hostname]
    Signature Algorithm: sha256WithRSAEncryption

# openssl x509 -in /etc/univention/ssl/ucs-sso.$(ucr get domainname)/cert.pem -noout -text | grep -iEA 2 subject
        Subject: C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = ucs-sso.[my domain], emailAddress = ssl@[my domain]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--
            X509v3 Subject Key Identifier:
                B9:BB:49:17:19:EE:D3:85:3B:4A:70:C0:BB:B2:1A:5D:FF:8B:8B:E3
            X509v3 Authority Key Identifier:
--
            X509v3 Subject Alternative Name:
                DNS:ucs-sso.[my domain], DNS:ucs-sso
    Signature Algorithm: sha256WithRSAEncryption

On the backup DC:

# openssl s_client -connect ucs-sso.$(ucr get domainname):443 < /dev/null | openssl x509 -in - -noout -text | grep -iEA 2 subject
depth=1 C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=kggd5SxB), emailAddress = ssl@[my domain]
verify error:num=19:self signed certificate in certificate chain
DONE
        Subject: C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = [backup hostname].[my domain], emailAddress = ssl@[my domain]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--
            X509v3 Subject Key Identifier:
                CA:16:C8:D1:DF:AD:35:8C:4C:53:5D:05:6F:69:7F:2E:25:B8:FC:B3
            X509v3 Authority Key Identifier:
--
            X509v3 Subject Alternative Name:
                DNS:[backup hostname].[my domain], DNS:[backup hostname]
    Signature Algorithm: sha256WithRSAEncryption

# openssl x509 -in /etc/univention/ssl/ucs-sso.$(ucr get domainname)/cert.pem -noout -text | grep -iEA 2 subject
        Subject: C = CA, ST = Alberta, L = [my city], O = [my surname] Home, OU = Univention Corporate Server, CN = ucs-sso.[my domain], emailAddress = ssl@[my domain]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--
            X509v3 Subject Key Identifier:
                B9:BB:49:17:19:EE:D3:85:3B:4A:70:C0:BB:B2:1A:5D:FF:8B:8B:E3
            X509v3 Authority Key Identifier:
--
            X509v3 Subject Alternative Name:
                DNS:ucs-sso.[my domain], DNS:ucs-sso
    Signature Algorithm: sha256WithRSAEncryption

I really appreciate all the effort you’re putting into this. I’d be lost without you.

Hey,

That both your DC Master and your DC Backup use certificates with their regular host names as SANs during the connection implies that neither of them currently uses a valid virtual host configuration for the ucs-sso.… host name. So let’s dig deeper.

Please post the output from the following commands from both your DC Master & your DC Backup:

ucr search --brief '^saml' | grep -Fv '<empty>'
ls /etc/apache2/sites-enabled/univention-saml.conf

Thanks.

1 Like

Just wanted to make sure you caught that /etc/apache2/sites-available/univention-saml.conf on the master has no directives pointing to the certificate files. I’m wondering if I need to run the 08univention-apache join script, but I seem to be really good at screwing things up, so don’t want to do that without your advice.

Master:

# ucr search --brief '^saml' | grep -Fv '<empty>'
saml/idp/authsource: univention-ldap
saml/idp/certificate/certificate: /etc/simplesamlphp/ucs-sso.[my domain]-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/ucs-sso.[my domain]-idp-certificate.key
saml/idp/enableSAML20-IdP: true
saml/idp/entityID: https://ucs-sso.[my domain]/simplesamlphp/saml2/idp/metadata.php
saml/idp/https: true
saml/idp/ldap/get_attributes: 'uid', 'mailPrimaryAddress', 'enabledServiceProviderIdentifier'
saml/idp/ldap/search_attributes: 'uid', 'mailPrimaryAddress'
saml/idp/lookandfeel/theme: univentiontheme:univention
saml/idp/negotiate: true
saml/idp/show-errors: true

# ls /etc/apache2/sites-enabled/univention-saml.conf
/etc/apache2/sites-enabled/univention-saml.conf

Backup:

# ucr search --brief '^saml' | grep -Fv '<empty>'
saml/idp/authsource: univention-ldap
saml/idp/certificate/certificate: /etc/simplesamlphp/ucs-sso.[my domain]-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/ucs-sso.[my domain]-idp-certificate.key
saml/idp/enableSAML20-IdP: true
saml/idp/entityID: https://ucs-sso.[my domain]/simplesamlphp/saml2/idp/metadata.php
saml/idp/https: true
saml/idp/ldap/get_attributes: 'uid', 'mailPrimaryAddress', 'enabledServiceProviderIdentifier'
saml/idp/ldap/search_attributes: 'uid', 'mailPrimaryAddress'
saml/idp/lookandfeel/theme: univentiontheme:univention
saml/idp/negotiate: true
saml/idp/show-errors: true

# ls /etc/apache2/sites-enabled/univention-saml.conf
/etc/apache2/sites-enabled/univention-saml.conf

I did read your statement above.

What you’ve just posted looks just fine. There are some more things to post & try, please (again on both servers):

univention-check-templates
ucr search --brief /sso/
ucr commit /etc/apache2/sites-available/univention-saml.conf
grep -i sslcertificate /etc/apache2/sites-available/univention-saml.conf
1 Like

Ah, good. Here we go:

Master:

# univention-check-templates

# ucr search --brief /sso/
ucs/server/sso/autoregistraton: <empty>
ucs/server/sso/certificate/download: <empty>
ucs/server/sso/certificate/generation: <empty>
ucs/server/sso/fqdn: ucs-sso.[my domain]
ucs/server/sso/virtualhost: true
umc/web/sso/enabled: true
umc/web/sso/newwindow: true

# ucr commit /etc/apache2/sites-available/univention-saml.conf
File: /etc/apache2/sites-available/univention-saml.conf

# grep -i sslcertificate /etc/apache2/sites-available/univention-saml.conf
        SSLCertificateFile /etc/univention/ssl/ucs-sso.[my domain]/cert.pem
        SSLCertificateKeyFile /etc/univention/ssl/ucs-sso.[my domain]/private.key

Backup:

# univention-check-templates
# ucr search --brief /sso/
ucs/server/sso/autoregistraton: <empty>
ucs/server/sso/certificate/download: <empty>
ucs/server/sso/certificate/generation: <empty>
ucs/server/sso/fqdn: ucs-sso.[my domain]
ucs/server/sso/virtualhost: true
umc/web/sso/enabled: true
umc/web/sso/newwindow: true

# ucr commit /etc/apache2/sites-available/univention-saml.conf
File: /etc/apache2/sites-available/univention-saml.conf

# grep -i sslcertificate /etc/apache2/sites-available/univention-saml.conf
        SSLCertificateFile /etc/univention/ssl/ucs-sso.[my domain]/cert.pem
        SSLCertificateKeyFile /etc/univention/ssl/ucs-sso.[my domain]/private.key

Thanks.

Getting the right certificate now and was able to complete all the SAML SSO steps on both machines. Thank you so much! I don’t know what went wrong there, but everything is perfect now.

Hey,

seems that regenerating the files via ucr commit … might have fixed them. So let’s tell Apache to reload its config & see if that helps:

systemctl reload apache2
openssl s_client -connect $(ucr get fqdn):443 -servername ucs-sso.$(ucr get domainname) < /dev/null | openssl x509 -in - -noout -text | grep -iA 2 subject

m.
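Two things in this thread decide whether the SAML endpoint is accepted: the served certificate must list the host name as a Subject Alternative Name (the CN alone no longer counts, as explained a few posts up), and which certificate Apache serves depends on the SNI name the client sends (older openssl s_client versions send none unless -servername is given, so they get the default virtual host’s certificate). The following is an added example for this thread, not code from the original posts or from Univention: it parses the Subject and SAN lines as openssl x509 -noout -text prints them, applies the SAN-only rule, and models Apache’s name-based vhost selection. All host names and the vhost list are constructed placeholders.

```python
"""Check which certificate a name-based virtual host would serve and whether
a host name is accepted by it, from `openssl x509 -noout -text` output.

Added example (not from the thread or from Univention). Only SAN entries are
consulted, as curl and browsers do today; vhost selection mimics Apache:
the SNI name picks the vhost, no SNI (or no match) gives the first vhost.
"""
import re

# Constructed sample output in the same shape as the grep'ed output in the
# thread, with placeholder names instead of the poster's domain.
CERT_MASTER = """\
        Subject: C = CA, ST = Alberta, O = Example Home, CN = master.example.test, emailAddress = ssl@example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            X509v3 Subject Alternative Name:
                DNS:master.example.test, DNS:master
    Signature Algorithm: sha256WithRSAEncryption
"""

CERT_SSO = """\
        Subject: C = CA, ST = Alberta, O = Example Home, CN = ucs-sso.example.test, emailAddress = ssl@example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            X509v3 Subject Alternative Name:
                DNS:ucs-sso.example.test, DNS:ucs-sso
    Signature Algorithm: sha256WithRSAEncryption
"""

# A certificate from before SAN entries were added: CN only, no SAN section.
CERT_LEGACY_CN_ONLY = """\
        Subject: C = CA, ST = Alberta, O = Example Home, CN = ucs-sso.example.test, emailAddress = ssl@example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
"""

_CN_RE = re.compile(r"^\s*Subject:.*?\bCN = ([^,\n]+)", re.M)
_SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)")


def parse_names(text):
    """Return (cn, [dns_san, ...]) from openssl -text output; SANs lowercased."""
    m = _CN_RE.search(text)
    cn = m.group(1).strip() if m else None
    sans = []
    m = _SAN_RE.search(text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.append(entry[4:].lower())
    return cn, sans


def _label_match(pattern, host):
    """RFC 6125 style match: a wildcard may only replace the leftmost label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def host_matches_cert(host, text):
    """True if a modern client would accept the certificate `text` for `host`.
    Only SAN entries are consulted; a CN-only certificate never matches."""
    _, sans = parse_names(text)
    host = host.lower().rstrip(".")
    return any(_label_match(s, host) for s in sans)


def select_vhost_cert(vhosts, sni):
    """vhosts: list of (ServerName, cert_text) in Apache config order.
    Returns the cert of the vhost whose name equals the SNI name, else the
    default (first) vhost's cert, which is also what a client without SNI gets."""
    if sni:
        for name, cert in vhosts:
            if name.lower() == sni.lower():
                return cert
    return vhosts[0][1]


def diagnose(host, sni, vhosts):
    """Which certificate does the client receive, and does it cover `host`?"""
    cert = select_vhost_cert(vhosts, sni)
    cn, sans = parse_names(cert)
    return {"cn": cn, "sans": sans, "ok": host_matches_cert(host, cert)}


# Constructed vhost order: the regular host's vhost first, the SSO vhost second.
VHOSTS = [("master.example.test", CERT_MASTER), ("ucs-sso.example.test", CERT_SSO)]

if __name__ == "__main__":
    # No SNI: the default vhost answers with the master's certificate (mismatch).
    print(diagnose("ucs-sso.example.test", None, VHOSTS))
    # SNI set, as with `openssl s_client -servername`: the SSO vhost answers.
    print(diagnose("ucs-sso.example.test", "ucs-sso.example.test", VHOSTS))
    # A CN-only legacy certificate fails even though its CN is right.
    print(host_matches_cert("ucs-sso.example.test", CERT_LEGACY_CN_ONLY))
```

When reading real output, pipe `openssl x509 -noout -text` (without the grep) into parse_names so the SAN section is not cut off; the grep -A 2 in the thread happens to keep it only because the SAN line sits right below its header.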

Ah, I didn’t see your latest reply before sending mine. Great!

Hi @Moritz_Bunkus, I have the same error, but on the Slave this ucr search --brief '^saml' | grep -Fv '<empty>' is empty.

Could you help me?

@andreaussi Please don’t hijack old threads, especially ones where the problem’s been solved already. Open a new thread and describe your problem, which likely has a different underlying issue than the one in this thread.

Ok, @Moritz_Bunkus thanks
