Problem: During Join Stuck at "Download host certificate..."

Problem

While joining a server into the domain, the join hangs at “Download host certificate…”.

Investigation

The joining server tries to copy its certificate files from the master, which created them shortly before. The join hangs because downloading these files fails.

Solution

Note: The following steps have to be done on the master server!

Step 1

Verify that servers are allowed to connect through SSH and that the host account of the joining server exists.
Note: If you are joining a backup server, check “DC Backup Hosts” instead!

root@master:~# ucr search --brief auth/sshd
auth/sshd/group/Administrators: yes
auth/sshd/group/Computers: yes
auth/sshd/group/DC Backup Hosts: yes
auth/sshd/group/DC Slave Hosts: yes
auth/sshd/group/Domain Admins: yes
auth/sshd/restrict: yes
auth/sshd/user/root: yes

root@master:~# getent passwd 'ucs-slave$'
ucs-slave$:x:2010:5006:ucs-slave:/dev/null:/bin/sh
root@master:~# getent group "DC Slave Hosts"
DC Slave Hosts:*:5006:join-slave,ucs-slave$,Administrator,backup$,join-backup,master$

Step 2

Check if the source directory on the master exists:

root@master:# test -e /etc/univention/ssl/ucs-slave && echo "Directory exists - OK"
Directory exists - OK

If it doesn’t exist, you can create/renew the certificate with

univention-certificate renew -name ucs-slave.$(ucr get domainname) -days $(ucr get ssl/default/days)

You might need to adjust the permissions and re-create the symlink. For further information see: Renewing all computer certificates

Step 3

Check that the directory contains the files listed below with the correct ownership (the owner should be the hostname with “$” appended):

root@master:# ls -alh /etc/univention/ssl/ucs-slave
insgesamt 284K
drwxr-x---    2 ucs-slave$ DC Backup Hosts 4,0K Aug 27 10:54 .
drwxr-xr-x 3543 root         DC Backup Hosts 260K Aug 27 10:54 ..
-rw-r-----    1 ucs-slave$ DC Backup Hosts 5,4K Feb  1  2019 cert.pem
-rw-r-----    1 ucs-slave$ DC Backup Hosts 2,8K Feb  1  2019 openssl.cnf
-rw-r-----    1 ucs-slave$ DC Backup Hosts 1,7K Feb  1  2019 private.key
-rw-r-----    1 ucs-slave$ DC Backup Hosts 1,3K Feb  1  2019 req.pem
root@master:# chown -R 'ucs-slave$':'DC Backup Hosts' /etc/univention/ssl/ucs-slave
root@master:# chmod 0640 /etc/univention/ssl/ucs-slave/*

Step 4

Sometimes the joining server tries to access the directory using an upper-case hostname or the fully qualified domain name (FQDN). To prevent issues with this, create symbolic links with the upper-case and FQDN variants of the name:

root@master:# cd /etc/univention/ssl/
root@master:# ln -s ucs-slave UCS-SLAVE
root@master:# ln -s ucs-slave ucs-slave.multi.ucs
root@master:# ln -s ucs-slave UCS-SLAVE.MULTI.UCS
root@master:# ln -s ucs-slave UCS-SLAVE.multi.ucs
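The checks of steps 2 to 4 as an added shell example (not the article's or Univention's own code): the paths, file names, owner and group come from the article, while the function names and the demo values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: steps 2 to 4 as reusable
# shell functions. Paths and file names follow the article; the function names
# and the demo values are assumptions.

# Files the joining server expects to find in its certificate directory.
CERT_FILES="cert.pem openssl.cnf private.key req.pem"

# check_cert_dir SSLDIR HOST OWNER GROUP
# Steps 2 and 3: returns 0 only if SSLDIR/HOST exists, contains every file in
# CERT_FILES, and each file is owned by OWNER:GROUP with mode 0640.
check_cert_dir() {
    dir="$1/$2"; owner="$3"; group="$4"; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (step 2: renew the certificate)"
        return 1
    fi
    for f in $CERT_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"; rc=1; continue
        fi
        # %U:%G:%a = owner name, group name, permission bits in octal
        got=$(stat -c '%U:%G:%a' "$dir/$f")
        if [ "$got" != "$owner:$group:640" ]; then
            echo "WRONG $dir/$f has $got, expected $owner:$group:640"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}

# make_case_links SSLDIR HOST DOMAIN
# Step 4: create the upper-case and FQDN symlinks pointing at SSLDIR/HOST so a
# server asking for UCS-SLAVE or ucs-slave.multi.ucs still finds the files.
make_case_links() {
    ssldir="$1"; host="$2"; domain="$3"
    uhost=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    udomain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    for link in "$uhost" "$host.$domain" "$uhost.$udomain" "$uhost.$domain"; do
        # Create only what is missing; never replace an existing entry.
        [ -e "$ssldir/$link" ] || ln -s "$host" "$ssldir/$link"
    done
}

# On the master the calls matching the article would be:
#   check_cert_dir /etc/univention/ssl ucs-slave 'ucs-slave$' 'DC Backup Hosts'
#   make_case_links /etc/univention/ssl ucs-slave "$(ucr get domainname)"
```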

Step 5

After the above checks, retry the join; it should no longer stop at “Download host certificate…”.
