SAML certificate verification failed after Package update 9/26

System Diagnostic Tool - Problem: SAML certificate verification failed

UCS Version: 4.4-1 errata290 (Blumenthal)
UMC Version: 11.0.4-36A~4.4.0.201909050927
Date of expiry of the SSL root certificate: August 25, 2023 at
Date of expiry of the SSL certificate for this system: August 25, 2023 at

This occurred after a

Error:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 280, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 76, in run
    test_identity_provider_certificate()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 89, in test_identity_provider_certificate
    for host in socket.gethostbyname_ex(sso_fqdn)[2]:
gaierror: [Errno -2] Name or service not known

I looked at the config file etc/apache2/univention-saml.conf and noticed it lists the UCS domain name and not the FQDN I have been using … should this be changed to the FQDN?

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be
#          overwritten by univention-config-registry.
#          Please edit the following file(s) instead:
# 
# 	/etc/univention/templates/files/etc/apache2/sites-available/univention-saml.conf
# 

Alias /simplesamlphp/saml2/idp/certificate /etc/simplesamlphp/ucs-sso.belldesign.com-idp-certificate.crt
<Directory "/etc/simplesamlphp">
        <Files "ucs-sso.belldesign.com-idp-certificate.crt">
                Require all granted
        </Files>
</Directory>


Alias /simplesamlphp /usr/share/simplesamlphp/www

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?simplesamlphp/(.*) https://%{SERVER_NAME}/simplesamlphp/$1 [R,L]



<Directory /usr/share/simplesamlphp/www/>
	<FilesMatch ".+\.ph(p[345]?|t|tml)$">
		SetHandler php-cgi
	</FilesMatch>
	Action php-cgi /saml-bin/php-cgi

	Order allow,deny
	Allow from all
</Directory>
<Directory /var/www/saml/>
	Options -Indexes
</Directory>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	IncludeOptional /etc/apache2/sso-vhost.conf.d/*.conf
	SSLEngine on
	SSLProxyEngine on
	ServerName ucs-sso.belldesign.com
	SSLCertificateFile /etc/univention/ssl/ucs-sso.belldesign.com/cert.pem
	SSLCertificateKeyFile /etc/univention/ssl/ucs-sso.belldesign.com/private.key
	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
	
	DocumentRoot /var/www/
	RedirectMatch ^/$ /simplesamlphp/

	ScriptAlias /saml-bin /var/www/saml
	SuexecUserGroup samlcgi samlcgi

	RewriteEngine on
	RewriteCond %{HTTP:Authorization}  !^$
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

	Include /etc/apache2/sites-available/univention-proxy.conf
</VirtualHost>
<VirtualHost *:80>
	IncludeOptional /etc/apache2/sso-vhost.conf.d/*.conf
	ServerName ucs-sso.belldesign.com
	DocumentRoot /var/www/
	RedirectMatch ^/$ /simplesamlphp/

	ScriptAlias /saml-bin /var/www/saml
	SuexecUserGroup samlcgi samlcgi

	RewriteEngine on
	RewriteCond %{HTTP:Authorization}  !^$
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

	Include /etc/apache2/sites-available/univention-proxy.conf
</VirtualHost>
</IfModule>

I noticed there is nothing in the UCR for the SAML/apache2/ entries. Should this have the path to the Let's Encrypt SSL certificate that has been active since the server was built, or should it point to the ucs-sso certificate that comes with UCS?

[screenshot]

At this point I am thoroughly confused as to why the SAML certificate has stopped working, as logins are still possible in the server apps with the credentials supplied through the Microsoft AD domain this UCS system is attached to. There is only this one Univention server, attached to an MS Server 2008 Active Directory used for our Windows network. This is an app server to support that, with ownCloud, WordPress and Wekan installed and running great. After I updated the packages, OpenProject stopped working and I had to uninstall it after an upgrade for it failed. Everything was working fine before the package update a few days ago.

So this is the original internal name of the domain, but not the FQDN that is being used … should this entry be the FQDN that is used to access the server from the open internet, as opposed to the original internal domain name?

[screenshot]

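The traceback in the post dies inside socket.gethostbyname_ex() on the SSO name before any certificate is compared, so the first thing to establish is whether that name resolves on the UCS host itself and what each resolved address actually serves for it. The following Python script is an added example, not UCS code and not the poster's: it repeats the resolution step with a readable error instead of an uncaught gaierror, then fingerprints the leaf certificate each address presents for the SSO name and compares it with the IdP certificate the Alias line in the posted config publishes. The name ucs-sso.example.com, the 10.0.0.x addresses and the placeholder certificate bytes are constructed fixtures; that the UCR variable holding the SSO name is ucs/server/sso/fqdn is an assumption made here, not something the post states.

```python
"""Resolve-and-compare check for the UCS SAML IdP name.

Added example (not UCS code). It mirrors the step that failed in the
diagnostic traceback: socket.gethostbyname_ex() on the SSO FQDN, then a
look at which certificate each resolved address serves for that name.
The resolver and the TLS fetch are injectable so the logic can be run
offline with the constructed stubs at the bottom.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, List

Resolver = Callable[[str], tuple]          # same shape as socket.gethostbyname_ex
Fetcher = Callable[[str, str, int], str]   # (host, sni_name, port) -> PEM string


def resolve_sso(sso_fqdn: str, resolver: Resolver = socket.gethostbyname_ex) -> List[str]:
    """Addresses the SSO name resolves to on *this* host.

    This is the call that raised gaierror in the traceback; the diagnostic
    plugin did not catch it. Assumption: the name to check is the one stored
    in the UCR variable ucs/server/sso/fqdn.
    """
    try:
        return list(resolver(sso_fqdn)[2])
    except socket.gaierror as exc:
        raise LookupError(
            f"{sso_fqdn} does not resolve on this host ({exc}); "
            "check the SSO FQDN in UCR and the DNS or /etc/hosts entry for it"
        ) from exc


def fetch_leaf_pem(host: str, sni_name: str, port: int = 443) -> str:
    """Fetch the leaf certificate `host` presents when asked for `sni_name`.

    Verification is deliberately off: the point is to see which certificate
    is served (a Let's Encrypt one vs. the UCS-CA-issued ucs-sso one), not to
    validate it against a trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER form, so PEM line wrapping differences do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def check_idp(sso_fqdn: str, expected_pem: str,
              resolver: Resolver = socket.gethostbyname_ex,
              fetcher: Fetcher = fetch_leaf_pem) -> Dict[str, bool]:
    """Map each resolved address to whether it serves `expected_pem` for the SSO name.

    A False entry means that address answers for the SSO name with a
    different certificate than the IdP publishes (for example a second vhost
    or reverse proxy holding a Let's Encrypt certificate).
    """
    want = fingerprint(expected_pem)
    return {host: fingerprint(fetcher(host, sso_fqdn, 443)) == want
            for host in resolve_sso(sso_fqdn, resolver)}


# --- constructed fixtures: placeholder bytes, not real certificates ---------
SSO_FQDN = "ucs-sso.example.com"   # assumed name standing in for the poster's
IDP_PEM = ssl.DER_cert_to_PEM_cert(b"constructed IdP certificate placeholder")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed other certificate placeholder")


def stub_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for socket.gethostbyname_ex with the same failure mode."""
    def resolve(name: str) -> tuple:
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return (name, [], table[name])
    return resolve


def stub_fetcher(served: Dict[str, str]) -> Fetcher:
    """Offline stand-in for fetch_leaf_pem: returns what each address 'serves'."""
    def fetch(host: str, sni_name: str, port: int) -> str:
        return served[host]
    return fetch


def demo() -> Dict[str, bool]:
    """Two addresses for the SSO name, only one serving the IdP certificate."""
    resolver = stub_resolver({SSO_FQDN: ["10.0.0.5", "10.0.0.6"]})
    fetcher = stub_fetcher({"10.0.0.5": IDP_PEM, "10.0.0.6": OTHER_PEM})
    return check_idp(SSO_FQDN, IDP_PEM, resolver, fetcher)


if __name__ == "__main__":
    print(demo())
    try:
        resolve_sso("ucs-sso.unresolvable.example", stub_resolver({}))
    except LookupError as exc:
        print("the diagnostic would have crashed here:", exc)
```

On a real UCS host, call check_idp() with the real resolver and fetcher (the defaults), the value of the SSO FQDN, and the contents of the file the posted Alias line points at (/etc/simplesamlphp/<sso-fqdn>-idp-certificate.crt); a LookupError at that point reproduces the traceback's root cause, and a False entry shows an address that answers for the SSO name with a different certificate.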