SAML certificate verification failed

saml

#1

Hello,

on the DC Master I get this error

SAML certificate verification failed
The certificate of the SAML service provider does not match.

[screenshot: Screenshot from 2018-09-14 16-34-52]

I had this on all five servers incl. backup DC, but after rejoining the domain it disappeared on all except the Master DC.

How do I solve this?

thanks


#2

Hello Urs,

did you renew the certificates recently?

The routine throwing this exception has some hints what it does and what to check including some topics on help.univention.com which are related to the renewal.
From /usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py:

def test_service_provider_certificate():
    # compare /etc/univention/ssl/$(hostname -f)/cert.pem with
    # univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata  | ldapsearch-wrapper | ldapsearch-decode64
    # If it fails: /usr/share/univention-management-console/saml/update_metadata
    #
    # fails because https://help.univention.com/t/renewing-the-ssl-certificates/37 was not used. https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/36
    #
    # ucr, find_node, Critical and _ (and the filter_format/fromstring imports) are
    # defined or imported in the plugin's module header, which is not quoted here.
    # 1. Fetch this host's saml/serviceprovider object from LDAP, matched by its metadata URL.
    lo = univention.uldap.getMachineConnection()
    certs = lo.search(filter_format('(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://%s/univention/saml/metadata))', ['%s.%s' % (ucr.get('hostname'), ucr.get('domainname'))]), attr=['serviceProviderMetadata'])
    # 2. Compare the ds:X509Certificate embedded in the stored metadata with the host certificate on disk.
    with open('/etc/univention/ssl/%s.%s/cert.pem' % (ucr.get('hostname'), ucr.get('domainname'))) as fd:
        for cert in certs:
            cert = find_node(fromstring(cert[1]['serviceProviderMetadata'][0]), '{http://www.w3.org/2000/09/xmldsig#}X509Certificate')
            if cert.text.strip() not in fd.read():
                raise Critical(_('The certificate of the SAML service provider does not match.'))

Best Regards,
Dirk Ahrnke


#3

Hello Dirk,

Yes, I did install letsencrypt on the DC Master; later I removed it again because I realised that this is not needed. After that I had many errors that I could fix, but not this SAML error.

Below the result of the script:

root@ucs-4:/home/Administrator#  /usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py 
error, connecting
error, connecting
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 119, in <module>
    run(0)
  File "/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 77, in run
    test_service_provider_certificate()
  File "/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 114, in test_service_provider_certificate
    raise Critical(_('The certificate of the SAML service provider does not match.'))
univention.management.console.modules.diagnostic.Critical: The certificate of the SAML service provider does not match.
root@ucs-4:/home/Administrator# 

I tried to do the steps described in Renewing the SSL certificates
no chance.
But after following the instructions on Renewing the complete SSL certificate chain
everything got worse…
See Screenshot:
[screenshot: Screenshot from 2018-09-19 13-25-29]

but I don’t understand what I have to do next?
Maybe start all over by installing a new domain???


#4

Hello,

I don't believe that Let's Encrypt is related to this issue in any way.
Unfortunately the screenshot you tried to upload got lost, so I don't know about the current error.

In general the critical related point is the “SAML SSO” section in Renewing the SSL certificates. In addition I want to point to the hint in the test_service_provider_certificate function quoted above (run the script /usr/share/univention-management-console/saml/update_metadata).

Best Regards,
Dirk Ahrnke


#5

That was due to wrong Markdown formatting. I’ve fixed the formatting; the screenshot is visible now.


#6

Now that the screenshot is visible, I can only ask whether the steps from “Renewing the SSL certificates” were also followed after “Renewing the complete SSL certificate chain”, according to the last hint?
The screenshot looks as if a required service restart to pick up the new certificates might also be missing.


#7

After running this script, the error messages were reduced to the following 3 only:
[screenshot: Screenshot from 2018-09-19 14-31-17]

I followed the instructions on Renewing the SSL certificates several times, but the main error does not disappear.


#8

The second issue shows 2 things: permissions that should get fixed easily with

chmod 755 /etc/univention/ssl
chmod 750 /etc/univention/ssl/ucs-4.veera.intranet

The remaining part, the missing ucs-sso… directory, could be related to the first and critical issue, as the files from this directory are copied to /etc/simplesamlphp when following the instructions to renew the certificates.
I'd check carefully what happens during the step “ucs-sso requires a separate handling” from Renewing the complete SSL certificate chain. This includes the review of the join.log and the proof that the directory and its files exist afterwards. (Note: I haven't verified that this is the step where it happens, but following the docs it looks like that.)

The S4 reject seems to be unrelated but needs separate handling.

Best Regards,
Dirk


#9

this is what it looks like:

root@ucs-4:/home/Administrator# ucr get saml/idp/certificate/certificate
/etc/simplesamlphp/ucs-sso.veera.intranet-idp-certificate.crt
root@ucs-4:/home/Administrator#  univention-run-join-scripts --force --run-scripts 91univention-saml.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2018 Univention GmbH, Germany

Running 91univention-saml.inst                             done
root@ucs-4:/home/Administrator# 

and after this I get the following new error:

File '/etc/univention/ssl/ucs-sso.veera.intranet' does not exist.

#10

I wouldn't necessarily trust that “done” always means “successfully executed”, hence checking /var/log/univention/join.log is a good idea.
In addition, some remarks regarding the creation of the certificate during 91univention-saml.inst.
A new certificate will be created only when:

  • the file referenced by UCRV saml/idp/certificate/certificate does not exist
  • on a DC master the UCRV ucs/server/sso/certificate/generation is set to true or unset

The certificate is then created for the hostname taken from UCRV ucs/server/sso/fqdn.

hth,
Dirk


#11

see the next posts, this is outdated


#12

I did:
rm /etc/simplesamlphp/ucs-sso.veera.intranet-idp-certificate.crt

and run the

univention-run-join-scripts --force --run-scripts 91univention-saml.inst

the SSL error is gone now. Thanks!

but the SAML remains:

[screenshot: Screenshot from 2018-09-19 16-02-07]


#13

In the log file I now see warnings regarding SAML.

[screenshot: Screenshot from 2018-09-19 16-06-52]


#14

The Warning “cannot append … value exists” appears when the cli-tool udm is called to create or modify an entry which already exists (sic) and can or should not be altered. Here it might be that the new certificate is not added into LDAP.

Please have a look at the first lines in the function test_service_provider_certificate() from the check routine and compare the certificates manually.

In case these certificates really differ you might consider removing the saml/serviceprovider entry from LDAP (using UMC) and run the joinscript again.

hth,
Dirk Ahrnke


#15

Somehow, with your help, though not fully understanding what I am doing, I did the following and the SAML error magically disappeared. :slight_smile:

I compared the certificate in /etc/univention/ssl/MyServerFQDN/cert.pem
with the certificate that appeared by executing:

        # univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata  | ldapsearch-wrapper | ldapsearch-decode64

The certificates were different. Then I did:

# /usr/share/univention-management-console/saml/update_metadata

and the magic worked!

I still have some S4 connector error on the DC master and some SSL certificate error on the DC backup.
But I will address this later, because it seems not to affect anything urgent.
All the other servers after doing a domain re-join are without errors.

thank you very much!

best regards

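The manual comparison that Dirk describes in #2 and that Urs carried out in #15 (the host certificate in /etc/univention/ssl/<fqdn>/cert.pem against the ds:X509Certificate inside the saml/serviceprovider metadata stored in LDAP), as an added, self-contained Python example. It is not code from this thread or from the UCS diagnostic plugin. It assumes the metadata XML has already been fetched (for example with the univention-ldapsearch pipeline quoted in #15) and is passed in as a string; the certificate bytes, the PEM text and the entityID https://ucs-4.example.test/univention/saml/metadata are constructed placeholders, not real certificates.

```python
"""Check whether SAML SP metadata still carries the certificate that is on disk.

Added example, not part of the thread or of UCS. The "certificates" below are
constructed placeholder bytes so the comparison logic can run offline.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace used in SAML metadata
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # drop the 64-column line wrapping before decoding
    return base64.b64decode("".join(m.group(1).split()))


def metadata_certs_der(metadata_xml):
    """Return DER bytes of every ds:X509Certificate element in SP metadata.

    Metadata may carry more than one (separate signing and encryption keys),
    so every element is returned rather than just the first.
    """
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join((node.text or "").split()))
            for node in root.iter(DS_NS + "X509Certificate")]


def fingerprint(der):
    """SHA-256 fingerprint of a DER blob; comparing fingerprints ignores text formatting."""
    return hashlib.sha256(der).hexdigest()


def sp_certificate_matches(metadata_xml, pem_text):
    """True if the on-disk certificate equals at least one certificate in the metadata."""
    want = fingerprint(pem_to_der(pem_text))
    return any(fingerprint(der) == want for der in metadata_certs_der(metadata_xml))


# --- constructed sample material (placeholders, NOT real certificates) ---------------

def make_pem(der):
    """Wrap bytes as a PEM block with 64-column lines, the layout of cert.pem on disk."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def make_metadata(der, entity_id="https://ucs-4.example.test/univention/saml/metadata"):
    """Minimal SP metadata; the certificate is one indented line, i.e. wrapped differently than PEM."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n    %s\n  '
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    ) % (entity_id, base64.b64encode(der).decode("ascii"))


CURRENT_DER = b"constructed placeholder for the renewed host certificate " * 4
STALE_DER = b"constructed placeholder for the certificate before renewal " * 4
PEM_ON_DISK = make_pem(CURRENT_DER)          # stands in for /etc/univention/ssl/<fqdn>/cert.pem
METADATA_FRESH = make_metadata(CURRENT_DER)  # what LDAP holds after update_metadata has run
METADATA_STALE = make_metadata(STALE_DER)    # what LDAP holds when update_metadata was skipped

if __name__ == "__main__":
    for label, md in (("fresh metadata", METADATA_FRESH), ("stale metadata", METADATA_STALE)):
        ok = sp_certificate_matches(md, PEM_ON_DISK)
        print(label, "-", "matches cert.pem" if ok else "MISMATCH, run update_metadata")
```

Comparing SHA-256 fingerprints of the decoded DER, after stripping whitespace from both the PEM body and the metadata element, makes the check independent of how either side wraps its base64 text, and reading the PEM once while checking every X509Certificate element covers metadata that lists separate signing and encryption keys. A False result after a certificate renewal means the metadata in LDAP is stale; as in #15, /usr/share/univention-management-console/saml/update_metadata is the step that refreshes it.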

#16

@Urs,
Can you help? Trying to solve other issues with SSO, I'm now in that situation :confused:

I already redid the chain renewal, but without success.