Ucs join fails at 92univention-management-console-web-server.inst

Mbo42 · July 28, 2018, 2:18pm

I will substantially rewrite this question in the hope of getting some help.
Also, I have reinstalled many times so some of the original post is no longer relevant.

I have a slave server installed on Amazon ec2 using the 4.3 Amazon univention image.
It is connected to the office domain by VPN.
I installed it without join or update as it was necessary to get the DNS sorted out before join and update could work. Now the univention DC Master is the primary DNS and the Amazon DNS is secondary.

I can run successful run every join script except 92univention-management-console-web-server.inst.
I also can not upgrade as the apt-sources entries are missing.

The error from the log is:

Could not download IDP metadata for https://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
‘NoneType’ object has no attribute ‘find’
Unsetting umc/saml/idp-server
Module: setup_saml_sp
EXITCODE=3

The results of curl seem to be a good clue:

On a GOOD machine I get.

> root@ESS8:/home/talcom# curl http://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php">
>   <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>XIIFcD.... etc.

Whereas on the broken server:

root@essn:~# curl http://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /simplesamlphp/saml2/idp/metadata.php was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.enviro.intranet Port 80</address>
</body></html>

Both good and bad servers give the same output for the DNS query ‘dig ucs-sso.enviro.intranet’

The System Diagnostics show a bad SSL certificate error


Found invalid certificate '/tmp/tmp6lktDH':
error /tmp/tmp6lktDH: verification failed

However I can not find the tmp6lktDH file on the system.
The Diagnostics reccomended replaceing all the certificates so I did this:
Renewing the SSL certificates

The server is the current Amazon 4.3 image and the DC master is 4.3-1 errata157

Mbo42 · July 30, 2018, 8:30am

The output of various commands on the problem server.

root@essn:~# dig ucs-sso.enviro.intranet                                             

; <<>> DiG 9.10.3-P4-Univention <<>> ucs-sso.enviro.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2530
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ucs-sso.enviro.intranet.       IN      A

;; ANSWER SECTION:
ucs-sso.enviro.intranet. 900    IN      A       192.168.20.3
ucs-sso.enviro.intranet. 900    IN      A       192.168.20.4
ucs-sso.enviro.intranet. 900    IN      A       192.168.40.3

;; AUTHORITY SECTION:
enviro.intranet.        900     IN      NS      essn.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS2.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS5.enviro.intranet.
enviro.intranet.        900     IN      NS      Deimos.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS8.enviro.intranet.
enviro.intranet.        900     IN      NS      phobos.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS3.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS4.enviro.intranet.

;; ADDITIONAL SECTION:
phobos.enviro.intranet. 900     IN      A       192.168.20.3
Deimos.enviro.intranet. 900     IN      A       192.168.20.4
ESS2.enviro.intranet.   900     IN      A       192.168.30.3
ESS3.enviro.intranet.   900     IN      A       192.168.30.4
ESS4.enviro.intranet.   900     IN      A       192.168.40.3
ESS5.enviro.intranet.   900     IN      A       192.168.40.5
ESS8.enviro.intranet.   900     IN      A       192.168.50.3
essn.enviro.intranet.   900     IN      A       10.1.1.5

;; Query time: 24 msec
;; SERVER: 192.168.20.3#53(192.168.20.3)
;; WHEN: Fri Aug 03 11:40:32 AEST 2018
;; MSG SIZE  rcvd: 384

root@essn:~# cat /etc/resolv.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
#       /etc/univention/templates/files/etc/resolv.conf
# 


domain  enviro.intranet
nameserver  192.168.20.3  #THIS IS THE DC MASTER
nameserver  10.1.1.5
options timeout:2


root@essn:~# univention-ldapsearch relativeDomainName=ucs-sso
# extended LDIF
#
# LDAPv3
# base <dc=enviro,dc=intranet> (default) with scope subtree
# filter: relativeDomainName=ucs-sso
# requesting: ALL
#

# ucs-sso, enviro.intranet, dns, enviro.intranet
dn: relativeDomainName=ucs-sso,zoneName=enviro.intranet,cn=dns,dc=enviro,dc=in
 tranet
aRecord: 192.168.20.3
aRecord: 192.168.20.4
aRecord: 192.168.40.3
objectClass: dNSZone
objectClass: top
objectClass: univentionObject
univentionObjectType: dns/host_record
dNSTTL: 80600
relativeDomainName: ucs-sso
zoneName: enviro.intranet

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1