UCS Openssl request signing error

ssl
certificates

#1

UCS: 4.2-2 errata 198

I created a signing request from another machine and used UCS to sign the request. BUT the following error is produced:

using configuration from /etc/univention/ssl/openssl.cnf
error on line 31 of config file '/etc/univention/ssl/openssl.cnf'
139969125799568:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 31

Please help.


#2

Hey,

you cannot simply use an existing openssl.cnf from Univention as they use several environment variables that must be set. You can set them like this:

DEFAULT_CRL_DAYS="$(/usr/sbin/univention-config-registry get ssl/crl/validity)"
: ${DEFAULT_CRL_DAYS:=10}
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
: ${DEFAULT_DAYS:=1825}
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
: ${DEFAULT_MD:=sha256}
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
: ${DEFAULT_BITS:=2048}

export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS

Then sign the certificate.

Kind regards,
mosu
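
An added example, not part of the original posts and not UCS code: a shell helper that lists which `$ENV::NAME` references in an OpenSSL config file are absent from the exported environment, the condition behind the "variable has no value" error in this thread. The function names and the sample config are constructed for illustration.

```shell
# Added example (not UCS code): find $ENV:: references in an OpenSSL
# config file that the openssl process would not be able to resolve.

# Print each distinct NAME used as $ENV::NAME, ${ENV::NAME} or $(ENV::NAME).
# Simplification: everything after a '#' is treated as a comment.
env_refs() {
    sed 's/#.*//' "$1" |
        grep -oE '\$[{(]?ENV::[A-Za-z_][A-Za-z0-9_]*' |
        sed 's/.*ENV:://' |
        sort -u
}

# Print the referenced names missing from the exported environment.
# printenv is an external command, so it sees what openssl would see:
# a variable that was assigned but never exported counts as missing.
missing_env_vars() {
    env_refs "$1" | while read -r name; do
        printenv "$name" >/dev/null || printf '%s\n' "$name"
    done
}

# Constructed sample config, not the real /etc/univention/ssl/openssl.cnf.
write_sample_cnf() {
    cat >"$1" <<'EOF'
[ req ]
default_bits = $ENV::DEFAULT_BITS
default_md   = ${ENV::DEFAULT_MD}
# old_value  = $ENV::ONLY_IN_A_COMMENT
[ CA_default ]
default_crl_days = $ENV::DEFAULT_CRL_DAYS
EOF
}

# With a path argument check that file; without one, use the sample.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    trap 'rm -f "$cfg"' EXIT
    write_sample_cnf "$cfg"
fi
missing=$(missing_env_vars "$cfg")
if [ -n "$missing" ]; then
    echo "unset or not exported:" $missing
else
    echo "every \$ENV:: reference in $cfg is set"
fi
```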


#3

I followed this link:
https://docs.software-univention.de/domain-4.0.html#extdom:ssl:sign
The instructions fall under this title:

3.2. Signing of certificate signing requests by the UCS certificate authority

Your instructions are not found there. Will try them in any case.


#4

The documentation is clearly incomplete and out of sync with how OpenSSL is configured.


#5

I’ve filed a bug for this.