UMC Server broke up, login failed

umc
ssl

#1

I cannot log in to the Univention Management Console Server.
The last actions were: UCS Update and manual time configuration.

When I want to log in, I get the following message:
The connection to the Univention Management Console Server broke up unexpectedly.
If you have root permissions on the system you can restart UMC by executing the following commands:

  • service univention-management-console-server restart
  • service univention-management-console-web-server restart

Otherwise please contact an administrator or try again later.

I have already tried the suggested hints.
What can I do?


#2

Can you log on via ssh as “root”?
If yes, you might want to revert your changes regarding the time settings.

Depending on how and where you did those changes, I can imagine that services like LDAP aren’t too happy about changes to time and date without properly informing them…


#3

Yes I can login via ssh as root.

I made the following changes before the login failed (via ssh):

sudo tzselect cest
sudo tzselect CEST
sudo dpkg-reconfigure tzdata
ntpdate ptbtime1.ptb.de
sudo date 070815482017.20

How and what shall I revert?

Thanks for your help!!!


#4

Hi,

good question.
Changing the timezone: What timezone was set before that? It might be worth a try to get back to that.
On the other hand: I am afraid the worst has happened already.

Logs with error messages might be helpful.

For instance error messages if you try to restart the services mentioned above.
Without logs or error messages … not much we can do to help.


#5

I see the following message at the bottom of the login mask:

“Interner Server-Fehler: Der Dienst ist momentan nicht erreichbar!”

univention-management-console-web-server LOG (I replaced some entries with “…”!):

28.07.17 20:27:01.524 MAIN ( INFO ) : CPAuth/auth: got new auth request ( … :57070 <=> )
28.07.17 20:27:01.524 MAIN ( INFO ) : auth: request: command=/auth
28.07.17 20:27:01.525 MAIN ( INFO ) : CPAuth (… :57070) pushed request(0x7fe1dbc11190) to queue(0x7fe1dc661248) - waiting for response
28.07.17 20:27:01.555 MAIN ( INFO ) : UMCP_Dispatcher: check_queue: new request: 0x7fe1dbc11190
28.07.17 20:27:01.555 MAIN ( INFO ) : SessionClient(0x7fe1dbc112d0): creating new session
28.07.17 20:27:01.556 MAIN ( INFO ) : Client.connect: SSL connection established
28.07.17 20:27:01.557 MAIN ( INFO ) : SessionClient(0x7fe1dbc112d0): connected to UMC server
28.07.17 20:27:01.557 MAIN ( INFO ) : SessionClient(0x7fe1dbc112d0): authenticate_user: sending authentication request for user u'Administrator'
28.07.17 20:27:01.557 PROTOCOL ( INFO ) : Sending UMCP AUTH REQUEST 150126642152482-5
28.07.17 20:27:01.574 MAIN ( INFO ) : __verify_cert_cb: Got certificate subject: < … '>
28.07.17 20:27:01.574 MAIN ( INFO ) : __verify_cert_cb: Got certificate issuer: < … >
28.07.17 20:27:01.574 MAIN ( INFO ) : __verify_cert_cb: errnum=9 depth=1 ok=0
28.07.17 20:27:01.574 MAIN ( PROCESS ) : Client: Sending via SSL connection failed: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
28.07.17 20:27:01.574 MAIN ( PROCESS ) : Client: Communication will not be encrypted!
28.07.17 20:27:01.574 MAIN ( INFO ) : Client.connect: connection established
28.07.17 20:27:01.588 MAIN ( WARN ) : Client: _recv: error on socket: [Errno 104] Connection reset by peer
28.07.17 20:27:01.588 MAIN ( INFO ) : CPAuth ( … :57070) got response(0x7fe1dbc11550) from queue(0x7fe1dc661248): status=503
28.07.17 20:27:01.588 MAIN ( PROCESS ) : CPAuth ( … :57070) response status code: 503
28.07.17 20:27:01.588 MAIN ( PROCESS ) : CPAuth … :57070) response message: The connection to the Univention Management Console Server broke up unexpectedly.
If you have root permissions on the system you can restart UMC by executing the following commands:

  • service univention-management-console-server restart
  • service univention-management-console-web-server restart

Otherwise please contact an administrator or try again later.
28.07.17 20:27:01.588 MAIN ( PROCESS ) : CPAuth ( … :57070) response result: None
28.07.17 20:27:01.588 MAIN ( INFO ) : Open sessions: a48b2bf9-34a3-4ffa-8843-3885f7a8baf2
28.07.17 20:27:01.588 MAIN ( INFO ) : Cleaning up session 'a48b2bf9-34a3-4ffa-8843-3885f7a8baf2'

#6

Are any certificates present under /etc/univention/ssl/%fqdn%/ ?
You might want to check with OpenSSL whether they are all still valid.


#7

There is a certificate named: cert.pem

under Validity I can read:
Not Before: Sep 13 21:02:55 2017 GMT

Is that maybe the problem (Before I changed the time, the time was September 2017)?
If yes, how can I change the Date in the certificate?
or create a new one?
I’m not so good at working with certificates.


#8

That certainly is a problem: LDAP & co rely heavily on valid certificates.
Your certificate has a validity in the future, hence it might start working somewhere in September, when the certificate becomes valid.

You cannot change the date of the certificate, after all, that would mean you could actually change it. That’s not what certificates are for.

If I remember correctly, this is your only UCS server?
You might follow this article:
http://sdb.univention.de/1183

However: be prepared to actually wreck the system.
The link above might work on a healthy system, I can’t guarantee that there isn’t anything else wrong with yours.
In the end you might end up with nothing.
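
The web-server log in post #5 shows `__verify_cert_cb: errnum=9`, which is OpenSSL's X509_V_ERR_CERT_NOT_YET_VALID, matching the "Not Before: Sep 13 21:02:55 2017 GMT" found in post #7. The following script is an added example (not from the thread or from Univention) that makes exactly that check explicit: it reads the validity window of a PEM certificate through the `openssl x509` command line and places the system clock inside, before, or after it. The default path under `/etc/univention/ssl/<fqdn>/cert.pem` is an assumption taken from the hint in post #6; pass paths as arguments to check other files.

```python
#!/usr/bin/env python3
"""Check whether X.509 certificates are valid on the machine's current clock.

Added example, not part of the thread. It reads notBefore/notAfter via the
`openssl x509` CLI and compares them with the system time, so a certificate
whose validity lies in the future is reported as "not yet valid" (the
condition behind OpenSSL verify error 9 in the thread's UMC log).
"""
import socket
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional, Tuple

# openssl prints validity dates like "Sep 13 21:02:55 2017 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(text: str) -> datetime:
    """Turn an openssl-formatted date into a timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def classify(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Place `now` relative to the certificate's validity window."""
    if now < not_before:
        return "not yet valid"   # OpenSSL verify error 9, X509_V_ERR_CERT_NOT_YET_VALID
    if now > not_after:
        return "expired"         # OpenSSL verify error 10, X509_V_ERR_CERT_HAS_EXPIRED
    return "valid"


def check_window(not_before: str, not_after: str, now: str) -> str:
    """Same as classify(), but all three inputs are openssl-style date strings."""
    return classify(parse_openssl_date(not_before),
                    parse_openssl_date(not_after),
                    parse_openssl_date(now))


def read_validity(cert_path: str) -> Tuple[datetime, datetime]:
    """Ask the openssl CLI for the validity window of a PEM certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-startdate", "-enddate"],
        capture_output=True, text=True, check=True).stdout
    # output looks like "notBefore=Sep 13 21:02:55 2017 GMT" / "notAfter=..."
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return parse_openssl_date(fields["notBefore"]), parse_openssl_date(fields["notAfter"])


def check_cert(cert_path: str, now: Optional[datetime] = None) -> str:
    """Human-readable verdict for one certificate file on the given (or current) clock."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = read_validity(cert_path)
    verdict = classify(not_before, not_after, now)
    return (f"{cert_path}: {verdict} "
            f"(notBefore={not_before:%Y-%m-%d %H:%M:%S}Z "
            f"notAfter={not_after:%Y-%m-%d %H:%M:%S}Z "
            f"now={now:%Y-%m-%d %H:%M:%S}Z)")


if __name__ == "__main__":
    # Assumed default location, modelled on the /etc/univention/ssl/%fqdn%/ hint in the thread.
    paths = sys.argv[1:] or [f"/etc/univention/ssl/{socket.getfqdn()}/cert.pem"]
    for path in paths:
        try:
            print(check_cert(path))
        except (OSError, subprocess.CalledProcessError, KeyError) as exc:
            print(f"{path}: could not read validity ({exc})")
```

Run it once with the clock as it is and once after correcting the date; a certificate reported "not yet valid" will not satisfy any TLS client on the box, which is why every component that talks to LDAP over TLS fails at the same time.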


#9

@Jeroen is right. The certificate’s validity is vital for pretty much each and every component of a UCS server. Having the server set to the correct date & time is as important.

You have two options:

  1. Re-install (making sure your system’s clock is set correctly in BIOS/UEFI)
  2. Re-create all certificates

If you don’t want to re-install: @Jeroen has already linked the corresponding support database article. It isn’t that hard if you follow the steps properly. But make sure to have a full backup of the machine first.


#10

How I solved the problem:

  1. I changed the date to the actual date (the hardware clock too)
  2. I logged in via http in UMC
  3. I made a small change under System --> Certificate Settings, so that all certificates were rebuilt
  4. Restarted the server

Now most things run.

Anyway, I have the following problem:

In the AppCenter I get the following message:
Es gibt ein Problem mit dem Zertifikat des App Center Servers
https://appcenter.software-univention.de. ([SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:581))

What is wrong?
(For information: I have a proxy running (squid and dansguardian).)


#11

Hey,

First of all, which UCS version are you using? I haven’t found that piece of information above.

Now, can you please post the output of the following command:

curl --noproxy appcenter.software-univention.de -v https://appcenter.software-univention.de/ > /dev/null
curl --proxy $(ucr get proxy/http) -v https://appcenter.software-univention.de/ > /dev/null

I assume that your proxy is set via that UCR variable. If not, replace $(ucr get proxy/http) with the address of your http://actual.proxy.and.port:12345/

As a last test, please save the following short Python snippet to a file such as fetch-test.py, run it with python2 fetch-test.py and post its output (it shouldn’t output anything):

#!/usr/bin/python2.7

import urllib2

response = urllib2.urlopen("https://appcenter.software-univention.de/")
response.read()

Kind regards,
mosu


#12

Hey,

my installed version is 4.2-1 errata122

Output of:
curl --noproxy appcenter.software-univention.de -v https://appcenter.software-univention.de/ > /dev/null

* Hostname was NOT found in DNS cache
  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 176.9.114.147...
* Connected to appcenter.software-univention.de (176.9.114.147) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

curl --proxy $(ucr get proxy/http) -v https://appcenter.software-univention.de/ > /dev/null

  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (5) Could not resolve proxy: -v

root@ucs1:~# curl --proxy … -v https://appcenter.software-univention.de/ > /dev/null

* Hostname was NOT found in DNS cache
  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying …
* Connected to … port … (#0)
* Establish HTTP proxy tunnel to appcenter.software-univention.de:443
> CONNECT appcenter.software-univention.de:443 HTTP/1.1
> Host: appcenter.software-univention.de:443
> User-Agent: curl/7.38.0
> Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv2, Unknown (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv2, Unknown (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*   subject: C=DE; postalCode=28359; ST=Bremen; L=Bremen; street=Mary-Somerville Str. 1; O=Univention GmbH; OU=PremiumSSL Wildcard; CN=*.software-univention.de
*   start date: 2015-08-31 00:00:00 GMT
*   expire date: 2018-11-28 23:59:59 GMT
*   subjectAltName: appcenter.software-univention.de matched
*   issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*   SSL certificate verify ok.
* SSLv2, Unknown (23):
} [data not shown]
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: appcenter.software-univention.de
> Accept: */*

* SSLv2, Unknown (23):
{ [data not shown]
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 07 Aug 2017 17:02:21 GMT
* Server Apache is not blacklisted
< Server: Apache
< Location: http://www.univention.de/
< Vary: Accept-Encoding
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
<
* SSLv2, Unknown (23):
{ [data not shown]
100 233 100 233 0 0 950 0 --:--:-- --:--:-- --:--:-- 951
* Connection #0 to host … left intact

python output:

Traceback (most recent call last):
  File "/home/Administrator/test.py", line 5, in <module>
    response = urllib2.urlopen("https://appcenter.software-univention.de/")
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:581)>

Could it be that after the recreation of all certificates I need a new certificate from Univention?


#13

Hey,

No. The certificates on your server are only relevant for other clients that connect to your server, but not when your server acts as a client and connects to other servers such as the AppCenter.

So the connection works if it goes through your proxy (http://ucs1…:3128/), but not when your server tries to connect to the AppCenter directly? That is… interesting.

Please post the output of date and hwclock and make sure that the time & date shown are correct for your server’s location. Also post the output of cat /etc/timezone.

There are a handful of other posts in this forum that show similar errors. However, in one of them the proxy itself turned out to be the problem and circumventing the proxy would solve the issue, but that’s exactly the other way around of what you’re experiencing. So I’m still a bit at a loss about potential causes for your issue.
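
The two curl runs in post #12 differ in one thing only: whether the TLS handshake is carried through the squid proxy or goes straight to port 443, and only the direct path fails with "unknown protocol" (OpenSSL's way of saying the bytes that came back were not a TLS record at all). The following Python 3 script is an added example, not from the thread or from Univention, that repeats that comparison in one place and reduces each outcome to a short label so the two paths can be compared side by side. The proxy URL is taken from an environment variable named UCS_PROXY (an assumption; the thread reads it with `ucr get proxy/http`, and the second curl run shows that expansion coming back empty, which is why curl complained about `-v` as the proxy name).

```python
#!/usr/bin/env python3
"""Compare a direct HTTPS fetch with one through an HTTP CONNECT proxy.

Added example, not part of the thread. It mirrors the two curl runs from
post #12 in Python 3 and maps each failure to a short label, so that
"fails directly, works via proxy" is visible in one run.
"""
import os
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Default target from the thread; override with the first CLI argument.
DEFAULT_URL = "https://appcenter.software-univention.de/"


def classify_failure(exc: BaseException) -> str:
    """Reduce an exception raised by urlopen() to a short, comparable label."""
    # urllib wraps socket/ssl errors in URLError; inspect the wrapped reason.
    inner = exc
    if isinstance(exc, urllib.error.URLError) and exc.reason is not None:
        inner = exc.reason
    text = str(inner)
    if "CERTIFICATE_VERIFY_FAILED" in text:
        # The peer did speak TLS, but its certificate chain did not validate.
        return "tls-cert-verify-failed"
    if "UNKNOWN_PROTOCOL" in text or "WRONG_VERSION_NUMBER" in text:
        # OpenSSL received something on port 443 that is not a TLS record:
        # a non-TLS service or a filtering device answered instead of the server.
        return "non-tls-reply-on-port"
    if isinstance(inner, ssl.SSLError):
        return "tls-error:" + (getattr(inner, "reason", None) or text)
    if isinstance(inner, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(inner, ConnectionRefusedError):
        return "connection-refused"
    if isinstance(inner, socket.gaierror):
        return "dns-failure"
    return "other:" + text


def fetch(url: str, proxy: Optional[str], timeout: float = 15.0) -> Tuple[str, str]:
    """Fetch `url` directly (proxy=None, ignoring environment proxies) or via `proxy`."""
    # An empty ProxyHandler mapping disables all proxies, like curl --noproxy.
    proxies = {"https": proxy, "http": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ("ok", f"HTTP {resp.status} {resp.headers.get('Server', '')}".strip())
    except urllib.error.HTTPError as exc:
        # The TLS layer worked; the server just answered with an error status.
        return ("http-error", f"HTTP {exc.code}")
    except (urllib.error.URLError, OSError) as exc:
        return ("failed", classify_failure(exc))


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    proxy = os.environ.get("UCS_PROXY")  # assumed, e.g. http://proxy.example.invalid:3128/
    print(f"   direct: {fetch(url, None)}")
    if proxy:
        print(f"via proxy: {fetch(url, proxy)}")
    else:
        print("via proxy: skipped (set UCS_PROXY=http://host:port/ to test it)")
```

If the direct run yields "non-tls-reply-on-port" while the proxied run yields "ok", the box's outbound port-443 traffic is being answered by something other than the App Center server before the handshake starts, which is the situation the question in post #16 about content-scanning appliances is trying to rule out; "tls-cert-verify-failed" would instead point at the trust store (the `update-ca-certificates` suggestion in post #14).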


#14

Oh and just to make sure:

  • Have you rebooted your server since fixing your time/date issues mentioned at the top?
  • Have you rebooted your server since re-creating all the certificates?
  • Is the server you’re running this on a different server than the proxy (ucs1.gmo.int), or is it the same server?
  • Please run update-ca-certificates and try that Python script again.
  • Please post the output of dpkg -l | grep ssl

#15

Hey,

My timezone was UTC; now I changed it in the language settings to CEST.
date and RTC show no difference and are correct.
I made a reboot after all actions.

proxy and server are the same pc.

the ssl error is still there.
The output of the py-doc is also there.

dpkg -l | grep ssl output:

ii libcrypt-openssl-random-perl 0.04-2+b1 amd64 module to access the OpenSSL pseudo-random number generator
ii libflac8:amd64 1.3.0-3 amd64 Free Lossless Audio Codec - runtime C library
ii libgnutls-openssl27:amd64 3.3.8-6+deb8u4 amd64 GNU TLS library - OpenSSL wrapper
ii libssl1.0.0:amd64 1.0.2k-1~bpo8+1A~4.2.0.201706081143 amd64 Secure Sockets Layer toolkit - shared libraries
ii libxmlsec1-openssl 1.2.20-2+b1 amd64 Openssl engine for the XML security library
ii openssl 1.0.2k-1~bpo8+1A~4.2.0.201706081143 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii openssl-blacklist 0.5-3.19.201403211036 all Blacklists for OpenSSL RSA keys and tools
ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library
ii ssl-cert 1.0.35 all simple debconf wrapper for OpenSSL
ii univention-ssl 11.0.1-1A~4.2.0.201703131532 all UCS - SSL/TLS certificates


#16

Thanks. Unfortunately I’m totally at a loss at why the error message still occurs. Do you have any proxy whatsoever between your server and Univention’s AppCenter server? I don’t mean the one you’ve tried explicitly with curl’s --proxy… option, but e.g. security products such as a firewall appliance that does HTTP/HTTPS content scanning?

As a last resort: how much would it hurt simply to reinstall the server?