Upgrade 4.1->4.2 fails if usercert/windowscert extension was installed

cool-solution
ucs-4-2

#1

The upgrade fails if the cool solutions repo was activated before and univention-usercert or univention-windowscert was installed.

Removing those extensions does not remove the entries in LDAP. This lets the upgrade crash.

What is the way to go to remove the failing entries from LDAP?

After starting the upgrade:

HINT:
Please check the release notes carefully BEFORE updating to UCS 4.2-0:
 English version: https://docs.software-univention.de/release-notes-4.2-0-en.html
 German version:  https://docs.software-univention.de/release-notes-4.2-0-de.html

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]? 
Custom preupdate script /var/lib/local-preup.sh not found
Checking for space on /var/cache/apt/archives: OK
Checking for space on /boot: OK
Checking for space on /: OK
Checking for package status: OK
Checking LDAP schema: 58f8d775 OVER: Loading Translog Overlay
58f8d775 OVER: db_init
58f8d775 OVER: Configuring Translog Overlay
58f8d775 OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
58f8d775 UNKNOWN attributeDescription "UNIVENTIONCREATEREVOKECERTIFICATE" inserted.
58f8d775 UNKNOWN attributeDescription "UNIVENTIONCERTIFICATEDAYS" inserted.
58f8d775 OVER: db_close
# (65) Object class violation: unrecognized objectClass 'univentionManageCertificates'
dn: uid=mfrie,cn=users,dc=huf,dc=intranet

# (65) Object class violation: unrecognized objectClass 'univentionManageCertificates'
dn: cn=PC-08,cn=computers,dc=huf,dc=intranet

58f8d776 OVER: db_destroy

Last error before abort

Calling joinscript 18python-univention-directory-manager.inst ...
2017-04-20 18:31:32.648822323+02:00 (in joinscript_init)
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 406, in doit
    out = _doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 534, in _doit
    co = univention.admin.config.config(configRegistry['ldap/master'])
  File "/usr/lib/pymodules/python2.7/univention/admin/config.py", line 40, in __init__
    base = univention.admin.uldap.getBaseDN(host)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 136, in getBaseDN
    result = lo.search_s('', ldap.SCOPE_BASE, 'objectClass=*', ['NamingContexts'])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 559, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 918, in search_ext_s
    return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 865, in _apply_method_s
    self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 839, in reconnect
    raise e
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Joinscript 18python-univention-directory-manager.inst finished with exitcode 3
Setting up psmisc (22.21-2) ...
Setting up slapd (2.4.42+dfsg-2.A~4.2.0.201703081826) ...
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.42+dfsg-2.219.201612021613... done.
  Moving old database directories to /var/backups:
  - directory dc=huf,dc=intranet... done.
  Loading from /var/backups/slapd-2.4.42+dfsg-2.219.201612021613: 
  - directory dc=huf,dc=intranet... failed.

Loading the database from the LDIF dump failed with the following
error while running slapadd:
    58f8e2a6 OVER: Loading Translog Overlay
    58f8e2a7 OVER: db_init
    58f8e2a7 OVER: Configuring Translog Overlay
    58f8e2a7 OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
    58f8e2a7 <= str2entry: str2ad(UNIVENTIONCERTIFICATEDAYS): attribute type undefined
    slapadd: could not parse entry (line=28107)
    58f8e2a7 OVER: db_close
    58f8e2a7 OVER: db_destroy
dpkg: error processing package slapd (--configure):
 subprocess installed post-installation script returned error exit status 1

Cant upgrade to 4.2 : Component 'cool-solutions' is not yet available for newer release versions
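The question above (how to get rid of the entries that still reference the removed schema) is answered by the thread with "keep the packages installed and disable the repo". For a system where the packages are already gone, the following added example (not from the thread and not UCS tooling) scans an LDIF dump, e.g. from `slapcat -l dump.ldif` on the master, for the objectClass and attributes named in the error output, and produces either ldapmodify input or a cleaned dump for slapadd. The names come from the log lines above; that these two attributes are the only ones contributed by `univentionManageCertificates` is an assumption to check against the package's schema file. The sample dump is constructed.

```python
"""Find and strip LDAP entries that still carry the schema elements of the
removed univention-usercert / univention-windowscert packages (added example)."""
import base64
import re
import sys

OBJECTCLASS = "univentionManageCertificates"          # from the slapschema error
ATTRIBUTES = ("univentionCreateRevokeCertificate",     # from the slapadd errors
              "univentionCertificateDays")
ATTR_LOWER = {a.lower(): a for a in ATTRIBUTES}
LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")

# Constructed sample dump: two entries as in the thread's error output, one clean.
SAMPLE = """\
dn: uid=mfrie,cn=users,dc=huf,dc=intranet
objectClass: top
objectClass: person
objectClass: univentionManageCertificates
uid: mfrie
univentionCreateRevokeCertificate: 1
univentionCertificateDays: 365

dn: cn=PC-08,cn=computers,dc=huf,dc=intranet
objectClass: top
objectClass: device
objectClass: univentionManageCertificates
cn: PC-08
univentionCertificateDays: 730

dn: cn=PC-09,cn=computers,dc=huf,dc=intranet
objectClass: top
objectClass: device
cn: PC-09
description:: UEMtMDkgaXMgY2xlYW4=
"""


def logical_records(text):
    """Split LDIF into records, unfolding continuation lines (RFC 2849)."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith("#") or raw.startswith("version:"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            elif raw.strip():
                lines.append(raw)
        if lines:
            records.append(lines)
    return records


def split_line(line):
    """'attr: value' or 'attr:: base64' -> (attr, decoded value)."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not an LDIF attrval line: %r" % line)
    name, sep, value = m.groups()
    if sep == "::":
        value = base64.b64decode(value).decode("utf-8", "replace")
    return name, value


def _scan(rec):
    """Classify one record; returns (dn, objectClass hit, attrs hit, kept lines)."""
    dn, has_oc, present, kept = None, False, set(), []
    for line in rec:
        name, value = split_line(line)
        lname = name.lower()
        if lname == "dn":
            dn = value
        elif lname == "objectclass" and value.lower() == OBJECTCLASS.lower():
            has_oc = True
            continue
        elif lname in ATTR_LOWER:
            present.add(ATTR_LOWER[lname])
            continue
        kept.append(line)
    return dn, has_oc, sorted(present), kept


def offending(text):
    """[(dn, objectClass present?, [attributes present])] for affected entries."""
    out = []
    for rec in logical_records(text):
        dn, has_oc, present, _ = _scan(rec)
        if dn and (has_oc or present):
            out.append((dn, has_oc, present))
    return out


def modify_ldif(text):
    """Online variant: ldapmodify input. Must run while the schema is still
    loaded, since slapd rejects a modify naming an undefined attribute type."""
    recs = []
    for dn, has_oc, present in offending(text):
        rec = ["dn: %s" % dn, "changetype: modify"]
        if has_oc:
            rec += ["delete: objectClass", "objectClass: %s" % OBJECTCLASS, "-"]
        for attr in present:
            rec += ["delete: %s" % attr, "-"]
        recs.append("\n".join(rec))
    return "\n\n".join(recs) + ("\n" if recs else "")


def strip_dump(text):
    """Offline variant: the dump minus the offending lines, for slapadd after
    slapcat with slapd stopped, usable when the schema is already gone."""
    return "\n\n".join("\n".join(_scan(r)[3]) for r in logical_records(text)) + "\n"


if __name__ == "__main__":
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dn, has_oc, present in offending(dump):
        print("%s  objectClass=%s  attrs=%s" % (dn, has_oc, ",".join(present)))
    sys.stdout.write(modify_ldif(dump))
```

Take a slapcat backup before applying either output. On UCS the online variant would be fed to ldapmodify on the master as cn=admin (`ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -f changes.ldif`); the offline variant is for the state shown in the thread, where the types are already unknown to slapd and the reload via slapadd is what fails.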
#2

I add the cool-solutions repo again and reinstall “univention-ldap-usercert univention-usercert univention-windowscert”

slapschema check:

root@pdc:~# slapschema
58f9c46e OVER: Loading Translog Overlay
58f9c46e OVER: db_init
58f9c46e OVER: Configuring Translog Overlay
58f9c46e OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
58f9c46e OVER: db_close
58f9c46e OVER: db_destroy

Now I clone the primary controller into a virtual environment, disable the cool-solutions repo and try to upgrade, leaving the cert packages installed.


#3

Leaving “univention-ldap-usercert univention-usercert univention-windowscert” installed after deactivating the cool-solutions repo is the way to go.

Upgrade is done without errors :grinning:


#4

Good to know :slight_smile:

Thanks for your patience and testing :thumbsup:


#5

Hi npanic,

What do you mean by disable the repo? (Where do you disable it, from the web interface or the command line?)
After disabling it, we don't have to remove “univention-ldap-usercert univention-usercert univention-windowscert”?

Regards,
Vincent


#6

You can deactivate it from the command line.

Execute this on all UCS systems:

ucr set repository/online/component/cool-solutions=no


#7

Leave the packages “univention-ldap-usercert univention-usercert univention-windowscert” installed;
afterwards you can upgrade.

Please do a backup before upgrading.


#8

So now I have this error:

Checking network repository
Update to = 4.2-0
**** Downloading scripts at Thu Apr 27 14:13:14 2017
**** Starting actual update at Thu Apr 27 14:13:23 2017
Running preup.sh script
Thursday 27 April 2017, 14:13:23 (UTC+0200)

HINT:
Please check the release notes carefully BEFORE updating to UCS 4.2-0:
 English version: https://docs.software-univention.de/release-notes-4.2-0-en.html
 German version:  https://docs.software-univention.de/release-notes-4.2-0-de.html

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]? 
Custom preupdate script /var/lib/local-preup.sh not found
Checking for space on /var/cache/apt/archives: OK
Checking for space on /boot: OK
Checking for space on /: OK
Checking for package status: OK
Checking LDAP schema: 5901e066 OVER: Loading Translog Overlay
5901e066 OVER: db_init
5901e066 OVER: Configuring Translog Overlay
5901e066 OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
5901e066 OVER: db_close
5901e066 OVER: db_destroy
OK
/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
WARNING: There are modified Apache configuration files in /etc/univention/templates/files/etc/apache2/sites-available/.
Please restore the original configuration files before upgrading and apply the manual changes again after the upgrade succeeded.
This check can be skipped by setting the UCR
variable update42/ignore_apache_template_checks to yes.
Error: Update aborted by pre-update script of release 4.2-0
exitcode of univention-updater: 1
ERROR: update failed. Please check /var/log/univention/updater.log 

Can we put the script in debug mode to find out which file is modified?

Regards


#9

Well, the script tells you already:

/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts

You can verify this by running:

univention-check-templates

Best regards,
Michael Grandjean


#10
root@dmlabucsmail001:/etc/univention/templates/files/etc/apache2/sites-available/ssl.d# univention-check-templates
WARNING: The following UCR files are modified locally.
Updated versions will be named FILENAME.dpkg-*.
The files should be checked for differences.

/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts

OK thanks

How can I reinstall the original one?

Vincent


#11

Any advice?

vincent


#12

You should see a “10hsts.dpkg-dist“ in addition to the currently used “10hsts“. So the easiest way would be to stop apache, rename “10hsts“ to “10hsts.BAK“, rename “10hsts.dpkg-dist“ to “10hsts“ and restart apache.


#14

I’m sorry but there is no file named like that in the directory:

root@dmlabucsmail001:/etc/univention/templates/files/etc/apache2/sites-available/ssl.d# cd /etc/univention/templates/files/etc/apache2/sites-available/ssl.d
root@dmlabucsmail001:/etc/univention/templates/files/etc/apache2/sites-available/ssl.d# ls -la
total 24
drwxr-xr-x 2 root root 4096 Apr 27 15:15 .
drwxr-xr-x 4 root root 4096 Apr 27 14:13 ..
-rw-r--r-- 1 root root 1311 Oct  6  2015 00start
-rw-r--r-- 1 root root  801 Dec 12 16:24 10hsts
-rw-r--r-- 1 root root  769 Nov 15 17:19 10univention-appcenter
-rw-r--r-- 1 root root   28 Aug 14  2015 99end
root@dmlabucsmail001:/etc/univention/templates/files/etc/apache2/sites-available/ssl.d# more 10hsts 
@!@
import re
RE_TIME = re.compile(r'([0-9]+)([wdhms]?)')
def parse_time(text):
        return reduce(
                lambda s, (v, u): s + int(v, 10) * {
                        '': 1,
                        's': 1,
                        'm': 60,
                        'h': 60*60,
                        'd': 24*60*60,
                        'w': 7*24*60*60,
                }[u],
                RE_TIME.findall(text),
                0)
if configRegistry.is_true('apache2/hsts'):
        options = [
                'max-age=%s' % parse_time(configRegistry.get('apache2/hsts/max-age', '10886400')),
        ]
        if configRegistry.is_true('apache2/hsts/includeSubDomains'):
                options.append('includeSubDomains')
        print '<IfModule mod_headers.c>'
        print 'Header always set Strict-Transport-Security "%s"' % ('; '.join(options),)
        print 'Header set X-Content-Type-Options nosniff'
        print 'Header set X-Frame-Options DENY'
        print 'Header set X-XSS-Protection "1; mode=block"'
        print '</IfModule>'
@!@

#15

As far as I can see, these lines are not present in the original file:

print 'Header set X-Content-Type-Options nosniff'
print 'Header set X-Frame-Options DENY'
print 'Header set X-XSS-Protection "1; mode=block"'

Here is the original file for UCS 4.1: https://forge.univention.org/websvn/filedetails.php?repname=dev&path=%2Fbranches%2Fucs-4.1%2Fucs-4.1-4%2Fservices%2Funivention-apache%2Fconffiles%2Fetc%2Fapache2%2Fsites-available%2Fssl.d%2F10hsts

I understand that it’s sometimes necessary to edit UCR templates, but I strongly recommend to document such changes :slight_smile:

Best regards,
Michael Grandjean
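When the modified template has no `.dpkg-dist` sibling, as in the listing above, the packaged version can still be recovered from the package that ships it. The following is an added example, not from the thread and not part of UCS: it assumes the template is registered as a dpkg conffile of its package (for `10hsts` that package is `univention-apache`, per the source link above, and the script looks it up with `dpkg -S`), detects modification the way dpkg does, by comparing the md5 recorded in the `${Conffiles}` field with the file on disk, and unpacks the pristine copy from the package's `.deb` into a scratch directory for diffing. It overwrites nothing; restoring is left to the operator. The `${Conffiles}` text in the test is constructed.

```python
"""Recover the packaged version of a locally modified UCR template when no
*.dpkg-dist copy exists (added example, not UCS tooling)."""
import hashlib
import os
import re
import subprocess
import sys
import tempfile

# One line of dpkg's ${Conffiles} field: " <path> <md5> [obsolete]"
CONFFILE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{32})(\s+obsolete)?\s*$")


def parse_conffiles(text):
    """Parse the ${Conffiles} field into {path: md5hex}. Obsolete entries are
    kept, since a left-over file can still be flagged as modified."""
    out = {}
    for line in text.splitlines():
        m = CONFFILE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def modified_conffiles(conffiles, md5_of=file_md5, exists=os.path.exists):
    """Subset of conffiles whose on-disk md5 differs from the one dpkg recorded.
    md5_of/exists are injectable so the logic can be exercised without a root fs."""
    return sorted(p for p, md5 in conffiles.items() if exists(p) and md5_of(p) != md5)


def owning_package(path):
    """'dpkg -S' prints '<package>: <path>'; return the package name."""
    out = subprocess.check_output(["dpkg", "-S", path], text=True)
    return out.split(":", 1)[0].strip()


def extract_pristine(pkg, path, workdir):
    """Download pkg's .deb into workdir, unpack it there, return the pristine copy."""
    subprocess.check_call(["apt-get", "download", pkg], cwd=workdir)
    deb = [f for f in os.listdir(workdir) if f.endswith(".deb")][0]
    subprocess.check_call(["dpkg-deb", "-x", os.path.join(workdir, deb), workdir])
    return os.path.join(workdir, path.lstrip("/"))


def main(argv):
    if len(argv) != 2:
        print("usage: %s /etc/univention/templates/files/<template>" % argv[0])
        return 2
    path = argv[1]
    pkg = owning_package(path)
    field = subprocess.check_output(
        ["dpkg-query", "-W", "-f=${Conffiles}\n", pkg], text=True)
    conffiles = parse_conffiles(field)
    if path not in conffiles:
        print("%s is not registered as a conffile of %s" % (path, pkg))
        return 1
    if not modified_conffiles({path: conffiles[path]}):
        print("%s matches the packaged version" % path)
        return 0
    workdir = tempfile.mkdtemp(prefix="ucr-template-")
    pristine = extract_pristine(pkg, path, workdir)
    print("pristine copy unpacked to %s" % pristine)
    subprocess.call(["diff", "-u", pristine, path])   # what was changed locally
    print("to restore: cp %s.local <keep>; cp %s %s; ucr commit" % (path, pristine, path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the diff: it is the record of the local change that Michael recommends documenting, and it is what gets re-applied after the upgrade. After copying the pristine template back, `ucr commit` regenerates the Apache file from it, and `univention-check-templates` should no longer list the path.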


#16

Thanks, the error is gone now.

I’ll try the update.


#17

@npanic
Packages for UCS 4.2 should have been released a couple of hours ago:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Creation_and_management_of_user_and_Windows_certificates

:slight_smile:


#18

This is great!

Is it possible to upgrade without deactivating the cool solutions repo?


#19

Yes, this is now possible. You will get a message if the cool solutions repository is enabled. Also a hint is displayed to set a UCR variable to allow the update to continue.