User certificates


#1

Hello,

I read the article about using user certificates
wiki.univention.de/index.php?tit … rtificates
and installed all packages that are described there.

Then I ticked “Create/Revoke Certificate” for the TestTest user. I thought that the action was performed by the web UI, because I didn’t get any error messages.
But when I checked the content of the folder “/etc/univention/ssl/user/TestTest” I found the following:

-rw-r-x--- 1 TestTest Domain Admins 3299 Июл 26 04:08 openssl.cnf
-rw-r-x--- 1 TestTest Domain Admins 1675 Июл 26 04:08 private.key
-rw-r-x--- 1 TestTest Domain Admins 1180 Июл 26 04:08 req.pem
-rw-r-x--- 1 TestTest Domain Admins    9 Июл 26 04:08 TestTest-p12-password.txt

It looked like there was no certificate, which should have been created by UCS.

Next I increased the debug level of the listener and I got this:

LISTENER    ( INFO    ) : manageusercertificate: handler
LISTENER    ( INFO    ) : manageusercertificate: create cert TestTest
LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name 'TestTest' -cn 'TestTest' -sslbase '/etc/univention/ssl' -ca 'ucsCA'
LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'TestTest' -cn 'TestTest' -days '365' -email 'xxx@yyy.com' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/user' -sslbase '/etc/univention/ssl' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'ZZZ' -country 'US' -locality 'US'
LISTENER    ( ERROR   ) : manageusercertificate: failed to add certificate to uid=TestTest,cn=users,dc=zzz,dc=local ([Errno 2] No such file or directory: '/etc/univention/ssl/user/TestTest/cert.cer')
LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
LISTENER    ( INFO    ) : handler: manageusercertificate (successful)
LISTENER    ( INFO    ) : handler: faillog (successful)

I tried to create the user certificate manually, but the attempt failed.

# /usr/sbin/univention-certificate-user new -name 'TestTest' -cn 'TestTest' -days '365' -email 'xxx@yyy.com' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/user' -sslbase '/etc/univention/ssl' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'zzz' -country 'US' -locality 'US'
Creating certificate: TestTest
/usr/share/univention-ssl/make-certificates-user.sh: line 86: test: too many arguments
Generating RSA private key, 2048 bit long modulus
..................................+++
.........................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:State or Province Name (full name) [US]:Locality Name (eg, city) [US]:Organization Name (eg, company) [ZZZ]:Organizational Unit Name (eg, section) [Univention Corporate Server]:Common Name (eg, YOUR name) [TestTest]:Email Address [xxx@yyy.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name [Univention GmbH]:Using configuration from openssl.cnf
error on line 31 of config file 'openssl.cnf'
139892952479400:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:585:line 31
Error opening Certificate /etc/univention/ssl/user/TestTest/cert.pem
140650868168360:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('/etc/univention/ssl/user/TestTest/cert.pem','r')
140650868168360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
unable to load certificate
Error opening input file /etc/univention/ssl/user/TestTest/cert.pem
/etc/univention/ssl/user/TestTest/cert.pem: No such file or directory

Could you help me to resolve that?

Thanks in advance.
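Two checks that follow from the output in this post, as an added shell example that is not part of the thread or of Univention's scripts: it shows how an unquoted `test` operand containing a space produces exactly the "too many arguments" error seen from make-certificates-user.sh (that the space in 'Domain Admins' is the trigger at line 86 is an assumption), and a directory check that does not rely on the listener's "successfully finished" line.

```shell
#!/bin/sh
# Added example for this thread, not code from Univention or the poster.
# 1. why "test: too many arguments" appears when a script compares an unquoted
#    variable whose value contains a space (the run passes -admingroup
#    'Domain Admins'; that this trips line 86 of make-certificates-user.sh is
#    an assumption, not confirmed by the thread);
# 2. a check of a user certificate directory that does not trust the
#    listener's "handler successfully finished" line.

# Fragile form: the unquoted $1 splits into two words, so test receives
# 'Domain Admins = Domain Admins', reports a usage error and exits with 2.
# A script without 'set -e' keeps going as if the comparison were false.
fragile_match() {
    rc=0
    test $1 = "Domain Admins" 2>/dev/null || rc=$?
    echo "$rc"
}

# Hardened form: quoting keeps the value as one argument, so the result is a
# real 0 (match) / 1 (no match) instead of a usage error.
hardened_match() {
    rc=0
    test "$1" = "Domain Admins" || rc=$?
    echo "$rc"
}

# Files a completed run should leave under /etc/univention/ssl/user/<uid>,
# inferred from the thread: private.key and req.pem are in the listing,
# cert.pem is what the tool fails to open, cert.cer is what the listener wants.
EXPECTED_FILES="private.key req.pem cert.pem cert.cer"

# missing_user_cert_files DIR -> prints the expected files that are absent or empty
missing_user_cert_files() {
    missing=""
    for f in $EXPECTED_FILES; do
        [ -s "$1/$f" ] || missing="$missing $f"
    done
    echo "${missing# }"
}

# Constructed sample: recreate the poster's directory listing in a temp dir.
demo() {
    d=$(mktemp -d)
    for f in openssl.cnf private.key req.pem TestTest-p12-password.txt; do
        echo placeholder > "$d/$f"
    done
    echo "unquoted test status: $(fragile_match 'Domain Admins')"   # 2
    echo "quoted test status:   $(hardened_match 'Domain Admins')"  # 0
    echo "missing after run:    $(missing_user_cert_files "$d")"    # cert.pem cert.cer
    rm -rf "$d"
}
demo
```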


#2

Hello,

Errata 213 (the univention-ssl package therein) breaks this cool solution at the moment. You would need to use a package version of univention-certificate prior to the errata 213 version and then wait for a fix of the cool solution article.
Please understand that there is no guarantee on cool solutions.

Kind regards,
Jens Thorp-Hansen

Edit: an update for the cool solution is on the way and the article will be updated soon.


#3

Hello,

Thank you very much for your reply.

I believe we can wait for an update of the cool solution.

But could you explain to me how I can install the package version prior to errata 213? Is there some command for that?
I am interested in this functionality and I want to check it in my test environment, which I was planning to use with user certificates.

Thanks in advance.


#4

Hello,

apt-cache policy should show you the installed version and all available versions. Example from my test system with the python package:

root@ucs-4684:~# apt-cache policy python-univention
python-univention:
  Installiert: 9.0.1-3.165.201606091857
  Installationskandidat: 9.0.1-7.165.201606291851
  Versionstabelle:
 *** 9.0.1-7.165.201606291851 0
        500 http://univention-repository.knut.univention.de/4.1/maintained/component/ 4.1-2-errata/all/ Packages
     9.0.1-3.161.201606091857 0
        500 http://univention-repository.knut.univention.de/4.1/maintained/component/ 4.1-2-errata/all/ Packages
        100 /var/lib/dpkg/status
     9.0.1-2.159.201601141456 0
        500 http://univention-repository.knut.univention.de/4.1/maintained/ 4.1-1/all/ Packages
     9.0.1-1.158.201511032337 0
        500 http://univention-repository.knut.univention.de/4.1/maintained/ 4.1-0/all/ Packages
     8.0.3-9.156.201506260831 0
        500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-3/all/ Packages
     8.0.3-3.148.201503181639 0
        500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-2/all/ Packages
     8.0.3-2.146.201410211723 0
        500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-0/all/ Packages

apt-get install <package>=<version> installs the version you want. Example from my test system with the python package:

root@ucs-4684:~# apt-get install python-univention=9.0.1-3.161.201606091857

At the moment I cannot say exactly which package is at fault here; either the cool solution or the errata 213 documentation (errata.univention.de) should mention this. You then need to use this package.


#5

Hello,

It is wonderful!

Thank you very much for such a detailed explanation.
I will try to use that on our test UCS installation.


#6

There is now an update for univention-usercert available.


#7

I’ve just installed the updated packages and checked the functionality.
It works perfectly!

It is very pleasing that you have updated those unmaintained packages.
You are awesome guys!

Thank you very much!