User certificates

Hello,

I read article about using user certificates
wiki.univention.de/index.php?tit … rtificates
and installed all packages that are described there.

Then I ticked “Create/Revoke Certificate” for TestTest user. I thought that action was performed by web UI, because I didn’t get any error messages.
But when I checked content of folder “/etc/univention/ssl/user/TestTest” I found the following:

-rw-r-x--- 1 TestTest Domain Admins 3299 Июл 26 04:08 openssl.cnf
-rw-r-x--- 1 TestTest Domain Admins 1675 Июл 26 04:08 private.key
-rw-r-x--- 1 TestTest Domain Admins 1180 Июл 26 04:08 req.pem
-rw-r-x--- 1 TestTest Domain Admins    9 Июл 26 04:08 TestTest-p12-password.txt

It looked like there is no certificate, which had to be created by UCS.

Next I increased debug level of the listener and I got this:

LISTENER    ( INFO    ) : manageusercertificate: handler
LISTENER    ( INFO    ) : manageusercertificate: create cert TestTest
LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user check -name 'TestTest' -cn 'TestTest' -sslbase '/etc/univention/ssl' -ca 'ucsCA'
LISTENER    ( INFO    ) : manageusercertificate: run /usr/sbin/univention-certificate-user new -name 'TestTest' -cn 'TestTest' -days '365' -email 'xxx@yyy.com' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/user' -sslbase '/etc/univention/ssl' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'ZZZ' -country 'US' -locality 'US'
LISTENER    ( ERROR   ) : manageusercertificate: failed to add certificate to uid=TestTest,cn=users,dc=zzz,dc=local ([Errno 2] No such file or directory: '/etc/univention/ssl/user/TestTest/cert.cer')
LISTENER    ( INFO    ) : manageusercertificate: handler successfully finished
LISTENER    ( INFO    ) : handler: manageusercertificate (successful)
LISTENER    ( INFO    ) : handler: faillog (successful)

I tried to create user certificate manually but attempt failed.

# /usr/sbin/univention-certificate-user new -name 'TestTest' -cn 'TestTest' -days '365' -email 'xxx@yyy.com' -organizationalunit 'Univention Corporate Server' -certpath '/etc/univention/ssl/user' -sslbase '/etc/univention/ssl' -ca 'ucsCA' -admingroup 'Domain Admins' -state 'US' -organization 'zzz' -country 'US' -locality 'US'
Creating certificate: TestTest
/usr/share/univention-ssl/make-certificates-user.sh: line 86: test: too many arguments
Generating RSA private key, 2048 bit long modulus
..................................+++
.........................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:State or Province Name (full name) [US]:Locality Name (eg, city) [US]:Organization Name (eg, company) [ZZZ]:Organizational Unit Name (eg, section) [Univention Corporate Server]:Common Name (eg, YOUR name) [TestTest]:Email Address [xxx@yyy.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name [Univention GmbH]:Using configuration from openssl.cnf
error on line 31 of config file 'openssl.cnf'
139892952479400:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:585:line 31
Error opening Certificate /etc/univention/ssl/user/TestTest/cert.pem
140650868168360:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('/etc/univention/ssl/user/TestTest/cert.pem','r')
140650868168360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
unable to load certificate
Error opening input file /etc/univention/ssl/user/TestTest/cert.pem
/etc/univention/ssl/user/TestTest/cert.pem: No such file or directory

Could you help me to resolve that?

Thanks in advance.

Hello,

Errata 213 (the univention-ssl package therein) breaks this cool solution at the moment. You would need to use a package version of univention-certificate prior to the errata 213 version and then wait for a fix of the cool solution article.
Please understand that there is no guarantee on cool solutions.

Kind regards,
Jens Thorp-Hansen

Edit: an update for the cool solution is on the way and the article will be updated soon.

Hello,

Thank you very much for your reply.

I believe, we can wait an update of the cool solution.

But could you explain to me how I can install package prior to the errata213? Is there some command for that?
Because I am interested in this functionality and I want to check my test environment, which I was planning to use with user certificates.

Thanks in advance.

Hello,

apt-cache policy should show you the installed version and all available versions. Example from my testsystem with the python package:

root@ucs-4684:~# apt-cache policy python-univention python-univention: Installiert: 9.0.1-3.165.201606091857 Installationskandidat: 9.0.1-7.165.201606291851 Versionstabelle: *** 9.0.1-7.165.201606291851 0 500 http://univention-repository.knut.univention.de/4.1/maintained/component/ 4.1-2-errata/all/ Packages 9.0.1-3.161.201606091857 0 500 http://univention-repository.knut.univention.de/4.1/maintained/component/ 4.1-2-errata/all/ Packages 100 /var/lib/dpkg/status 9.0.1-2.159.201601141456 0 500 http://univention-repository.knut.univention.de/4.1/maintained/ 4.1-1/all/ Packages 9.0.1-1.158.201511032337 0 500 http://univention-repository.knut.univention.de/4.1/maintained/ 4.1-0/all/ Packages 8.0.3-9.156.201506260831 0 500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-3/all/ Packages 8.0.3-3.148.201503181639 0 500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-2/all/ Packages 8.0.3-2.146.201410211723 0 500 http://univention-repository.knut.univention.de/4.0/maintained/ 4.0-0/all/ Packages

apt-get install = installs the version you want. Example from my testsystem with the python package:

 root@ucs-4684:~# apt-get install python-univention=9.0.1-3.161.201606091857

At the moment I cannot exactly say which package is at fault here, either the cool solution or the errata 213 documentation (errata.univention.de) should mention this. You then need to use this package.

Hello,

It is wonderful!

Thank you very much for so detailed explanation.
I will try to use that on our test UCS installation.

There is now a update for univention-usercert available.

I’ve just installed updated packages and checked functionality.
It works perfectly!

It is very pleased that you have updated those unmaintained packages.
You are awesome guys!

Thank you very much!

Mastodon