
Astaro Support Center

Y2k38 Information

Last Updated: 09/17/2010

Description:
Astaro systems create signing certificates for several functions. These certificates are created with the largest permitted
lifetime, 9999 days. A signed 32-bit time value cannot represent any moment after January 19, 2038 at 3:14:07 GMT, and
September 4, 2010 at 3:14:07 GMT is exactly 9999 days before that limit. From that moment on, any new signing certificate
created by an unpatched Astaro system gets an expiry date that overflows and wraps into the past (into the year 1901); this is
the Y2k38 problem. On older versions (AxG 7.101 and earlier), newly created user certificates will also be invalid.
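The cutoff date above follows from 32-bit time arithmetic. The following is an added example, not Astaro's code: it assumes the expiry was computed as creation time plus the lifetime in a signed 32-bit time_t (the model the Y2k38 problem implies) and simulates the wrap-around explicitly, because a 64-bit host would not overflow. It also covers the 10-year lifetime of the user and proxy certificates mentioned later in this article.

```python
# Added example (not Astaro's code): reproduce the Y2k38 arithmetic behind the
# 9999-day signing-certificate lifetime. Assumption: notAfter was computed as
# creation time + lifetime in a signed 32-bit time_t; the wrap is modelled
# explicitly because a 64-bit host would not overflow.
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1          # last second a signed 32-bit time_t can hold
LIFETIME_DAYS = 9999           # lifetime Astaro used for signing CAs
USER_CERT_DAYS = 3650          # the "10 years" of user/proxy certificates
DAY = 86400
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(*args):
    """Build a UTC datetime (the article's times are GMT)."""
    return datetime(*args, tzinfo=timezone.utc)


def wrap_int32(value):
    """Reinterpret an integer the way a signed 32-bit time_t stores it."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value >= 2**31 else value


def last_safe_creation_time(days=LIFETIME_DAYS):
    """Last instant at which creation time + days still fits in 31 bits."""
    return EPOCH + timedelta(seconds=INT32_MAX - days * DAY)


def not_after_32bit(created, days=LIFETIME_DAYS):
    """notAfter as a 32-bit time_t computes it: wraps into 1901 once it overflows."""
    secs = int((created - EPOCH).total_seconds()) + days * DAY
    return EPOCH + timedelta(seconds=wrap_int32(secs))


def expires_in_past(created, days=LIFETIME_DAYS):
    """True when the computed notAfter precedes the creation time, i.e. the cert is born expired."""
    return not_after_32bit(created, days) < created


if __name__ == "__main__":
    # -> 2010-09-04 03:14:07+00:00, the date given in this article
    print("last safe CA creation time:", last_safe_creation_time())
    for when in (utc(2010, 9, 4, 3, 14, 7), utc(2010, 9, 4, 3, 14, 8)):
        print(when, "->", not_after_32bit(when), "expired:", expires_in_past(when))
    # 10-year certificates created after 9/4 still fit: they only overflow from January 2028 on
    print("user cert created 2010-09-05 expired:", expires_in_past(utc(2010, 9, 5), USER_CERT_DAYS))
    print("last safe 10-year creation time:", last_safe_creation_time(USER_CERT_DAYS))
```

The one-second difference between the two sample creation times is the whole story: at 3:14:07 the sum is exactly 2^31-1 and the CA is valid until 2038; one second later it wraps to December 1901.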

The contents of this article were created by Astaro Support. The content of this article has been validated.

Affected systems
An unfixed system is any unit running a version older than AxG 7.507 / ASG 8.001 / ACC 2.201 AND without the y2k38 RPM,
which was distributed via pattern update (or, in special cases, via Support).

1.1) AxG <= 7.101

• All CAs generated after 9/4 will be invalid (expired)


• All user certs generated after 9/4 will be invalid

1.2) AxG 7.102-7.506 & ASG 8.000 & ACC 2.000-2.200

• All CAs generated after 9/4 will be invalid (expired)


• Certificates generated after 9/4 will be valid as long as the CA is valid and the CA's validity period ends on day 10 to 31
of a month; if the CA's validity period ends on day 1 to 9 of a month, the certificates will be invalid

Problematic areas
FOR ALL AFFECTED SYSTEMS

You should be able to see invalid certificates within the 'Certificate Management' section in WebAdmin. Please check the
end dates of the certificates listed there: they should be far in the future, never in the past.
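The same end-date check can be scripted from the shell on certificates exported from WebAdmin as PEM files. This is an added example, not Astaro's code: it parses the output of 'openssl x509 -noout -subject -enddate' run over those files, and the SAMPLE_OUTPUT it ships with is constructed for illustration, not taken from a real unit.

```python
# Added example (not Astaro's code): flag certificates whose notAfter already
# lies in the past, from the output of `openssl x509 -noout -subject -enddate`.
# SAMPLE_OUTPUT is constructed: a healthy CA, a Y2k38-wrapped CA and a user cert.
import ssl
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

SAMPLE_OUTPUT = """\
subject= /CN=WebAdmin CA
notAfter=Jan 19 03:14:07 2038 GMT
subject= /CN=VPN CA
notAfter=Dec 13 20:45:52 1901 GMT
subject= /CN=jdoe
notAfter=Sep  5 09:12:00 2020 GMT
"""


def utc(*args):
    """Build a UTC datetime for comparisons."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_enddates(text):
    """Yield (subject, notAfter) pairs from paired subject=/notAfter= lines.

    ssl.cert_time_to_seconds understands OpenSSL's 'Mon DD HH:MM:SS YYYY GMT'
    format, including the double space OpenSSL prints before single-digit days.
    """
    subject = None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter" and subject is not None:
            secs = ssl.cert_time_to_seconds(value.strip())
            # timedelta arithmetic keeps wrapped (pre-1970) dates portable
            yield subject, EPOCH + timedelta(seconds=secs)
            subject = None


def find_expired(text, reference):
    """Subjects whose certificate is already expired at `reference` (a UTC datetime)."""
    return [subj for subj, not_after in parse_enddates(text) if not_after <= reference]


def find_not_far_in_future(text, reference, min_years=1):
    """Subjects whose end date is not 'far in the future': expired or ending within min_years."""
    limit = reference + timedelta(days=365 * min_years)
    return [subj for subj, not_after in parse_enddates(text) if not_after <= limit]


if __name__ == "__main__":
    now = utc(2010, 9, 17)  # this article's 'Last Updated' date
    for subj, not_after in parse_enddates(SAMPLE_OUTPUT):
        flag = "EXPIRED" if not_after <= now else "ok"
        print(f"{subj:20} notAfter={not_after:%Y-%m-%d %H:%M:%S} {flag}")
```

On a unit, feed it the concatenated output of the openssl command over the exported files; a CA that shows up with a 1901 end date is one of the corrupted CAs this article describes.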

On an unfixed system, the following operations are known to cause problems:

2.1) Basic setup, which creates 3 CAs for WebAdmin, VPN/users and HTTPS Proxy

• WebAdmin CA will cause an additional browser warning. Connecting to WebAdmin via HTTPS should still be
possible.

• VPN/user CA will be used for signing user certs. As user certs become invalid once the CA is invalid, services using
these certs, such as SSL VPN, will not work.

• HTTPS Proxy CA will be used for generating SSL certs when the proxy is configured to also handle HTTPS traffic. These
certs always last 10 years, but the CA itself will be invalid.

2.2) Enable or flush Email Encryption

• Email Encryption will not work

2.3) Enable RED

• RED will not work

2.4) Regenerate WebAdmin certificate

Depending on the exact software version and the exact end of the validity period of the WebAdmin CA, the new
WebAdmin certificate may be invalid.

2.5) Regenerate VPN/user CA

2.6) Regenerate HTTPS Proxy CA

FOR AxG <7.102 ONLY (see 1.1)


2.7) Create a new user

• User certs will be invalid regardless of the CA end date.

How to solve on unfixed systems


An unfixed system is any unit running a version older than AxG 7.507 / ASG 8.001 / ACC 2.201 AND without the y2k38 RPM,
which was distributed via pattern update or, in special cases, via Support. In general, the latest images for all types
of units (software, hardware, virtual) are available on our FTP site. We also offer Up2Date packages for offline installation.

Whenever we refer to 'update' in the instructions below, you can choose from the following four methods:

• Apply all System Up2Dates, normally using WebAdmin
♦ This is the recommended standard method.

• Or reinstall from the latest image and reconfigure from scratch
♦ This is recommended when most of your CA certificates are corrupted and when setting up the firewall without a
backup is easy for you because your configuration differs little from the default. Note that creating a backup file
after 9/4, reinstalling and restoring that backup will usually not solve the problem completely: the defective
certificates are contained in the backup and will be back when you restore it, so you still need to clean them up as
described below.

• Or install pattern updates (then check the global pattern version)

• Or install the y2k38 RPM (check with rpm -q y2k38)
♦ The latter two should only be regarded as preliminary workarounds. For maximum protection, you should always
update to the latest System Up2Date version as soon as that is convenient for you.

The items below refer to the corresponding problematic areas.

3.1) Update. Then EITHER run a factory reset OR import a backup created before 9/4.

In the rare case that neither a factory reset nor importing a clean backup is acceptable, you can try to repair all
consequences of the corrupted basic setup manually, though this is rather complicated and not recommended.

• Regarding the VPN/user CA, refer to paragraph 3.5.


• Regarding the HTTP/S Proxy CA, refer to paragraph 3.6.

The main challenge is to regenerate the WebAdmin CA, not to be confused with regenerating the WebAdmin certificate,
which would not be sufficient in the present context.

To delete the WebAdmin CA and create a new one, Astaro Support engineers have access to the following shell script,
which is too dangerous to be made available to the general public:

http://wiki.intranet.astaro.de/Image:Delete_webadmin_ca_V7.sh

3.2) Disable Email Encryption. Update. Reenable and then Reset Email encryption.

3.3) Disable RED. Update. Reenable RED.

3.4) Update. Regenerate WebAdmin certificate again.

3.5) Update. Regenerate VPN/user CA again. Distribute user certs again.

3.6) Update. Regenerate HTTPS Proxy CA again. Distribute/download the Proxy verification CA to browsers again.

3.7) Update. Delete user. Recreate user.

Deleting a user who had an invalid certificate typically leaves behind an invalid entry in the index file of the CA that
signed the user's certificate. If you cannot create new user accounts and the Confd debug log (/var/log/confd-debug.log
on ASG V8, /tmp/confd-debug.log on ASG V7) shows the error message

Using configuration from /etc/ssl/openssl.cnf
entry N: invalid expiry date

please contact Astaro Support and ask the support engineer to follow the instructions in Restricted:Repair corrupted CA
index.

Manually Installing patch


This is only relevant on systems older than 7.507/8.001/2.201 when upgrading to 7.507, 8.001, 2.201 or higher is not an
option. If possible, upgrading is a much better solution.

Never install the y2k38 patch on versions 7.507, 8.001, 2.201 or higher. It adds no additional safety on those
systems.

4.1) Test if patch is already installed

• Login to firewall shell as root


• run the following command:

rpm -q y2k38

This returns either

package y2k38 is not installed

(patch not installed) or

y2k38-2010-1

(patch already installed).

4.2) Installing the patch

• If the package is not installed, then run the following commands to install it:

cd /home/login
wget www.astarosupport.org/files/y2k38-2010-1.i686.rpm
rpm -Uhv y2k38-2010-1.i686.rpm
