Y2k38 Information
Description:
Astaro systems create signing certificates for several functions. These certificates are created with the largest permitted
lifetime, or 9999 days. On September 4, 2010 at 3:14:07 GMT, any new signing certificates created by unpatched Astaro
systems will be created with an expiry date in the past, due to the Y2k38 problem. On older versions, newly user
certificates will also be invalid.
The contents of this article was created by Astaro Support. The content of this article has been validated
Y2k38 Information
Affected systems
An unfixed system is any unit older than 7.507/8.001/2.201 AND without the y2k38 rpm which was spread via pattern (or
-in special cases- via Support).
Problematic areas
FOR ALL AFFECTED SYSTEMS
You should be able to see invalid certificates within the 'Certificate Management' section in WebAdmin. Please check the
end dates of the certificates listed there - it should be far in the future but not in the past.
2.1) Basic setup, which creates 3 CAs for WebAdmin, VPN/users and HTTPS Proxy
• WebAdmin CA will cause an additional browser warning. Connecting to WebAdmin via HTTPS should still be
possible.
As user certs will get invalid once the CA is invalid, services using these certs like SSL VPN will not work.
• HTTPS Proxy CA will be used for generating SSL certs when the proxy is configured to also handle HTTPS
traffic. Certs will always last for 10 years, but the CA will be invalid.
Depending on the exact software version and the exact end of the validity period of the WebAdmin CA, the new
WebAdmin certificate may be invalid.
Whenever we refer to 'update' in the instructions below you can choose from the following four methods:
3.1) Update. EITHER Run factory reset OR import a backup created before 9/4.
In the rare case that neither a factory reset nor importing a clean backup is acceptable, you can try to repair all
consequences of the corrupted basic setup manually, though this is rather complicated and not recommended.
The main challenge is to regenerate the WebAdmin CA, not to be confused with regenerating the WebAdmin certificate,
which would not be sufficient in the present context.
To delete the WebAdmin CA and create a new one, Astaro Support engineers have access to the following shell script,
which is too dangerous to be made available to the general public:
http://wiki.intranet.astaro.de/Image:Delete_webadmin_ca_V7.sh
3.2) Disable Email Encryption. Update. Reenable and then Reset Email encryption.
3.6) Update. Regenerate HTTPS Proxy CA again. Spread/download Proxy verification CA to browsers again.
Deleting a user who had an invalid certificate typically leaves behind an invalid index file in the CA that was used to sign
the user's certificate. In case you cannot create new user accounts and the Confd debug log file (/var/log/confd-debug.log
on ASG V8, /tmp/confd-debug.log on ASG V7) shows the error message
please contact Astaro Support and ask the support engineer to follow the instructions Restricted:Repair corrupted CA
index.
Never install the y2k38 patch on versions 7.507, 8.001, 2.201 or higher. It does not add additional safety to these
systems.
rpm -q y2k38
returns:
package y2k38 is not installed
or:
y2k38-2010-1
• If the package is not installed, then run the following commands to install it:
cd /home/login
wget www.astarosupport.org/files/y2k38-2010-1.i686.rpm
rpm -Uhv y2k38-2010-1.i686.rpm