Hello Valentijn and thanks for this bug report, it really helped me
figure out an otherwise obscure printing issue.
However I don't agree with the suggested solution: the security model of
cups for ipps is TOFU (trust on first use): the certificate is accepted
the first time and then expected to be the same in the future. This is
why the printer certificate is saved to file in the first place. (This
approach is similar to what SSH uses: the first time you connect to a
host the pubkey is saved in authorized_keys; if at some point the key
changes ssh will refuse to connect and require manual deletion of the
old key from authorized_keys.)
I think this is a UI issue: from the cups web interface or cups logs it
was not clear at all that the issue was with ipps certificate
validation. Cups (or maybe the ipps backend? I'm not that familiar with
cups internals) should log a proper error message instead.
** Changed in: cups (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1984107
Title:
Printer SSL certificates are added but never removed, resulting in "no
suitable destination host found by cups-browsed"
Status in cups package in Ubuntu:
Confirmed
Bug description:
If a printer preferrably prints through ipps, Cups will store the
printers (self signed) certificate in /etc/cups/ssl/
However, if this certificate becomes outdated or invalid, or if it
changes, it will *not be removed* and Cups only complains that the
"backend returned status 4", "No suitable destination host found by
cups-browsed". Even removing the printer manually will not remove the
old certificate, rendering the printer invalid for life: when te
printer re-appears, the old, invalid certificate is still there,
resulting in the printer still not working.
Steps to reproduce:
- use a printer that prefers ipps, let's call it printer_bob
- let this printer appear in your printer list
- make a test print
- Now remove the printer and check that the certificate will survive:
lpadmin -x printer_bob; ls -al /etc/cups/ssl/*bob*crt
What happens:
- certificate is still there
What should happen:
- a removed printer should not have a certificate left
Now in this example, it's rather harmless because the certificate is
probably still valid. But a printer update, rename or otherwise will
render it invalid and printing will become impossible.
You could simulate a name change for printers:
mv /etc/cups/ssl/printer-carol.local.crt /etc/cups/ssl/printer-bob.local.crt
Or simply mess up the certificate:
sed -i '2s/./a/g' /etc/cups/ssl/printer-bob.local.crt
After this, you will *not* be able to print to printer-bob, because
bob has the wrong certificate (obviously). Removing printer-bob does
not help. You will need to manually remove the certificate in order to
make bob print again. /var/log/cups/error.log will only say that "no
suitable destination host found", which is not true: there *is* a
destination but the SSL certificate does not match and Cups will only
try the first printing method, ipps.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1984107/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
