Certificate auto-enrollment not working on 24.04 #1106

Open
2 tasks done
falencastro opened this issue Sep 23, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@falencastro
Contributor

Is there an existing issue for this?

  • I have searched the existing issues and found none that matched mine

Describe the issue

Certificate auto-enrollment is not working on Ubuntu Noble, due to python3-cepces calling a deprecated method from cryptography.

journalctl -u certmonger

Sep 17 16:33:49 server1.domain1.local certmonger[37970]: 2024-09-17 16:33:49,102 __main__:ERROR:Traceback (most recent call last):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/libexec/certmonger/cepces-submit", line 72, in main
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     result = operation()
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 254, in __call__
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     certs = list(self._service.certificate_chain or [])
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 161, in certificate_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     return reversed(self._resolve_chain(data))
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                     ^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 325, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     parent = self._resolve_chain(r.text, cert)
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 295, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     elif self._verify_certificate_signature(child, cert):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

Env:

OS:                     Ubuntu 24.04.1 LTS
Python:                 3.12.3
python3-cepces:         0.3.7-0ubuntu1
python3-cryptography:   41.0.7-4ubuntu0.1

Issue upstream: openSUSE/cepces#41
LP report: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751

Steps to reproduce it

  1. adsysctl policy debug cert-autoenroll-script
  2. chmod +x ./cert-autoenroll
  3. export PYTHONPATH=/usr/share/adsys/python
  4. export KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)
  5. ./cert-autoenroll enroll server1 domain1.local --debug

Ubuntu users: System information

No response

Non Ubuntu users: System information

No response

Additional information

No response

Double check your logs

  • I have redacted any sensitive information from the logs
@falencastro falencastro added the bug Something isn't working label Sep 23, 2024
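
Added example, not cepces code and not the upstream patch: the kind of issuer-signs-child check that the `_verify_certificate_signature(child, cert)` frame in the traceback points to, written against the one-shot `verify()` method that public key objects in current `cryptography` releases provide instead of `verifier()`. It assumes the `cryptography` package is installed; `signed_by`, `make_cert` and `demo` are hypothetical names, and all keys and certificates are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def signed_by(child, issuer):
    """True if issuer's public key verifies the signature on child."""
    key, alg = issuer.public_key(), child.signature_hash_algorithm
    try:
        if isinstance(key, rsa.RSAPublicKey):
            # Assumes PKCS#1 v1.5 signatures; RSASSA-PSS would need padding.PSS.
            key.verify(child.signature, child.tbs_certificate_bytes,
                       padding.PKCS1v15(), alg)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            key.verify(child.signature, child.tbs_certificate_bytes, ec.ECDSA(alg))
        else:
            return False  # key type not handled in this example
    except InvalidSignature:
        return False
    return True


def make_cert(cn, key, issuer_cn, issuer_key):  # constructed test certs only
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(issuer_key, hashes.SHA256())
    )


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Constructed RSA CA", ca_key, "Constructed RSA CA", ca_key)
    ec_ca = make_cert("Constructed EC CA", ec_key, "Constructed EC CA", ec_key)
    leaf = make_cert("server1", leaf_key, "Constructed RSA CA", ca_key)
    return signed_by(leaf, ca), signed_by(ec_ca, ec_ca), signed_by(leaf, ec_ca)
```

This checks the signature only; a full chain check also has to cover validity dates, name chaining and CA constraints.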
@didrocks
Member

Thanks @falencastro for reporting this bug, isolating the issue and fixing it upstream!

It seems we then need to backport this patch to the python-cepces package against Ubuntu on Launchpad (https://launchpad.net/ubuntu/+source/python-cepces)? That will help us start the Stable Release Upgrade process to backport the fix to 24.04 and oracular. You can link it here then and we will ensure this gets in.

Thanks again for the report and for digging into it!

@falencastro
Contributor Author

I opened a case with Canonical support and they created an LP for it: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751

Thx!

@didrocks
Member

Thanks a lot! We are looking into why our end-to-end tests, which run on noble and test certificates, didn’t catch it. Thanks again for the report. I’m keeping it open to track that the cepces part gets under way in Ubuntu.
