chrismarget / certbot-asa

Cisco ASA plugin for certbot

Unable to complete enrollment on Ubuntu #3

Open Sinaloit opened 7 years ago

Sinaloit commented 7 years ago

I was able to use SSL_CERT_FILE= to get the command line to work but the following happens:

Removed all but the last 3 from the traceback:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='asa-mgmt', port=443): Max retries exceeded with url: /api/certificate/identity (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

If I use it with just the asa-store option I get an SSL Certificate Validation failure with asa-mgmt. I did use c_rehash on the cert directory. I'm using Ubuntu 16.04. I've also created a cert-validation.cfg file in the /etc/python directory with the following:

[https]
verify=enable

but I'm unsure if that is the proper location for Ubuntu; it seems to be, though. Unsure if this is something wrong on my end or with the actual scripts.

chrismarget commented 7 years ago

I've not been down this road on Ubuntu.

Is the curl test (the one without the -k option specified in the readme) working? Asking to make sure you're clear of ASA bug CSCve20346.

The traceback suggests to me that you're not finding the CA certificate which validates the management call to the REST API.

I don't think you need to enable cert validation in a config file because my code is aggressive about requiring it. Not sure though. Anyway, if your verify=enable _wasn't_ working, the failure mode would be accidental success in talking to the server. That is, validation failures would be silently ignored.

The c_rehash thing is only required if we're pointing the python requests() module at a folder. Point it at a specific file (you can do either with the certbot-asa options) and c_rehash isn't required.
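An added diagnostic (not part of certbot-asa or this thread) that checks a CA store path the way the distinction above matters to the `requests` library: a single PEM file just needs certificate blocks, while a directory only works if it contains the hash-named entries that `c_rehash` / `openssl rehash` create. The `check_castore` name and the output dict layout are my own.

```python
import os
import re
from typing import Dict, List

# OpenSSL capath lookups only find entries named like "a94d09e5.0"
# (8 hex digits of the subject hash, a dot, an index). c_rehash creates
# these links; a directory of plain .pem files without them is not usable.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def count_pem_certs(path: str) -> int:
    """Count PEM certificate blocks in a bundle file (0 means DER or wrong file)."""
    with open(path, "r", errors="replace") as fh:
        return fh.read().count(PEM_BEGIN)


def check_castore(path: str) -> Dict[str, object]:
    """Report whether `path` would work as the verify= value for requests.

    Returns a dict with 'kind' ('file', 'dir' or 'missing'), 'usable',
    and a list of human-readable 'problems'.
    """
    problems: List[str] = []
    if os.path.isfile(path):
        n = count_pem_certs(path)
        if n == 0:
            problems.append("no PEM certificate blocks found (DER-encoded or wrong file?)")
        return {"kind": "file", "certs": n, "usable": n > 0, "problems": problems}
    if os.path.isdir(path):
        entries = os.listdir(path)
        hashed = sorted(e for e in entries if HASH_NAME.match(e))
        pems = sorted(e for e in entries if e.endswith((".pem", ".crt")))
        if not hashed:
            problems.append(
                "no hash-named entries: run c_rehash (or 'openssl rehash') on this "
                "directory, or point the option at a single .pem file instead"
            )
        return {"kind": "dir", "hashed": hashed, "pems": pems,
                "usable": bool(hashed), "problems": problems}
    return {"kind": "missing", "usable": False, "problems": ["path does not exist"]}


if __name__ == "__main__":
    import sys
    print(check_castore(sys.argv[1]))
```

Run it against the value you pass to `--certbot-asa:asa-castore`; an unusable directory result explains the validation failure before any request is made.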

Sinaloit commented 7 years ago

The curl test w/o -k works, and I've updated to 9.8.2 and made it past the ASA portion of the negotiations. Oddly, if I try pointing it at a specific file it fails with the

PluginError("SSL Certificate Validation failure with asa-mgmt. Consider using the `ignore_cert' CLI option for this plugin.",)

error. Using SSL_CERT_FILE before the command gets me past that, but it chokes later.

I am currently pointing it at a folder that I used c_rehash on. Here are the exact commands (folder and specific file) (minus domain name):

certbot-asa:asa -d <myDomain> --certbot-asa:asa-host asa-mgmt --certbot-asa:asa-castore /etc/ssl/certs
certbot-asa:asa -d <myDomain> --certbot-asa:asa-host asa-mgmt --certbot-asa:asa-castore /etc/ssl/certs/asa-mgmt.pem

To be clear, the command that I used that got me the furthest (with the error first mentioned above) is:

SSL_CERT_FILE=/etc/ssl/certs/asa-mgmt.pem certbot -a certbot-asa:asa -d <myDomain> --certbot-asa:asa-host asa-mgmt