gaston-alma / munki

Automatically exported from code.google.com/p/munki

Certificate Bundles - Munki Certificate Issue after changing from cURL to NSURL #392

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The certificate import process using the ca.pem file needs to import certificate 
bundles and not just the first certificate in the file. This is what appeared to 
occur when using cURL.

What steps will reproduce the problem?
1. requiring client certificate authentication on Munki Server
2. Having a CA Chain in Managed Installs/cert/ca.pem (structure root CA then 
intermediate CA)
3. running Munkitools 2.1.1.2353 on client machine
4. running managedsoftwareupdate --checkonly

What is the expected output?

Managed Software Update Tool
Copyright 2010-2014 The Munki Project
https://github.com/munki/munki

Starting...
    Performing preflight tasks...
    preflight stdout: 
        -- Executing: /usr/local/munki/preflight.d/disableUpdates --
        Disable update check requires run type. Assuming enabled and exiting...

        -- Executing: /usr/local/munki/preflight.d/munkiwebadmin_preflight --
        Preflight report submmitted for mac01.edu.au.
    Completed creation of client keychain at /Library/Managed Installs/Keychains/munki.keychain
Checking for available updates.

What do you see instead?

Managed Software Update Tool
Copyright 2010-2014 The Munki Project
https://github.com/munki/munki

Starting...
    Performing preflight tasks...
    preflight stdout: 
        -- Executing: /usr/local/munki/preflight.d/disableUpdates --
        Disable update check requires run type. Assuming enabled and exiting...

        -- Executing: /usr/local/munki/preflight.d/munkiwebadmin_preflight --
        Preflight report submmitted for mac01.edu.au.
    Completed creation of client keychain at /Library/Managed Installs/Keychains/munki.keychain
Checking for available updates...
2015-01-21 12:31:18.943 Python[49605:2b23] CFNetwork SSLHandshake failed (-9831)
2015-01-21 12:31:18.944 Python[49605:2b23] NSURLConnection/CFURLConnection HTTP 
load failed (kCFStreamErrorDomainSSL, -9831)
ERROR: Could not retrieve manifest mac01 from the server: Error -1205: The 
server “munkiprod.edu.au” did not accept the certificate.
ERROR: Could not retrieve managed install primary manifest.

What version of the Munki tools/InstallOSpkg tools are you using? On what
version of OS X? running OS X 10.9.5 with Munkitools 2.1.1.2353 

Please provide any additional information below.

From what I can see, with our ca.pem, which contained the root CA then the 
intermediate CA (the intermediate CA is used to sign the client certificate), 
only the first certificate is imported into the keychain when running 
managedsoftwareupdate. In this case the intermediate CA was never imported, and 
as a result the client's certificate is untrusted.

I was able to validate this by adjusting the ca.pem file to only include the 
intermediate CA. When running managedsoftwareupdate the certificate was 
imported, but due to it not being trusted it still failed with the error 
"ERROR: Could not add CA cert /Library/Managed Installs/certs/ca.pem into 
System keychain: 1: SecTrustSettingsSetTrustSettings: One or more parameters 
passed to a function were not valid."

Checking the keychain, I could see the intermediate CA was now in the keychain.

I then changed back to having the ca.pem file with the root CA then the 
intermediate CA. Running managedsoftwareupdate then updated as expected, as the 
keychain was now able to associate the client certificate with the intermediate 
CA, which was associated with the root CA.

Original issue reported on code.google.com by LT.Shall...@gmail.com on 21 Jan 2015 at 7:21
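The failure described in this report is that a PEM bundle (root CA followed by intermediate CA) was only partially imported, so the chain could not be built. The following is an added example, not Munki's own code and not code from the reporter: a small stdlib-only Python checker that splits a PEM bundle into every certificate it contains, fingerprints each one, and reports which bundle members are absent from a set of "already imported" fingerprints. The ca.pem contents are constructed placeholders (base64 text in certificate-shaped blocks, not real certificates), and `first_cert_only` is a hypothetical model of a loader that stops after the first block, included only to show what the check detects.

```python
import base64
import hashlib
import re

# Constructed stand-in bodies. These are NOT real certificates; they are only
# base64 payloads so the bundle has the shape of a two-member PEM file.
_ROOT_BODY = base64.b64encode(b"constructed root CA placeholder").decode()
_INTERMEDIATE_BODY = base64.b64encode(b"constructed intermediate CA placeholder").decode()


def pem_block(body: str) -> str:
    """Wrap a base64 body in the PEM certificate armour."""
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed ca.pem in the order the report describes: root first, then intermediate.
SAMPLE_CA_PEM = pem_block(_ROOT_BODY) + pem_block(_INTERMEDIATE_BODY)

# Matches one PEM certificate block; DOTALL so wrapped base64 lines are captured.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> list[bytes]:
    """Return every certificate in the bundle, in file order, as DER bytes.

    A bundle-aware loader must iterate over all blocks; reading only the first
    one is exactly the defect the report describes.
    """
    ders = []
    for match in _PEM_RE.finditer(text):
        body = "".join(match.group(1).split())  # drop line wrapping
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, the usual way to compare certs."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(text: str) -> list[str]:
    return [fingerprint(der) for der in split_pem_bundle(text)]


def first_cert_only(text: str) -> list[bytes]:
    """Hypothetical model of the failing behaviour: stop after the first block."""
    return split_pem_bundle(text)[:1]


def missing_from_keychain(bundle_text: str, imported_fps: list[str]) -> list[str]:
    """Fingerprints present in the bundle but absent from the imported set.

    In practice imported_fps would be built from the certificates actually
    present in the client keychain; here the caller supplies them.
    """
    imported = set(imported_fps)
    return [fp for fp in bundle_fingerprints(bundle_text) if fp not in imported]


if __name__ == "__main__":
    expected = bundle_fingerprints(SAMPLE_CA_PEM)
    print(f"bundle contains {len(expected)} certificate(s)")
    partial = [fingerprint(der) for der in first_cert_only(SAMPLE_CA_PEM)]
    for fp in missing_from_keychain(SAMPLE_CA_PEM, partial):
        print("NOT imported:", fp)
```

Run against a real ca.pem, `split_pem_bundle` should return as many entries as the chain has members (two in the reporter's setup); if the keychain holds fewer fingerprints than the bundle, the chain cannot be validated and the client certificate will be rejected, which is the symptom seen in the SSLHandshake failure above.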

GoogleCodeExporter commented 8 years ago
Munki moved to GitHub back in September. Please open an issue here: 
https://github.com/munki/munki/issues (should be mostly copy/paste)

Original comment by gregnea...@mac.com on 21 Jan 2015 at 2:21

GoogleCodeExporter commented 8 years ago
Closing since issue was opened on GitHub as requested

Original comment by gregnea...@mac.com on 21 Jan 2015 at 10:26