lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] Cannot connect Ubuntu Agent SSL Error #224

Closed jwindfelder closed 6 months ago

jwindfelder commented 8 months ago

Hello, I am unable to connect any Ubuntu agent to the Lithnet Access Manager with the Linux Agent. I am able to install the agent and run the setup script, however we are seeing the following error in the logs of the Agent. We are running Ubuntu 22.04.3 LTS and the Access Manager is running on a Windows 2022 Standard Server 21H2. LAPS Access Manager version is 2.0.9430.0. Thank you!

```
Lithnet.AccessManager.Agent.AmsLapsAgent[0] Unable to connect to server System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Lithnet.AccessManager.Agent.Shared.Providers.ApiVersionResolver.GetApiVersion() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/ApiVersionResolver.cs:line 61
   at Lithnet.AccessManager.Agent.Shared.Providers.ApiVersionResolver.GetApiVersionAsync() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/ApiVersionResolver.cs:line 41
   at Lithnet.AccessManager.Agent.HostBuilderExtensions.BuildBaseUriVersionedAsync(IServiceProvider serviceProvider) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Extensions/HostBuilderExtensions.cs:line 108
   at Lithnet.AccessManager.Agent.HostBuilderExtensions.<>c.<ConfigureAccessManagerAgent>b__2_6(IServiceProvider serviceProvider, HttpClient c) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Extensions/HostBuilderExtensions.cs:line 73
   at Microsoft.Extensions.DependencyInjection.HttpClientBuilderExtensions.<>c__DisplayClass1_1.<ConfigureHttpClient>b__2(HttpClient client)
   at Microsoft.Extensions.Http.DefaultHttpClientFactory.CreateClient(String name)
   at Lithnet.AccessManager.Agent.Providers.AmsApiHttpClient.get_BaseAddress() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/AmiApiHttpClient.cs:line 31
   at Lithnet.AccessManager.Agent.Providers.AmsApiHttpClient.BuildUrl(String path) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/AmiApiHttpClient.cs:line 40
   at Lithnet.AccessManager.Agent.Providers.RegistrationProvider.GetRegistrationResponse() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/RegistrationProvider.cs:line 54
   at Lithnet.AccessManager.Agent.Providers.RegistrationProvider.RegisterAgent() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/RegistrationProvider.cs:line 34
   at Lithnet.AccessManager.Agent.AmsLapsAgent.CanContinueAms() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 221
   at Lithnet.AccessManager.Agent.AmsLapsAgent.CanContinue() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 149
   at Lithnet.AccessManager.Agent.AmsLapsAgent.DoCheckAsync() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 50
```

ryannewington commented 8 months ago

Hi @jwindfelder

It looks like the OS is unable to validate the TLS certificate used by the AMS server.

The remote certificate is invalid because of errors in the certificate chain: PartialChain

Is it a self-signed certificate or from an internal CA? You'll need to add it to the openssl trust store.

https://ubuntu.com/server/docs/security-trust-store

You can use the verify command from OpenSSL to test the certificate trust outside of Access Manager, which should give you a bit more information about what specifically is wrong.

https://docs.lithnet.io/ams/installation/installing-the-access-manager-agent/installing-the-access-manager-agent-linux#prerequisites

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

jwindfelder commented 8 months ago

I tried to install the cert to the client (running Ubuntu) and it did not work. It seems like it installed fine, however when I try to set up LAPS again it still fails to establish a secure connection.

I have the AMS server running on Windows Server 2022, how should I extract the cert from there to place onto the clients?

jwindfelder commented 7 months ago

Hi any updates?

jcspencer commented 7 months ago

Hi @jwindfelder,

.NET will use the Ubuntu certificate trust store to validate that the certificate matches.

One simple way to test whether the certificate is trusted is to run:

```
curl -vvv https://<your_access_manager_ip>/api
```

If you notice that this command outputs a certificate trust error, it indicates that the certificate is trusted in the OS certificate store.

If the certificate on your AMS server is signed by an internal CA, you will need to import the corresponding CA certificate into the OS trust store.

From the Ubuntu documentation:

To install a certificate in the trust store it must be in PEM form. A PEM-formatted certificate is human-readable in base64 format, and starts with the lines ----BEGIN CERTIFICATE----. If you see these lines, you’re ready to install. If not, it is most likely a DER certificate and needs to be converted.

Assuming a PEM-formatted root CA certificate is in local-ca.crt, follow the steps below to install it.

Note: It is important to have the .crt extension on the file, otherwise it will not be processed.

```
$ sudo apt-get install -y ca-certificates
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
```

Let us know if this fixes your issue!

jwindfelder commented 7 months ago

I just installed the .crt file in PEM format. When I make a request to the server with curl I get a good response (see below). However, when I try to reconfigure the AMS agent it throws the same SSL error.

jcspencer commented 7 months ago

Hi @jwindfelder, that's very strange!

If you look at the certificate in the browser, are there any intermediate certificates in the path?

You may need to import the intermediate certificate into the store too. It seems .NET is unable to validate the full chain.

Let me know if this changes the agent's response - in the meantime I will investigate whether this is something we can change in the agent itself.

Cheers

jwindfelder commented 7 months ago

Looks like there is no other cert.

ryannewington commented 7 months ago

@jwindfelder was this a self-signed certificate generated via PowerShell?

jwindfelder commented 7 months ago

No, this was generated via the Lithnet AMS management application.

ryannewington commented 7 months ago

@jwindfelder the AMS doesn't provide a mechanism to generate certificates.

The reason I ask is that self-signed certificates generated from PowerShell are known to have issues being added to the trust store on Linux. They are missing an attribute needed to be recognised as a CA cert.
