search

openSUSE / cepces

cepces is an application for enrolling certificates through CEP and CES.
GNU General Public License v3.0
30 stars 21 forks source link

Error with --principals CA parameter #27

Open adam-kosseck opened 2 years ago

adam-kosseck commented 2 years ago

Following setup instructions in the cepces project's readme.rst I add a cepces-ca like this: getcert add-ca -c cepces-ca -e '/usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$@TEST.LOCAL'

This then shows up under getcert:

CA 'cepces-ca':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$@TEST.LOCAL

However when I try to generate a cert request it fails:

Oct 31 14:21:23 vm1 certmonger[1936]: 2022-10-31 14:21:23,777 __main__:ERROR:Traceback (most recent call last):
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/libexec/certmonger/cepces-submit", line 64, in main
Oct 31 14:21:23 vm1 certmonger[1936]:    krb5_overrides=krb5_overrides)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib/python3.6/site-packages/cepces/config.py", line 144, in load
Oct 31 14:21:23 vm1 certmonger[1936]:    config['kerberos'][key] = val
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 1238, in __setitem__
Oct 31 14:21:23 vm1 certmonger[1936]:    return self._parser.set(self._name, key, value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 1193, in set
Oct 31 14:21:23 vm1 certmonger[1936]:    super().set(section, option, value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 894, in set
Oct 31 14:21:23 vm1 certmonger[1936]:    value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 463, in before_set
Oct 31 14:21:23 vm1 certmonger[1936]:    "position %d" % (value, tmp_value.find('$')))
Oct 31 14:21:23 vm1 certmonger[1936]: ValueError: invalid interpolation syntax in 'VM1$@TEST.LOCAL' at position 3

For reference the keytab is like this:

[root@vm1 log]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 27/10/22 15:48:51 VM1$@TEST.LOCAL
   2 27/10/22 15:48:51 VM1$@TEST.LOCAL
   2 27/10/22 15:48:51 host/VM1@TEST.LOCAL
   2 27/10/22 15:48:51 host/VM1@TEST.LOCAL
   2 27/10/22 15:48:51 host/vm1.test.local@TEST.LOCAL
   2 27/10/22 15:48:51 host/vm1.test.local@TEST.LOCAL
   2 27/10/22 15:48:51 RestrictedKrbHost/VM1@TEST.LOCAL
   2 27/10/22 15:48:51 RestrictedKrbHost/VM1@TEST.LOCAL
   2 27/10/22 15:48:51 RestrictedKrbHost/vm1.test.local@TEST.LOCAL
   2 27/10/22 15:48:51 RestrictedKrbHost/vm1.test.local@TEST.LOCAL

If I add the CA without the --principals option, I do not get this error.

This is on a RHEL 8.6 system, running cepces 0.3.5-6.el8.noarch

dmulder commented 1 year ago

Oh, it's because it's trying to do a string replace on 'principals'. The 'principals' keyword isn't supposed to be the actual principal, but a matching string. Take a look at cepces.conf:

# A list of principals to try when requesting a ticket.
#
# Default: <empty list>
principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}

So in your example, you would want to either set --principals='host/${fqdn}', or just leave out that parameter and let it do automatic matching.

dmulder commented 1 year ago

I think you can work around this by instead using '$$' in the principal name:

getcert add-ca -c cepces-ca -e '/usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$$@TEST.LOCAL'
adam-kosseck commented 1 year ago

Ok if it's a usage issue then the docs need to be updated: