scepman / scepclient

A .NET Core SCEP client
GNU General Public License v3.0
8 stars 5 forks

Linux version #6

Closed aitzubi closed 1 year ago

aitzubi commented 1 year ago

Hi @bb-froggy ,

As a recent Scepman customer, I would love to have a Linux version of scepclient. I compiled it using dotnet in Ubuntu but I am getting this error whenever I try to request a cert using the static endpoint:

```
Unhandled exception. System.ArgumentException: The SCEP service uses a certificate that is not trusted in this context. Add the CA certificate to the Trusted Root store in Windows.
   at ScepClient.ScepClient.CreateEnvelopedDataPkcs7(Byte[] pkcs10RequestData, X509Certificate2Collection caChain) in /home/aitzol/scepman/scepclient/ScepClient.cs:line 404
   at ScepClient.ScepClient.SubmitPkcs10ToScep(String scepURL, Byte[] pkcs10, X509Certificate2 signerCert) in /home/aitzol/scepman/scepclient/ScepClient.cs:line 358
   at ScepClient.ScepClient.GenerateNew(String scepURL, String pfxOutputPath, String certOutputPath, String pkcs10OutputPath, String challengePassword, String cN, IEnumerable`1 additionalDNSEntries, IEnumerable`1 keyPurposes) in /home/aitzol/scepman/scepclient/ScepClient.cs:line 344
   at ScepClient.ScepClient.Main(String[] args) in /home/aitzol/scepman/scepclient/ScepClient.cs:line 92
Aborted (core dumped)
```

Can you help me with this? Would it be possible to have a Linux client?

Kind regards,

bb-froggy commented 1 year ago

Hi aitzubi,

we have a customer that reported using ScepClient on Linux. Maybe the error message is misleading ... the problem of the untrusted CA is quite common and I wanted to give users a hint on what they should do to fix it. I targeted the error message at Windows users because that's the usual use case.

The error message appears if the SCEPman CA certificate is not trusted on the machine. I am not sure how Linux determines which Root CAs are trusted and which are not. Possibly, you find that out given this explanation of the error? @gk-fschubert, do you know this?

And you do not necessarily need to compile it specifically for Ubuntu. You might also create an OS-independent version that requires dotnet to be installed on the machine and which runs on any OS. I will add one to the releases.

aitzubi commented 1 year ago

Hi @bb-froggy ,

I've added our CA certificate to the Ubuntu machine using the update-ca-certificates command. It is added correctly.

And I've compiled scepclient for the linux-x64 architecture.

The thing is that it throws the error above but does not generate the certs.

gk-fschubert commented 1 year ago

They are placed here: /etc/ssl/certs/ca-certificates.crt

aitzubi commented 1 year ago

yes, after running update-ca-certificates it adds the CA cert to that file and that folder.

But somehow, scepclient does not detect the CA certificate.

I am assuming that it throws that error because it needs the CA certificate from our SCEPman installation. Or is it asking about the app service certificate of the endpoint?

bb-froggy commented 1 year ago

It is the CA certificate of the SCEPman installation. Does SCEPman use a Root CA directly (the default) or does it use an Intermediate CA certificate?

I have just checked that this works with an Ubuntu distribution on WSL. I could reproduce the error when SCEPman's CA certificate was not in /etc/ssl/cert/ca-certificates.crt and was able to fix it by adding it with update-ca-certificates. However, the CA certificate needed to be in PEM format. When downloading the CA certificate from the SCEPman homepage, it is DER-encoded, so I first had to convert it. When adding the DER-encoded certificate, update-ca-certificates printed out a warning, but still reported that a certificate was added (and indeed, the /etc/ssl/cert/ca-certificates.crt did contain the DER-encoded certificate), but this still produces the error you are seeing. Could this be your problem, too?
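The two things this comment turns on are the encoding of the CA certificate (update-ca-certificates only merges PEM into ca-certificates.crt, so a DER file lands in the bundle but is never parsed) and whether the .NET process actually ends up trusting it. The following C# program is an added example written for this thread; it is not scepclient code and not the diagnostic commit mentioned later in the issue. It assumes .NET 5 or later (for X509Certificate2.CreateFromPem and X509ChainTrustMode.CustomRootTrust), and the file paths and the program name CaTrustCheck are placeholders. It loads a CA certificate in either DER or PEM form, writes the PEM form that update-ca-certificates expects, and then builds an X509Chain against the trust store .NET sees on this machine, printing the chain status so the "not trusted" error can be traced to a concrete cause (UntrustedRoot, PartialChain for an intermediate whose root is missing, NotTimeValid, and so on).

```csharp
// Added example, not part of scepclient: check whether a SCEPman CA
// certificate is trusted by the running .NET process and emit it as PEM.
// Assumes .NET 5+; file names on the command line are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CaTrustCheck
{
    // Accepts either the DER-encoded download from the SCEPman homepage
    // or an already converted PEM file.
    static X509Certificate2 LoadCertificate(string path)
    {
        var text = File.ReadAllText(path);
        if (text.Contains("-----BEGIN CERTIFICATE-----"))
            return X509Certificate2.CreateFromPem(text);
        return new X509Certificate2(File.ReadAllBytes(path));
    }

    // PEM = base64 of the DER bytes, wrapped at 64 columns (RFC 7468).
    // This is the form to drop into /usr/local/share/ca-certificates/<name>.crt
    // before running update-ca-certificates.
    static string ToPem(X509Certificate2 cert)
    {
        var b64 = Convert.ToBase64String(cert.RawData);
        var sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < b64.Length; i += 64)
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append('\n');
        return sb.Append("-----END CERTIFICATE-----\n").ToString();
    }

    // Chain build against the store .NET uses. On Linux that store is
    // assembled from OpenSSL's default locations (SSL_CERT_FILE / SSL_CERT_DIR
    // if set, otherwise the distribution defaults such as /etc/ssl/certs),
    // not from the Windows "Trusted Root" store named in the error message.
    static bool IsTrusted(X509Certificate2 cert, out X509ChainStatus[] status)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(cert);
        status = chain.ChainStatus;
        return ok;
    }

    // Same build with the certificate pinned as the only trusted root.
    // Success here plus failure above means the file is a valid CA cert and
    // the problem is purely that the system store does not contain it.
    static bool IsValidAsRoot(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(cert);
        return chain.Build(cert);
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: CaTrustCheck <ca.cer|ca.pem> [out.pem]");
            return 2;
        }

        var ca = LoadCertificate(args[0]);
        Console.WriteLine($"Subject:     {ca.Subject}");
        Console.WriteLine($"Issuer:      {ca.Issuer}");
        Console.WriteLine($"SHA-256:     {ca.GetCertHashString(HashAlgorithmName.SHA256)}");
        Console.WriteLine($"Self-signed: {ca.Subject == ca.Issuer}");

        if (args.Length > 1)
        {
            File.WriteAllText(args[1], ToPem(ca));
            Console.WriteLine($"Wrote PEM to {args[1]}");
        }

        bool trusted = IsTrusted(ca, out var status);
        Console.WriteLine($"Trusted by this .NET process: {trusted}");
        foreach (var s in status)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");

        if (!trusted && IsValidAsRoot(ca))
            Console.WriteLine("Valid as a root, but absent from the store .NET reads " +
                              "(check SSL_CERT_FILE / SSL_CERT_DIR and ca-certificates.crt).");
        return trusted ? 0 : 1;
    }
}
```

If SCEPman is configured with an intermediate CA rather than a root, IsTrusted only succeeds when the issuing root is in the system store as well; the status list then shows PartialChain rather than UntrustedRoot, which distinguishes the two configurations bb-froggy asks about. Comparing the SHA-256 fingerprint printed here with the certificate that was appended to ca-certificates.crt is the quickest way to confirm the bundle contains the same certificate the client is being offered.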

aitzubi commented 1 year ago

Hi @bb-froggy ,

Yeah, I converted the CA cert to PEM format and I can see it attached to the ca-certificates.crt file (at the very end of the file). But it still complains about the CA Certificate and does not generate the new certs.

I am also using Ubuntu in WSL (Windows 10).

bb-froggy commented 1 year ago

There is now an official Linux release: https://github.com/scepman/scepclient/releases/tag/20221214-1303-linux-core

I find it very unlikely, though, that this release will solve your specific issue. You might still want to try.

I will improve the error analysis and output in error cases to help you find the cause of your problem. Another approach would be to set up a SCEPman instance that we can both access, so we can compare our environments and find the culprit.

bb-froggy commented 1 year ago

I have added some code (7312d8c) to analyze why the CA certificate is not trusted. However, I couldn't test it, because I did not succeed in making my CA certificate untrusted again. I removed it from /etc/ssl/certs/ca-certificates.crt via update-ca-certificates, but it's still working smoothly. So I have the opposite of your case, but it might be the same cause. Effectively, we are both experiencing that the trust in ScepClient (i.e. dotnetcore) seemingly does not reflect the current status of the certificate trust list. Maybe something is cached somewhere? Anyway, I can only look into this tomorrow again. Maybe you make some progress, @aitzubi .

aitzubi commented 1 year ago

Hi @bb-froggy ,

Just tested your new linux release and it works!

I haven't tested your last commit, only the release.

Thank you so much for everything!

bb-froggy commented 1 year ago

Okay, glad to hear ... I improved platform-specific outputs, but I don't know how I could have fixed your issue with my changes; still, I am happy it is resolved now :-).