search

ubuntu / adsys

Active Directory bridging tool suite
GNU General Public License v3.0
198 stars 51 forks source link

Certificate auto-enrollment not working on 24.04 #1106

Open falencastro opened 4 days ago

falencastro commented 4 days ago

Is there an existing issue for this?

Describe the issue

Certificate auto-enrollment is not working on Ubuntu Noble, due to python3-cepces calling a deprecated method from cryptography.

journalctl -u certmonger

Sep 17 16:33:49 server1.domain1.local certmonger[37970]: 2024-09-17 16:33:49,102 __main__:ERROR:Traceback (most recent call last):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/libexec/certmonger/cepces-submit", line 72, in main
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     result = operation()
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 254, in __call__
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     certs = list(self._service.certificate_chain or [])
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 161, in certificate_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     return reversed(self._resolve_chain(data))
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                     ^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 325, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     parent = self._resolve_chain(r.text, cert)
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 295, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     elif self._verify_certificate_signature(child, cert):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

Env:

OS:                     Ubuntu 24.04.1 LTS
Python:                 3.12.3
python3-cepces:         0.3.7-0ubuntu1
python3-cryptography:   41.0.7-4ubuntu0.1

Issue upstream: https://github.com/openSUSE/cepces/issues/41 LP report: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751

Steps to reproduce it

  1. adsysctl policy debug cert-autoenroll-script
  2. chmod +x ./cert-autoenroll
  3. export PYTHONPATH=/usr/share/adsys/python
  4. export KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)
  5. ./cert-autoenroll enroll server1 domain1.local --debug

Ubuntu users: System information

No response

Non Ubuntu users: System information

No response

Additional information

No response

Double check your logs

didrocks commented 2 days ago

thanks @falencastro for reporting this bug, isolating the issue and fixing it upstream!

It seems we need to then backport this patch to python-cepces package against ubuntu on launchpad (https://launchpad.net/ubuntu/+source/python-cepces)? That will help us starting the Stable Release Upgrade process to backport the fix to 24.04 and oracular. You can link it here then and we will ensure this gets in.

Thanks again for the report and you digging into it!

falencastro commented 2 days ago

I opened a case with Canonical support and they created a lp for it: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751

Thx!

didrocks commented 2 days ago

Thanks a lot! We are looking why our end to end tests, which are running on noble and testing certificates didn’t catch it. Thanks again for the report. I’m keeping it opened to track that the cepces part is going under way in ubuntu.