Non Ubuntu users: System information
Environment
adsys version: 0.13.1
Distribution: Ubuntu
Distribution version: 23.10
Log files
Please redact/remove sensitive information:
INFO Using configuration file: /etc/adsys.yaml
INFO New connection from client [[30870:346192]]
INFO [[30870:346192]] No assets directory with GPT.INI file found on AD, skipping assets download
INFO [[30870:346192]] GPO "Default Domain Policy" is already up to date
INFO [[30870:346192]] GPO "XXX-Rootca" is already up to date
INFO [[30870:346192]] GPO "TEST-LNX" is already up to date
INFO [[30870:346192]] GPO "Autenrollment-lnx" is already up to date
INFO [[30870:346192]] Applying policies for emq-lnx-tst (machine: true)
INFO Error sent to client: error while updating policy: failed to apply policy to "emq-lnx-tst": can't apply certificate policy: failed to run certificate autoenrollment script (exited with -1): signal: killed
Global parameter template homedir found in service section!
2023-12-01 09:42:08.474|[E66544]| Failed to fetch the list of supported templates. | {'Error': '2023-12-01 09:42:08,438 __main__:ERROR:Traceback (most recent call last):
  [same three-level traceback as in the cepces.log excerpt below]
requests.exceptions.SSLError: HTTPSConnectionPool(host='oldcaserver', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))'}
The following error messages are shown in cepces.log:
2023-12-01 09:17:32,169 __main__:ERROR:Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 716, in urlopen
    httplib_response = self._make_request(
                       ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 405, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1061, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
                ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1108, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1379, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 800, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='oldcaserver', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 68, in main
    service = Service(config)
              ^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cepces/core.py", line 90, in __init__
    self._policies = self._xcep.get_policies()
                     ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cepces/xcep/service.py", line 52, in get_policies
    response = self.send(envelope)
               ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cepces/soap/service.py", line 82, in send
    req = requests.post(url=self._endpoint,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/api.py", line 115, in post
    return request("post", url, data=data, json=json, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='oldcaserver', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
The above repeats after about 5 minutes when it tries the subca server.
Application settings
Please redact/remove sensitive information:
ad_backend: winbind
Additional information
getcert list returns 0, but I can see that we have gotten some CA certs downloaded on the server.
in /var/lib/adsys/certs:
'xxx issuing ca.0-3.crt'
in /usr/local/share/ca-certificates/:
'xxx issuing ca.0-3.crt'
'xxx-SUBCA.0-3.crt'
I suspect this is related to a setting in AD telling the clients where they might obtain certificates, as I would think the client should contact the NDES CEP or CES services and not the CA or SUBCA. I would appreciate any pointers to how we can set this up. If someone has a guide, that would be helpful, as I'm not the one setting up the AD services myself.
Double check your logs
I have redacted any sensitive information from the logs
First of all, thanks for your interest in adsys, and for giving the certificates policy a try. Here's the documentation page describing how to set this policy up, along with some external URLs pointing to how to set up AD CS, and some debugging tips: https://canonical-adsys.readthedocs-hosted.com/en/latest/explanation/certificates/
I agree this is very finicky to set up. The way it works under the hood is that adsys sends the domain/realm name to Samba, which figures out the AD controller to perform an LDAP search on in order to get the list of CA servers (objectClass=pKIEnrollmentService). This can be overridden if you specify an advanced configuration for the policy which allows you to specify the CA servers to use (described here).
In your case it looks like the root certificates were properly fetched from NDES, but the CEP and CES servers certificate configuration might not be correct. SSL issues can be easily debugged with curl or openssl:
# bad, root certificate absent or misconfigured
> curl -I https://adc.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# good, no SSL error
> curl -I https://adc.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
HTTP/2 401
content-length: 1293
content-type: text/html
server: Microsoft-IIS/10.0
www-authenticate: Negotiate
x-powered-by: ASP.NET
date: Wed, 06 Dec 2023 09:42:01 GMT
If the certificate is in /usr/local/share/ca-certificates and you still get an SSL error, I would take a look at the root certificate data (e.g. using openssl x509 -text -in /path/to/certificate.crt) and confirm it matches what you expect -- and the certificate offered by the CEP/CES server (openssl s_client -showcerts adc.example.com:443, replace adc with the hostname of the machine that hosts the CEP/CES services).
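The curl and openssl checks in the comment above can be reproduced offline to learn what the two flavours of "unable to get ... issuer certificate" mean. The script below is an added example, not adsys or cepces code and not part of the maintainer's reply: it builds a throwaway Root CA > Issuing CA > server chain with made-up names (Example Root CA, Example Issuing CA, Unrelated Root CA, adc.example.com) and verifies the server certificate with `openssl verify` the way curl and Python's ssl module (both OpenSSL) verify a TLS peer, against trust stores that mirror the situations in this issue. The message in the traceback above, `unable to get local issuer certificate`, is OpenSSL verify error 20: none of the certificates the client could assemble into a chain (the leaf plus whatever the server sent) was found in the trust store the client actually read. Had the store contained the issuing CA but not the root, the error would instead be 2, `unable to get issuer certificate`.

```shell
#!/bin/sh
# Added example (not adsys/cepces code): reproduce this issue's verify failures
# offline with a throwaway Root CA -> Issuing CA -> CEP server chain.
# All names are made up; CEP_HOST stands in for the CEP/CES server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CEP_HOST=adc.example.com
CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'

# EC key + CSR: $1 = file prefix, $2 = CN
mk_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed CA (trust anchor): $1 = prefix, $2 = CN
mk_root() {
  mk_csr "$1" "$2"
  printf '%b' "$CA_EXT" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate signed by another CA: $1 = prefix, $2 = CN, $3 = signer prefix, $4 = extensions
mk_signed() {
  mk_csr "$1" "$2"
  printf '%b' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Verify a leaf the way an OpenSSL client does: $1 = trust store (PEM bundle, like
# /etc/ssl/certs/ca-certificates.crt), $2 = leaf, $3 = intermediates the server would
# send (optional). Prints "ok" or OpenSSL's "error N at D depth lookup: ..." line.
# Hostname matching is not exercised here; only chain building and trust.
verify_leaf() {
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | sed -n '/depth lookup/{p;q;}'
  fi
}

# Issuer DN of a PEM certificate: compare it with the subjects of the files under
# /usr/local/share/ca-certificates to see whether the right CA was installed.
cert_issuer() { openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'; }

mk_root root "Example Root CA"
mk_root other "Unrelated Root CA"          # a bundle holding the wrong CA
mk_signed issuing "Example Issuing CA" root "$CA_EXT"
mk_signed server "$CEP_HOST" issuing "subjectAltName=DNS:$CEP_HOST\nextendedKeyUsage=serverAuth\n"

# Trust stores for the situations a practitioner meets (a bundle is just concatenated PEM).
cat "$WORK/root.crt"    > "$WORK/store-root.pem"
cat "$WORK/issuing.crt" > "$WORK/store-issuing-only.pem"
cat "$WORK/other.crt"   > "$WORK/store-unrelated.pem"

echo "server cert issued by: $(cert_issuer "$WORK/server.crt")"
echo "root trusted, server sends intermediate : $(verify_leaf "$WORK/store-root.pem" "$WORK/server.crt" "$WORK/issuing.crt")"
echo "root trusted, server sends leaf only    : $(verify_leaf "$WORK/store-root.pem" "$WORK/server.crt")"
echo "issuing CA trusted, root missing        : $(verify_leaf "$WORK/store-issuing-only.pem" "$WORK/server.crt" "$WORK/issuing.crt")"
echo "wrong CA in store                        : $(verify_leaf "$WORK/store-unrelated.pem" "$WORK/server.crt" "$WORK/issuing.crt")"
```

Against the real CEP host the same check is: capture what the server sends with `openssl s_client -showcerts -connect adc.example.com:443 </dev/null`, save the first PEM block as the leaf and the rest as intermediates, and run `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted intermediates.pem leaf.pem`. That bundle is what curl reads, and on Ubuntu the packaged python3-requests that cepces runs on is pointed at the same bundle; the `.crt` files dropped under /usr/local/share/ca-certificates/ only land in it after `update-ca-certificates` has run. If `cert_issuer` on the leaf (and on each intermediate) names a CA whose subject matches none of the installed files, the certificate bound to the CEP/CES site comes from a CA you have not installed, which adsys cannot fix on its own.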
Is there an existing issue for this?
Describe the issue
Cert enrollment is not working, certificate errors.
Steps to reproduce it
Follow the tutorial for setting up adsys with winbind.
Installing and configuring the roles in AD.
Ubuntu users: System information
ubuntu-bug adsys --save=bug_report.txt
MoTTY X11 proxy: Unsupported authorisation protocol
MoTTY X11 proxy: Unsupported authorisation protocol
(apport-gtk:28587): Gtk-CRITICAL **: 09:21:27.637: _gtk_css_lookup_resolve: assertion '(((extension ({ GTypeInstance __inst = (GTypeInstance) ((provider)); GType __t = ((_gtk_style_provider_private_get_type ())); gboolean __r; if (!__inst) __r = (0); else if (__inst->g_class && __inst->g_class->g_type == __t) __r = (!(0)); else __r = g_type_check_instance_is_a (__inst, __t); __r; }))))' failed
/usr/share/apport/apport-gtk:72: Warning: g_object_set_data_full: assertion 'G_IS_OBJECT (object)' failed
self.widgets.add_from_file(
(apport-gtk:28587): Gtk-ERROR **: 09:21:27.637: Can't create a GtkStyleContext without a display connection
Trace/breakpoint trap (core dumped)