lithnet/access-manager

[HELP] Cannot connect Ubuntu Agent SSL Error

jwindfelder opened this issue · 14 comments

Hello, I am unable to connect any Ubuntu agent to the Lithnet Access Manager with the Linux Agent. I am able to install the agent and run the setup script, however we are seeing the following error in the logs of the Agent. We are running Ubuntu 22.04.3 LTS and the Access Manager is running on a Windows 2022 Standard Server 21H2 LAPS Access Manager Version is 2.0.9430.0. Thank you!


Lithnet.AccessManager.Agent.AmsLapsAgent[0] Unable to connect to server System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)    --- End of inner exception stack trace ---    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)    at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)    at 
System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)    at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)    at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)    at Lithnet.AccessManager.Agent.Shared.Providers.ApiVersionResolver.GetApiVersion() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/ApiVersionResolver.cs:line 61    at Lithnet.AccessManager.Agent.Shared.Providers.ApiVersionResolver.GetApiVersionAsync() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/ApiVersionResolver.cs:line 41    at Lithnet.AccessManager.Agent.HostBuilderExtensions.BuildBaseUriVersionedAsync(IServiceProvider serviceProvider) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Extensions/HostBuilderExtensions.cs:line 108    at Lithnet.AccessManager.Agent.HostBuilderExtensions.<>c.<ConfigureAccessManagerAgent>b__2_6(IServiceProvider serviceProvider, HttpClient c) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Extensions/HostBuilderExtensions.cs:line 73    at Microsoft.Extensions.DependencyInjection.HttpClientBuilderExtensions.<>c__DisplayClass1_1.<ConfigureHttpClient>b__2(HttpClient client)    at Microsoft.Extensions.Http.DefaultHttpClientFactory.CreateClient(String name)    at Lithnet.AccessManager.Agent.Providers.AmsApiHttpClient.get_BaseAddress() in 
/home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/AmiApiHttpClient.cs:line 31    at Lithnet.AccessManager.Agent.Providers.AmsApiHttpClient.BuildUrl(String path) in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/AmiApiHttpClient.cs:line 40    at Lithnet.AccessManager.Agent.Providers.RegistrationProvider.GetRegistrationResponse() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/RegistrationProvider.cs:line 54    at Lithnet.AccessManager.Agent.Providers.RegistrationProvider.RegisterAgent() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/Providers/RegistrationProvider.cs:line 34    at Lithnet.AccessManager.Agent.AmsLapsAgent.CanContinueAms() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 221    at Lithnet.AccessManager.Agent.AmsLapsAgent.CanContinue() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 149    at Lithnet.AccessManager.Agent.AmsLapsAgent.DoCheckAsync() in /home/vsts/work/1/s/src/Lithnet.AccessManager/Lithnet.AccessManager.Agent/AmsLapsAgent.cs:line 50

Hi @jwindfelder

It looks like the OS is unable to validate the TLS certificate used by the AMS server.

The remote certificate is invalid because of errors in the certificate chain: PartialChain

Is it a self signed certificate or from an internal CA? You'll need to add it to the openssl trust store.

https://ubuntu.com/server/docs/security-trust-store

You can use the verify command from OpenSSL to test the certificate trust outside of access manager, which should give you a bit more information about what specifically is wrong.

https://docs.lithnet.io/ams/installation/installing-the-access-manager-agent/installing-the-access-manager-agent-linux#prerequisites

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

I tried to install the cert to the client (running Ubuntu) and it did not work. It seems like it installed fine, however I try to setup LAPS again and it still fails to establish a secure connection.

I have the AMS server running on Windows Server 2022, how should I extract the cert from there to place onto the clients?


Hi any updates?

Hi @jwindfelder,

.NET will use the Ubuntu certificate trust store to validate that the certificate matches.

One simple way to test whether the certificate is trusted is to run:

curl -vvv https://<your_access_manager_ip>/api

If you notice that this command outputs a certificate trust error, it indicates that the certificate is trusted in the OS certificate store.


If the certificate on your AMS server is signed by an internal CA, you will need to import the corresponding CA certificate into the OS trust store.

From the Ubuntu documentation:

To install a certificate in the trust store it must be in PEM form. A PEM-formatted certificate is human-readable in base64 format, and starts with the lines ----BEGIN CERTIFICATE----. If you see these lines, you’re ready to install. If not, it is most likely a DER certificate and needs to be converted.

Assuming a PEM-formatted root CA certificate is in local-ca.crt, follow the steps below to install it.

Note: It is important to have the .crt extension on the file, otherwise it will not be processed.

$ sudo apt-get install -y ca-certificates
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates

Let us know if this fixes your issue!

I just installed the .crt file in PEM format. When I make a request to the server with CURL I get a good response (see below). However when I try to reconfigure the AMS agent it throws the same SSL error.


Hi @jwindfelder, that's very strange!

If you look at the certificate in the browser, are there any intermediate certificates in the path?

You may need to import the intermediate certificate into the store too. It seems .NET is unable to validate the full chain.

Let me know if this changes the agent's response - in the meantime I will investigate whether this is something we can change in the agent itself.

Cheers

Looks like there is no other cert.


@jwindfelder was this a self-signed certificate generated via PowerShell?

@jwindfelder the AMS doesn't provide a mechanism to generate certificates.

The reason I ask is that self signed certificates generated from PowerShell are known to have issues being added to the trust store on Linux. They are missing an attribute needed to be recognised as a CA cert.
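The three checks raised in this thread (PEM vs. DER, the `.crt` extension `update-ca-certificates` requires, and the CA attribute that PowerShell self-signed certificates lack) can be run on a CA file before copying it into the trust store. The script below is an added example, not code from the lithnet/access-manager project; it assumes OpenSSL is installed and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from lithnet/access-manager): pre-flight checks for a CA
# certificate before it goes into /usr/local/share/ca-certificates.
# Assumes openssl and grep are available; file and host names are placeholders.

# check_ca_pem FILE: 0 if FILE looks like a usable PEM trust anchor,
#   1 if it is not PEM (probably DER and needs converting),
#   2 if it has no basicConstraints CA:TRUE extension (the attribute missing
#     from PowerShell self-signed certs, so Linux will not treat it as a CA),
#   3 if the name does not end in .crt (update-ca-certificates skips it).
check_ca_pem() {
    f="$1"
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$f: not PEM; convert with: openssl x509 -inform der -in $f -out ${f%.*}.crt" >&2
        return 1
    fi
    # -text prints "X509v3 Basic Constraints: ..." followed by a CA:TRUE/CA:FALSE line
    if ! openssl x509 -in "$f" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "$f: no basicConstraints CA:TRUE; the trust store will not accept it as a CA" >&2
        return 2
    fi
    case "$f" in
        *.crt) ;;
        *) echo "$f: rename to a .crt extension before running update-ca-certificates" >&2
           return 3 ;;
    esac
    return 0
}

# server_chain_ok HOST:PORT CAFILE: 0 if the chain the server sends verifies
# against CAFILE. Same question as the curl -vvv test in the thread, but it
# reports only the TLS verdict; a failure here matches the agent's PartialChain
# error (the chain could not be built up to a trusted root).
server_chain_ok() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (placeholder names):
#   check_ca_pem local-ca.crt && sudo cp local-ca.crt /usr/local/share/ca-certificates/ \
#       && sudo update-ca-certificates
#   server_chain_ok ams.example.internal:443 /etc/ssl/certs/ca-certificates.crt
```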
