Error with --principals CA parameter
adam-kosseck opened this issue · 3 comments
Following setup instructions in the cepces project's readme.rst I add a cepces-ca like this:
getcert add-ca -c cepces-ca -e '/usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$@TEST.LOCAL'
This then shows up under getcert:
CA 'cepces-ca':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$@TEST.LOCAL
However when I try to generate a cert request it fails:
Oct 31 14:21:23 vm1 certmonger[1936]: 2022-10-31 14:21:23,777 __main__:ERROR:Traceback (most recent call last):
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/libexec/certmonger/cepces-submit", line 64, in main
Oct 31 14:21:23 vm1 certmonger[1936]: krb5_overrides=krb5_overrides)
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/lib/python3.6/site-packages/cepces/config.py", line 144, in load
Oct 31 14:21:23 vm1 certmonger[1936]: config['kerberos'][key] = val
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/lib64/python3.6/configparser.py", line 1238, in __setitem__
Oct 31 14:21:23 vm1 certmonger[1936]: return self._parser.set(self._name, key, value)
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/lib64/python3.6/configparser.py", line 1193, in set
Oct 31 14:21:23 vm1 certmonger[1936]: super().set(section, option, value)
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/lib64/python3.6/configparser.py", line 894, in set
Oct 31 14:21:23 vm1 certmonger[1936]: value)
Oct 31 14:21:23 vm1 certmonger[1936]: File "/usr/lib64/python3.6/configparser.py", line 463, in before_set
Oct 31 14:21:23 vm1 certmonger[1936]: "position %d" % (value, tmp_value.find('$')))
Oct 31 14:21:23 vm1 certmonger[1936]: ValueError: invalid interpolation syntax in 'VM1$@TEST.LOCAL' at position 3
For reference the keytab is like this:
[root@vm1 log]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 27/10/22 15:48:51 VM1$@TEST.LOCAL
2 27/10/22 15:48:51 VM1$@TEST.LOCAL
2 27/10/22 15:48:51 host/VM1@TEST.LOCAL
2 27/10/22 15:48:51 host/VM1@TEST.LOCAL
2 27/10/22 15:48:51 host/vm1.test.local@TEST.LOCAL
2 27/10/22 15:48:51 host/vm1.test.local@TEST.LOCAL
2 27/10/22 15:48:51 RestrictedKrbHost/VM1@TEST.LOCAL
2 27/10/22 15:48:51 RestrictedKrbHost/VM1@TEST.LOCAL
2 27/10/22 15:48:51 RestrictedKrbHost/vm1.test.local@TEST.LOCAL
2 27/10/22 15:48:51 RestrictedKrbHost/vm1.test.local@TEST.LOCAL
If I add the CA without the --principals option, I do not get this error.
This is on a RHEL 8.6 system, running cepces 0.3.5-6.el8.noarch.
Oh, it's because it's trying to do a string replace on 'principals'. The 'principals' keyword isn't supposed to be the actual principal, but a matching string. Take a look at cepces.conf:
# A list of principals to try when requesting a ticket.
#
# Default: <empty list>
principals=
${shortname}$$
${SHORTNAME}$$
host/${SHORTNAME}
host/${fqdn}
So in your example, you would want to either set --principals='host/${fqdn}', or just leave out that parameter and let it do automatic matching.
I think you can work around this by instead using '$$' in the principal name:
getcert add-ca -c cepces-ca -e '/usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab --principals=VM1$$@TEST.LOCAL'
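As an added illustration (not code from the issue or from cepces itself), this reproduces the ConfigParser ExtendedInterpolation behaviour the traceback shows, run over the three forms discussed above: the bare `$` that fails in `before_set`, the `$$` escape, and the `${...}` templates from cepces.conf. The `shortname`/`fqdn` values are constructed stand-ins for the host's own names, and keeping option names case-sensitive is this example's choice so that both `shortname` and `SHORTNAME` can be defined side by side.

```python
import configparser

# Constructed sample values standing in for the host's own names; in cepces
# these come from the machine the helper runs on.
SHORTNAME = "vm1"
FQDN = "vm1.test.local"


def set_principals(value):
    """Assign a --principals value into a cepces-style [kerberos] section.

    Mirrors the path in the traceback: config['kerberos'][key] = val goes
    through ExtendedInterpolation.before_set(), which rejects a bare '$' and
    accepts only '$$' (a literal dollar) or '${name}' (a reference).
    """
    config = configparser.ConfigParser(
        interpolation=configparser.ExtendedInterpolation())
    config.optionxform = str  # keep 'shortname' and 'SHORTNAME' distinct
    config["kerberos"] = {
        "shortname": SHORTNAME,
        "SHORTNAME": SHORTNAME.upper(),
        "fqdn": FQDN,
    }
    config["kerberos"]["principals"] = value  # ValueError on a bare '$'
    return config


def expand_principals(value):
    """Return the candidate principals after interpolation, one per line."""
    config = set_principals(value)
    raw = config["kerberos"]["principals"]  # interpolation happens on read
    return [line.strip() for line in raw.splitlines() if line.strip()]


def check_value(value):
    """Return (ok, result): the expanded list, or the ValueError message."""
    try:
        return True, expand_principals(value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The failing form from the issue, the '$$' workaround, and the
    # cepces.conf template list.
    for candidate in ("VM1$@TEST.LOCAL",
                      "VM1$$@TEST.LOCAL",
                      "\n${shortname}$$\n${SHORTNAME}$$\n"
                      "host/${SHORTNAME}\nhost/${fqdn}"):
        print(repr(candidate), "->", check_value(candidate))
```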
Ok, if it's a usage issue then the docs need to be updated:
- README.rst: under the configuration section
- Wiki Scenarios page: under "Configure Cepces"