Certificate auto-enrollment not working on 24.04
Opened this issue · 3 comments
Is there an existing issue for this?
- I have searched the existing issues and found none that matched mine
Describe the issue
Certificate auto-enrollment is not working on Ubuntu Noble, due to python3-cepces calling a deprecated method from cryptography.
journalctl -u certmonger
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: 2024-09-17 16:33:49,102 __main__:ERROR:Traceback (most recent call last):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/libexec/certmonger/cepces-submit", line 72, in main
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: result = operation()
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 254, in __call__
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: certs = list(self._service.certificate_chain or [])
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 161, in certificate_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: return reversed(self._resolve_chain(data))
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 325, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: parent = self._resolve_chain(r.text, cert)
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 295, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: elif self._verify_certificate_signature(child, cert):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
Env:
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
Issue upstream: openSUSE/cepces#41
LP report: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751
Steps to reproduce it
- adsysctl policy debug cert-autoenroll-script
- chmod +x ./cert-autoenroll
- export PYTHONPATH=/usr/share/adsys/python
- export KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)
- ./cert-autoenroll enroll server1 domain1.local --debug
Ubuntu users: System information
No response
Non Ubuntu users: System information
No response
Additional information
No response
Double check your logs
- I have redacted any sensitive information from the logs
Thanks @falencastro for reporting this bug, isolating the issue and fixing it upstream!
It seems we then need to backport this patch to the python-cepces package against Ubuntu on Launchpad (https://launchpad.net/ubuntu/+source/python-cepces)? That will help us start the Stable Release Upgrade process to backport the fix to 24.04 and oracular. You can link it here then and we will ensure this gets in.
Thanks again for the report and for digging into it!
I opened a case with Canonical support and they created an LP for it: https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751
Thanks!
Thanks a lot! We are looking into why our end-to-end tests, which are running on Noble and testing certificates, didn’t catch it. Thanks again for the report. I’m keeping it open to track that the cepces part gets under way in Ubuntu.
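The traceback in the report fails at `issuer_public_key.verifier(`, a method the installed cryptography no longer provides. As an added example (not the cepces code and not the upstream patch), this is a chain-signature check written against the one-shot `verify()` API; the helper names and the certificates are constructed for illustration, and RSA signatures are assumed to use PKCS#1 v1.5 padding.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def signed_by(child, issuer):
    """Return True if child's signature verifies under issuer's public key."""
    key = issuer.public_key()
    algo = child.signature_hash_algorithm
    try:
        if isinstance(key, rsa.RSAPublicKey):
            # Assumption: PKCS#1 v1.5; RSA-PSS certificates need padding.PSS.
            key.verify(child.signature, child.tbs_certificate_bytes,
                       padding.PKCS1v15(), algo)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            key.verify(child.signature, child.tbs_certificate_bytes,
                       ec.ECDSA(algo))
        else:
            return False  # other key types are out of scope here
    except InvalidSignature:
        return False
    return True


def make_cert(subject_cn, issuer_cn, public_key, signing_key):
    """Build a constructed test certificate (sample data, not a real PKI)."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime(2024, 9, 17)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))


def demo():
    """Return (leaf under its CA, leaf under unrelated CA, EC self-signed)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    bad_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Constructed CA", "Constructed CA", ca_key.public_key(), ca_key)
    bad = make_cert("Unrelated CA", "Unrelated CA", bad_key.public_key(), bad_key)
    leaf = make_cert("server1", "Constructed CA", ec_key.public_key(), ca_key)
    ec_ca = make_cert("EC CA", "EC CA", ec_key.public_key(), ec_key)
    return signed_by(leaf, ca), signed_by(leaf, bad), signed_by(ec_ca, ec_ca)
```

`verify()` raises `InvalidSignature` on a mismatch instead of returning a value, so the chain resolver has to catch it rather than test a boolean.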