
cepces's Introduction

CEP/CES Certificate Enrollment

cepces is an application for enrolling certificates through CEP and CES. It requires certmonger to operate.

Only simple deployments using Microsoft Active Directory Certificate Services have been tested.

For more up-to-date information and further documentation, please visit the project's home page at: https://github.com/openSUSE/cepces

Requirements

This application uses two SOAP endpoints over HTTPS provided by Microsoft Active Directory Certificate Services. Currently, only Kerberos authentication is supported. Therefore, the client has to be a Windows Domain Member with a valid Kerberos keytab.

cepces is implemented in Python and requires at least Python 3.4 in order to run, with all the required dependencies.

Installation

cepces is currently supported on any system (well, not really) with:

  • Python 3.4 or later
  • Python dependencies specified in requirements.txt
  • certmonger

If available, it is recommended to use a repository for installing the application and all dependencies. Please consult the project's wiki for more information on what distributions are supported and have repositories provided.

Download and unpack a release tarball and issue these commands from within the extracted directory:

# pip3 install -r requirements.txt
# python3 setup.py install

Configuration

Once installed, one configuration file must be edited before certificate enrollment can work, and some system configuration files outside cepces may need changes as well.

The configuration file should be available in the /etc/cepces directory, possibly with a ".dist" extension. If that is the case, drop the ".dist" extension by copying (or renaming) the file (i.e. cepces.conf.dist should be named cepces.conf).

Alternatively, some configuration options can be specified from the command line when adding a CA to certmonger. For example:

getcert add-ca -c CA-name -e '/usr/libexec/certmonger/cepces-submit --server=ca-dns-name.suse.de --keytab=/etc/krb5.keytab [email protected]'

cepces.conf

This is the main configuration file. It is fairly small and only requires two settings to be changed (server or endpoint, and cas).

endpoint should be set to the CEP endpoint, whereas cas should point to a directory containing all CA certificates in your chain (if the version of the python-requests package is recent enough), or preferably a bundle file containing all CA certificates in the chain.

Usage

certmonger should have a CA already configured after the packages were installed:

# getcert list-cas
...
CA 'cepces':
   is-default: no
   ca-type: EXTERNAL
   helper-location: /usr/libexec/certmonger/cepces-submit

Use this CA configuration as with any other. Please consult the official certmonger documentation for instructions.

Example: Requesting a Machine Certificate

If the current workstation is entitled to enroll "Workstation certificates" from a CA (with the identifier Machine), use the following command to issue and track a new certificate:

# getcert request -c cepces -T Machine -I MachineCertificate -k /etc/pki/tls/private/machine.key -f /etc/pki/tls/certs/machine.crt
New signing request "MachineCertificate" added.

The certificate should now be submitted to the CA. Verify the progress with:

# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
        status: SUBMITTING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/machine.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/machine.crt'
        CA: cepces
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

After a few moments, once the CA has successfully processed the request, the certificate should be issued and monitored by certmonger:

# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/machine.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/machine.crt'
        CA: cepces
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

cepces's People

Contributors: cryptomilk, definite, dirkmueller, dmulder, falencastro, g-t-u, hansjoachimknobloch, jamescassell, randomizer3000, tuurtje, ufven

cepces's Issues

Wiki and documentation update/expansion

Summary: Can I please request an update to the wiki/documentation and some assistance?

For the last few days I've been trying to set up and document a test environment to test cepces and have been running into issues.

When trying to refer to the wiki documentation it seems to be quite out of date.
e.g.:

  • The wiki mentions a file that doesn't exist anymore (cepces-submit.conf.dist) and doesn't mention the logging.conf.dist file.
  • Best practice for pip3 usage is now python3 -m pip xxx
  • Python requirements have changed
  • Updates for RHEL 8/9, Ubuntu 18/20/22.
  • The scenarios page is missing.
  • Only tested against Windows Server 2012.

I've drafted a build instruction which covers:

  • Building 3x Windows Server 2022 VMs
    ** Configuring the first as an Active Directory Domain Controller
    ** Configuring the second as a CA
    ** Configuring the third as a member server, to test CEP from Windows
  • Building a RHEL 8 server VM
    ** Joining to AD
    ** Installing certmonger, cepces and all requirements
    ** Configuring cepces

Unfortunately my instruction is incomplete. The Windows side seems to be 95% as Windows cert enrollment clients are working, however certificate requests on RHEL 8 are failing with a 401 "unauthorized for url" error when pointing to the CA CEP_kerberos endpoint. I'm at a loss as to how to proceed.

I think my document would form a great basis for your missing wiki "Scenarios" page, if it can be finished. Is there anyone who would be willing to help me fix & finalise my configuration and adapt the documentation I have written so that it is suitable for this wiki?

Certmonger issues after adding ca

Output from certmonger service in Ubuntu 22

Dec 07 21:50:50 selt20809 certmonger[22025]:     raise RuntimeError(
Dec 07 21:50:50 selt20809 certmonger[22025]: RuntimeError: Missing "global/endpoint" variable in configuration.
Dec 07 21:50:55 selt20809 certmonger[22258]: Traceback (most recent call last):
Dec 07 21:50:55 selt20809 certmonger[22258]:   File "/home/pge/cepces/bin/cepces-submit", line 64, in main
Dec 07 21:50:55 selt20809 certmonger[22258]:     config = Configuration.load(global_overrides=global_overrides,
Dec 07 21:50:55 selt20809 certmonger[22258]:   File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 156, in load
Dec 07 21:50:55 selt20809 certmonger[22258]:     return Configuration.from_parser(config)
Dec 07 21:50:55 selt20809 certmonger[22258]:   File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 170, in from_p>
Dec 07 21:50:55 selt20809 certmonger[22258]:     raise RuntimeError(
Dec 07 21:50:55 selt20809 certmonger[22258]: RuntimeError: Missing "global/endpoint" variable in configuration.

Error with --principals CA parameter

Following setup instructions in the cepces project's readme.rst I add a cepces-ca like this:
getcert add-ca -c cepces-ca -e '/usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab [email protected]'

This then shows up under getcert:

CA 'cepces-ca':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab [email protected]

However when I try to generate a cert request it fails:

Oct 31 14:21:23 vm1 certmonger[1936]: 2022-10-31 14:21:23,777 __main__:ERROR:Traceback (most recent call last):
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/libexec/certmonger/cepces-submit", line 64, in main
Oct 31 14:21:23 vm1 certmonger[1936]:    krb5_overrides=krb5_overrides)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib/python3.6/site-packages/cepces/config.py", line 144, in load
Oct 31 14:21:23 vm1 certmonger[1936]:    config['kerberos'][key] = val
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 1238, in __setitem__
Oct 31 14:21:23 vm1 certmonger[1936]:    return self._parser.set(self._name, key, value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 1193, in set
Oct 31 14:21:23 vm1 certmonger[1936]:    super().set(section, option, value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 894, in set
Oct 31 14:21:23 vm1 certmonger[1936]:    value)
Oct 31 14:21:23 vm1 certmonger[1936]:  File "/usr/lib64/python3.6/configparser.py", line 463, in before_set
Oct 31 14:21:23 vm1 certmonger[1936]:    "position %d" % (value, tmp_value.find('$')))
Oct 31 14:21:23 vm1 certmonger[1936]: ValueError: invalid interpolation syntax in '[email protected]' at position 3

For reference the keytab is like this:

[root@vm1 log]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 27/10/22 15:48:51 [email protected]
   2 27/10/22 15:48:51 [email protected]
   2 27/10/22 15:48:51 host/[email protected]
   2 27/10/22 15:48:51 host/[email protected]
   2 27/10/22 15:48:51 host/[email protected]
   2 27/10/22 15:48:51 host/[email protected]
   2 27/10/22 15:48:51 RestrictedKrbHost/[email protected]
   2 27/10/22 15:48:51 RestrictedKrbHost/[email protected]
   2 27/10/22 15:48:51 RestrictedKrbHost/[email protected]
   2 27/10/22 15:48:51 RestrictedKrbHost/[email protected]

If I add the CA without the --principals option, I do not get this error.

This is on a RHEL 8.6 system, running cepces 0.3.5-6.el8.noarch
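The `$` handling behind this error, as an added example that is not cepces' own code: it parses a constructed cepces.conf-style file with Python's configparser.ExtendedInterpolation (the ${server} and $$ syntax in the README's Configuration section and in the configurations on this page), and shows why a command-line value with a bare `$`, such as a computer-account principal, must be escaped to `$$` before it is stored. It assumes that shortname/SHORTNAME/fqdn are supplied as DEFAULT values and that option names are case-sensitive; both are assumptions, not verified cepces behaviour.

```python
"""Parse a cepces-style cepces.conf with configparser.ExtendedInterpolation.

Added example, not code from the cepces project. Assumptions (see lead-in):
cepces.conf is read with ExtendedInterpolation, shortname/SHORTNAME/fqdn are
provided as DEFAULT values, and option names are case-sensitive.
"""
import configparser

# Constructed sample following the cepces.conf layout shown on this page.
SAMPLE_CONF = """\
[global]
server=ca.example.test
type=Policy
auth=Kerberos
endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
poll_interval=3600

[kerberos]
realm=EXAMPLE.TEST
ccache=True
principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}
"""


def load_config(text, shortname="vm1", fqdn="vm1.example.test"):
    """Build a parser whose ${shortname}, ${SHORTNAME} and ${fqdn} references
    resolve to host-derived values (assumed mechanism, see lead-in)."""
    parser = configparser.ConfigParser(
        interpolation=configparser.ExtendedInterpolation())
    # Keep option names case-sensitive so that ${shortname} and ${SHORTNAME}
    # stay distinct; the default optionxform would lowercase both.
    parser.optionxform = str
    parser.read_dict({"DEFAULT": {"shortname": shortname.lower(),
                                  "SHORTNAME": shortname.upper(),
                                  "fqdn": fqdn}})
    parser.read_string(text)
    return parser


def endpoint_url(parser):
    """The CEP endpoint after ${server} and ${auth} substitution."""
    return parser.get("global", "endpoint")


def principals(parser):
    """The multi-line principals value as a list. Each '$$' has become a
    literal '$', giving computer-account names (VM1$) as found in AD keytabs."""
    raw = parser.get("kerberos", "principals")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def set_override(parser, section, key, raw_value):
    """Store a command-line value such as --principals=VM1$@REALM.

    A bare '$' is interpolation syntax, so ConfigParser.set() rejects it
    (the ValueError in the --principals report above); escaping it to '$$'
    stores the literal value. Returns the value as read back.
    """
    parser.set(section, key, raw_value.replace("$", "$$"))
    return parser.get(section, key)


def unescaped_override_error(parser, section, key, raw_value):
    """Reproduce the failure mode: return the ValueError message ConfigParser
    raises when the raw value is stored without escaping, or None."""
    try:
        parser.set(section, key, raw_value)
    except ValueError as exc:
        return str(exc)
    return None
```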

AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

journalctl -u certmonger output:

Sep 17 16:33:49 server1.domain1.local certmonger[37970]: 2024-09-17 16:33:49,102 __main__:ERROR:Traceback (most recent call last):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/libexec/certmonger/cepces-submit", line 72, in main
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     result = operation()
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 254, in __call__
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     certs = list(self._service.certificate_chain or [])
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 161, in certificate_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     return reversed(self._resolve_chain(data))
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                     ^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 325, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     parent = self._resolve_chain(r.text, cert)
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 295, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     elif self._verify_certificate_signature(child, cert):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

Environment:

OS:                     Ubuntu 24.04.1 LTS
Python:                 3.12.3
python3-cepces:         0.3.7-0ubuntu1
python3-cryptography:   41.0.7-4ubuntu0.1

Cryptography deprecated the _RSAPublicKey.verifier method in release 2.0 and removed it in release 37 per the changelog, in favor of .verify, which also requires an additional parameter.

We managed to workaround with this patch:

diff --git a/cepces/core.py b/cepces/core.py
index d642f09..a54aeaa 100644
--- a/cepces/core.py
+++ b/cepces/core.py
@@ -243,25 +243,23 @@ class Service(Base):
         """
         sig_hash_alg = cert.signature_hash_algorithm
         sig_bytes = cert.signature
+        sig_data = cert.tbs_certificate_bytes
         issuer_public_key = issuer.public_key()
 
         # Check the type of public key
         if isinstance(issuer_public_key, rsa.RSAPublicKey):
-            verifier = issuer_public_key.verifier(
-                sig_bytes, padding.PKCS1v15(), sig_hash_alg,
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, padding.PKCS1v15(), sig_hash_alg,
             )
         elif isinstance(issuer_public_key, ec.EllipticCurvePublicKey):
-            verifier = issuer_public_key.verifier(
-                sig_bytes, ec.ECDSA(sig_hash_alg),
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, ec.ECDSA(sig_hash_alg),
             )
         else:
-            verifier = issuer_public_key.verifier(
-                sig_bytes, sig_hash_alg,
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, sig_hash_alg,
             )
 
-        verifier.update(cert.tbs_certificate_bytes)
-        verifier.verify()
-
         return True
 
     def _resolve_chain(self, data, child=None):
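Review bot: the `verifier = issuer_public_key.verify(...)` assignments in all three branches leave a dead variable, because `verify()` returns None and reports a bad signature by raising `cryptography.exceptions.InvalidSignature`. Drop the `verifier =` prefix and either let the exception propagate or catch `InvalidSignature` and return False, so that the unconditional `return True` at the end of the hunk only runs after a successful verification rather than reading as if a result were being checked.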

CA_UNCONFIGURED for templates requiring approval

If I submit a request with a template that requires approval, it ends up stuck in state CA_UNCONFIGURED.
Everything is OK for requests with automatic templates.

cepces.log:

2022-05-23 15:48:48,816 __main__:ERROR:Traceback (most recent call last):
  File "/usr/lib/libexec/certmonger/cepces-submit", line 69, in main
    result = operation()
  File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 136, in __call__
    self._config.poll_interval,
AttributeError: 'Submit' object has no attribute '_config'

It is obviously linked to #5

list index out of range - ForestTrust

Hi,

We tried to implement CEPCES in a multi Forest setup, where the cert requestor is located in domain A and the CEP/CES Server in domain B.

For windows clients, everything is working fine. When setting up CEPCES on Linux, we get:

2022-03-21 10:46:30,270 cepces.certmonger.operation.FetchRoots<0x7f95246490>:DEBUG:Initializing cepces.certmonger.operation.FetchRoots<0x7f95246490>.
2022-03-21 10:46:30,278 __main__:ERROR:Traceback (most recent call last):
  File "/usr/local/libexec/certmonger/cepces-submit", line 69, in main
    result = operation()
  File "/usr/local/lib/python3.9/dist-packages/cepces-0.3.4-py3.9.egg/cepces/certmonger/operation.py", line 254, in __call__
    certs = list(self._service.certificate_chain or [])
  File "/usr/local/lib/python3.9/dist-packages/cepces-0.3.4-py3.9.egg/cepces/core.py", line 159, in certificate_chain
    data = self._policies.cas[index].certificate
  File "/usr/local/lib/python3.9/dist-packages/cepces-0.3.4-py3.9.egg/cepces/xml/binding.py", line 269, in __getitem__
    return self._list[key]
IndexError: list index out of range

When we join the cert requestor to the same domain as the CEP/CES Server, everything works fine.

certmonger version 0.79.13
sssd version 2.4.1

Regards

Invalid cepces.conf content

Attempting to generate a certificate request with the following command results in an error.

# getcert request -c cescep-ca -w -v -M 644 -T Machine -I $(hostname) -k /root/computer.key -f /root/computer.crt
New signing request "hostname_removed" added.
State NEWLY_ADDED_READING_KEYINFO, stuck: no.
State GENERATING_KEY_PAIR, stuck: no.
State NEED_KEY_GEN_PERMS, stuck: yes.

Error found in /var/log/messages

<TIME> <HOST>certmonger[<PID>]: <TIME> cepces.config.Configuration:DEBUG:Initializing application configuration.
<TIME> <HOST>certmonger[<PID>]: <TIME> cepces.config.Configuration:DEBUG:Reading: /etc/cepces/cepces.conf
<TIME> <HOST>certmonger[<PID>]: <TIME> __main__:ERROR:Traceback (most recent call last):
<TIME> <HOST>certmonger[<PID>]:  File "/usr/local/libexec/certmonger/cepces-submit", line 64, in main
<TIME> <HOST>certmonger[<PID>]:    krb5_overrides=krb5_overrides)
<TIME> <HOST>certmonger[<PID>]:  File "/usr/lib/python3.6/site-packages/cepces/config.py", line 141, in load
<TIME> <HOST>certmonger[<PID>]:    config['global'][key] = val
<TIME> <HOST>certmonger[<PID>]:  File "/usr/lib64/python3.6/configparser.py", line 1237, in __setitem__
<TIME> <HOST>certmonger[<PID>]:    self._parser._validate_value_types(option=key, value=value)
<TIME> <HOST>certmonger[<PID>]:  File "/usr/lib64/python3.6/configparser.py", line 1177, in _validate_value_types
<TIME> <HOST>certmonger[<PID>]:    raise TypeError("option values must be strings")
<TIME> <HOST>certmonger[<PID>]: TypeError: option values must be strings

Environment:

  • RHEL 8.6
    -- SELinux was disabled as a troubleshooting step
  • Certmonger 0.79.13-5 (from EPEL 8 RPM)
  • Cepces 0.3.5-6 (from EPEL 8 RPM)

Certmonger configuration file has not been modified from default.
Cepces CA was created with:
getcert add-ca -c cescep-ca -e '/usr/local/libexec/certmonger/cepces-submit --server=${PKI_SERVER} --keytab=/etc/krb5.keytab'

Entry looks valid:

# getcert list-cas
...
CA 'cescep-ca':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/local/libexec/certmonger/cepces-submit --server=<pki server fully qualified hostname, lowercase> --keytab=/etc/krb5.keytab

/etc/cepces/cepces.conf file was created like this:

mkdir -p /etc/cepces
cp /usr/local/etc/cepces/cepces.conf.dist /etc/cepces/cepces.conf
sed -i "s/server=.*/server=${PKI_SERVER}/" /etc/cepces/cepces.conf
sed -i "s/^#realm=.*/realm=${DOMAIN^^}/" /etc/cepces/cepces.conf

/etc/cepces/cepces.conf contents (minus comments):

[global]
server=<pki server fully qualified hostname, lowercase>
type=Policy
auth=Kerberos
endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
poll_interval=3600

[kerberos]
realm=<fully qualified domain name, uppercase>
ccache=True

principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}

enctypes=
  des-cbc-crc
  des-cbc-md5
  arcfour-hmac
  aes128-cts-hmac-sha1-96
  aes256-cts-hmac-sha1-96

[certificate]

Am I doing something wrong, or is this a bug?

Cepces status: CA_UNCONFIGURED

We have installed and configured cepces/certmonger, but after running the certificate request command it got the error CA_UNCONFIGURED.

Command: sudo getcert request -c cepces-ca -w -v -M 644 -T Machine -I Computer -k computer.key -f computer.crt

Can anyone help me, please?

Thanks,

question about auth Username/Password method

Hi,

I would like to use cepces to get and track certificates. OS - mainly Rocky. As far as I see, there is the option in auth to use UsernamePassword as the auth method, but in the description: not supported. Have you tested it, can it work, or is the config element only a placeholder yet?

Thank you very much and have a nice day.

tabatip

RuntimeError: No suitable key found in keytab.

Moving ufven#11 to here:
I get 3-4 of these each time I boot

2020-05-19 17:43:25,014 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 61, in main
    config = Configuration.load()
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 131, in load
    return Configuration.from_parser(config)
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 169, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle())
  File "/usr/lib64/python3.6/site-packages/cepces/auth.py", line 94, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.

Error is raised when there is no network yet.
Should it really do that or just wait a bit and then try again ?

setup.py install not respecting prefix

Following this change, setup.py install results in bin/cepces-submit being copied to build/bdist.linux-x86_64/egg/libexec/certmonger rather than the intended /usr/local/libexec/certmonger, regardless of what prefix I specify. What am I doing wrong?

Modifying the data_files variable path within setup.py to include "/usr/local" works as it did before of course but I'd like to know the intended use of user-definable prefixes.

I've attempted:

  • python3 setup.py install --prefix=/usr/local
  • setup.cfg defining the prefix

Test system(s):
Ubuntu 20.04.5 LTS

delegate=True

In commit ec43940
delegate=True is hardcoded. I wonder if that is a sensible choice for everyone?
Perhaps a config knob instead?

updating copr/PPA repositories / wiki references

The wiki for this project still mentions installation via ufven-named repositories despite the project now being managed via openSUSE:
dnf copr enable ufven/cepces
add-apt-repository ppa:ufven/cepces

Ideally these should be updated to be openSUSE/cepces and the wiki documentation updated as well

As a separate question, is there a plan for a 0.3.5 release? I would love to have a release for #5
and the replacement of token with requested_token.

Multiple enrollment servers not tried

I'm setting up cepces against an MS PKI environment with 2 intermediate CAs, and have a 2 node failover cluster with a CEP instance and 2 CES instances (one for each intermediate CA).
Both the CES URLs are published to the msPKI-Enrollment-Servers attribute in AD.

This is all being done to ensure that CEPCES still functions if a CA is down or under maintenance. I have tested, and I'm able to turn my initial intermediate CA off and everything still works from a Windows client (using CEP).

However, I've found that the cepces client on Linux (from this repo) only tries the first CES URL that gets returned from CEP.
I turned on debug logs for the cepces client using the logging.conf and I see that the responses from CEP, which have details for both my CES instances, get returned, but there doesn't appear to be any attempt to make use of the second one.

Is it possible to get cepces to retry the request using the next CES URL when an error is encountered? - this would add much more resilience to the whole setup.

Ansible role

Hi, I don't know where the best place is to make aware of this and if there is an interest for this, but I created an ansible role to deploy cepces along with the requirements and to create a machine certificate. Right now only Ubuntu 22.04 is tested.

https://github.com/c-erb/ansible-role-cepces

getcert request ... -D does not work

I want to add multiple Subject Alt DNS names to the cert and added several -D to the request:

getcert request -w -v  -c cepces -T Machine -I MachineCertificate -k /etc/apache2/ssl/my.key -f -k /etc/apache2/ssl/my.crt -D myname1.mydomain.com -D myname2.mydomain.com ...

None of these extra names were added to the cert.

Certmonger SELinux issues with /var/log/cepces

Fresh test system built today (RHEL 8.6)

  1. Installed certmonger, cepces, cepces-selinux, cepces-certmonger packages all from EPEL8.
  2. Start certmonger service and see a large number of SELinux denials like this:
# ausearch -m avc -ts today
----
node=vm1.test.local type=PROCTITLE msg=audit(1666851329.447:180): proctitle=<LARGE GUID>
node=vm1.test.local type=PATH msg=audit(1666851329.447:180): item=0 name="/var/log/cepces/" inode=100971704 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=vm1.test.local type=CWD msg=audit(1666851329.447:180): cwd="/"
node=vm1.test.local type=SYSCALL msg=audit(1666851329.447:180): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f5b2776e7d0 a2=80441 a3=1b6 items=1 ppid=1326 pid=1596 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:certmonger_t:s0 key=(null)
node=vm1.test.local type=AVC msg=audit(1666851329.447:180): avc:  denied  { write } for  pid=1596 comm="python3" name="cepces" dev="dm-0" ino=100971704 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
----
  3. The above message appears 16 times
  4. No cepces.log file is written, however if SELinux is disabled and Certmonger restarted the logfile appears

This seems like it may be a rule that is missing from the cepces-selinux package?

cepces.conf.dist: server should be pointed to actual CEP host

Currently cepces.conf.dist looks like:

[global]
# Hostname of the issuing certification authority. This is an optional setting
# and is only used to construct the URL to the Policy Provider endpoint.
#
# Default: ca
server=ca

The default ca will not work unless you configure it in /etc/hosts.

Traceback when using ca:

Jun 14 16:35:02 host.example.com certmonger[134817]: During handling of the above exception, another exception occurred:
Jun 14 16:35:02 host.example.com certmonger[134817]: Traceback (most recent call last):
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/libexec/certmonger/cepces-submit", line 65, in main
Jun 14 16:35:02 host.example.com certmonger[134817]:     service = Service(config)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/cepces/core.py", line 90, in __init__
Jun 14 16:35:02 host.example.com certmonger[134817]:     self._policies = self._xcep.get_policies()
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/cepces/xcep/service.py", line 52, in get_policies
Jun 14 16:35:02 host.example.com certmonger[134817]:     response = self.send(envelope)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/cepces/soap/service.py", line 87, in send
Jun 14 16:35:02 host.example.com certmonger[134817]:     auth=self._auth.transport)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/requests/api.py", line 116, in post
Jun 14 16:35:02 host.example.com certmonger[134817]:     return request('post', url, data=data, json=json, **kwargs)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/requests/api.py", line 60, in request
Jun 14 16:35:02 host.example.com certmonger[134817]:     return session.request(method=method, url=url, **kwargs)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
Jun 14 16:35:02 host.example.com certmonger[134817]:     resp = self.send(prep, **send_kwargs)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
Jun 14 16:35:02 host.example.com certmonger[134817]:     r = adapter.send(request, **kwargs)
Jun 14 16:35:02 host.example.com certmonger[134817]:   File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 516, in send
Jun 14 16:35:02 host.example.com certmonger[134817]:     raise ConnectionError(e, request=request)
Jun 14 16:35:02 host.example.com certmonger[134817]: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='ca', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4a416a1a20>: Failed to establish a new connection: [Errno -2] Name or service not known',))

I suggest the following change:

# Hostname of the Certificate Enrollment Policy (CEP) Server.
# Used to construct the URL to the CEP endpoint.
#
# Default: ca
server=ca

AttributeError: 'NoneType' object has no attribute 'token'

Certificate requests fail with the following error:

2024-05-22 15:49:06,402 cepces.certmonger.operation.Submit<0x735f7d9dd690>:DEBUG:Result is: None
2024-05-22 15:49:06,403 __main__:ERROR:Traceback (most recent call last):
  File "/usr/local/libexec/certmonger/cepces-submit", line 72, in main
    result = operation()
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.9-py3.10.egg/cepces/certmonger/operation.py", line 125, in __call__
    if result.token:
AttributeError: 'NoneType' object has no attribute 'token'

/etc/cepces/cepces.conf

[global]
server=server
type=Policy
auth=Kerberos
endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
cas=/etc/ssl/certs/
poll_interval=3600
openssl_seclevel=1
[kerberos]
keytab=/etc/krb5.keytab
realm=REALM
ccache=True
principals=
  ${SHORTNAME}$$
  host/${SHORTNAME}$$
  host/${fqdn}$$
  #${shortname}$$
enctypes=
  aes128-cts-hmac-sha1-96
  aes256-cts-hmac-sha1-96
delegate=True
[certificate]
certfile = "/path/to/cert.crt"
keyfile = "/path/to/key.crl"

OS: Ubuntu 22.04
Python 3.10.12

Possible to not use NDES?

Hi David!

First thanks for all your work enabling Certificate Auto Enrollment for Linux!

I have been discussing the setup of certmonger/cepces with my customer's PKI team and they had some reservations regarding cepces using NDES. Is it cepces that uses NDES or Samba? I am not sure here :-).

According to my PKI colleague NDES is no longer considered secure and they will not allow me to use it.
They did not give me any specific reason why not to use NDES, but maybe it is the SHA1 issue. That should be possible to mitigate.

NDES is listed as a requirement on the Windows Server side in the ADSys documentation (Canonical) that uses certmonger/cepces in a similar way that samba-gpupdate does.
https://github.com/ubuntu/adsys/wiki/11.-Certificate-autoenrollment .

And watching the presentation "sambaXP 2022: Certificate Auto Enrollment in Samba" you talk about moving away from NDES and using LDAP to fetch the root chain instead. 09:48-10:32, 11:50-11.60, 14.06-14.17.
https://www.youtube.com/watch?v=-79I1Sgwxt4

What are the current options of not using NDES?
That would make my customer's PKI team happy and much easier for me to implement a more secure solution for my customer.

Thanks,
Gustav

cepces with certmonger --session parameter

Hi,

  • cepces v0.3.7
  • Ubuntu 22.04 LTS

I'm trying to request domain user certificates using cepces.
I successfully added the computer to the domain, built, compiled and installed cepces on Ubuntu, and can request a Machine certificate with cepces using the --system bus.
I wonder if it is possible for the actual cepces version to use the user's Kerberos ccache to obtain domain user certificates via CEP/CES in a user D-Bus session, or to use the machine account to obtain a domain user certificate on behalf of the user. Maybe this is easy to implement?
I'm open to any suggestions on reconfiguring the AD domain / Linux client to make it work somehow.

cepces.conf
[global]
server=cepces.vmware.loc
type=Policy
auth=Kerberos

endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
cas=/etc/ssl/certs/ca-certificates.crt
poll_interval=3600
openssl_seclevel=1
keytab=/etc/krb5.keytab

# Default: <not defined>
#realm=

# Default: True
ccache=False

# Default: <empty list>
principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}

# Default: <not defined>
enctypes=
  des-cbc-crc
  des-cbc-md5
  arcfour-hmac
  aes128-cts-hmac-sha1-96
  aes256-cts-hmac-sha1-96

# Default: True
delegate=True

[certificate]
# Default: <not defined>
#certfile = /path/to/openssl-certfile.pem

# Default: <not defined>
#keyfile = /path/to/openssl-keyfile.pem

My ticket

Ticket cache: FILE:/tmp/krb5cc_XXXXXXXXX_6VeKpC
Default principal: [email protected]

Valid starting       Expires              Service principal
17.03.2023 09:51:40  17.03.2023 19:51:40  krbtgt/[email protected]
	renew until 18.03.2023 09:51:40

Keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 [email protected]
   2 [email protected]
   2 [email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 RestrictedKrbHost/[email protected]
   2 RestrictedKrbHost/[email protected]
   2 RestrictedKrbHost/[email protected]
   2 RestrictedKrbHost/[email protected]
   2 RestrictedKrbHost/[email protected]
   2 RestrictedKrbHost/[email protected]

When I try to run a command like
getcert request --session -c cepces -w -v -M 644 -T User -I User -k $HOME/user.key -f $HOME/user.crt
I get:

2023-03-17 09:44:14,006 __main__:ERROR:Traceback (most recent call last):
  File "/usr/lib/certmonger/cepces-submit", line 64, in main
    config = Configuration.load(global_overrides=global_overrides,
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 156, in load
    return Configuration.from_parser(config)
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 196, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval, openssl_seclevel)
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/auth.py", line 100, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.

No suitable Keytab error

I'm trying to enroll certificates for a Linux client from a CEP/CES Windows CA.
When I perform a certificate request I get this output:

Number of certificates and requests being tracked: 1.

Request ID 'routercrt':
status: CA_UNCONFIGURED
stuck: yes
key pair storage: type=FILE,location='/certs/machine.key'
certificate: type=FILE,location='/certs/machine.crt'
CA: cepces
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

  File "/usr/local/lib/python3.8/dist-packages/cepces-0.3.4-py3.8.egg/cepces/config.py", line 140, in load
    return Configuration.from_parser(config)
  File "/usr/local/lib/python3.8/dist-packages/cepces-0.3.4-py3.8.egg/cepces/config.py", line 178, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle())
  File "/usr/local/lib/python3.8/dist-packages/cepces-0.3.4-py3.8.egg/cepces/auth.py", line 93, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.

any help please?
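Both of the reports above (the --session request and the CA_UNCONFIGURED request) end in the same `RuntimeError: No suitable key found in keytab.`, raised while cepces expands the `principals` list from cepces.conf and looks for a matching key in the configured keytab. The script below is an added diagnostic, not cepces's own code: it expands the `${shortname}$$`, `${SHORTNAME}$$` and `${fqdn}` placeholders from the posted configuration, parses a `klist -k` listing, reports which configured principals actually have a key, and flags the DES and RC4 enctypes that the posted config lists. The matching rule (name compared case-sensitively, realm ignored unless `realm` is set), the sample keytab listing, the host name `ubuntu01.vmware.loc` and the user name `gustav` are all constructed assumptions for illustration. The readability check reflects a common cause of the --session case (a normal user cannot read `/etc/krb5.keytab`), which is an assumption on my part, not something the posts state.

```python
"""Diagnose "No suitable key found in keytab." before running cepces-submit.

Added example (not cepces project code).  The matching rules are an
assumption about how a keytab lookup behaves, not a description of
cepces internals.
"""
import os
import re
from string import Template
from typing import Dict, Iterable, List, Optional, Tuple

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4); the posted
# cepces.conf lists three of them ahead of the AES types.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed `klist -k` output modelled on the listing in the issue above
# (the real listing had its principals redacted by the page scraper).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 UBUNTU01$@VMWARE.LOC
   2 host/UBUNTU01@VMWARE.LOC
   2 host/ubuntu01.vmware.loc@VMWARE.LOC
   2 RestrictedKrbHost/UBUNTU01@VMWARE.LOC
"""

# The `principals` block exactly as it appears in the posted cepces.conf.
SAMPLE_PRINCIPALS = ["${shortname}$$", "${SHORTNAME}$$",
                     "host/${SHORTNAME}", "host/${fqdn}"]
SAMPLE_ENCTYPES = ["des-cbc-crc", "des-cbc-md5", "arcfour-hmac",
                   "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"]


def parse_klist(text: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from `klist -k` output; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def expand_principals(template_lines: Iterable[str], fqdn: str) -> List[str]:
    """Expand ${shortname}/${SHORTNAME}/${fqdn}; `$$` is a literal `$` as in
    string.Template, which is how the machine account `NAME$` is spelled."""
    shortname = fqdn.split(".")[0]
    mapping = {"shortname": shortname.lower(),
               "SHORTNAME": shortname.upper(), "fqdn": fqdn}
    return [Template(line.strip()).substitute(mapping)
            for line in template_lines if line.strip()]


def find_matching_keys(entries: List[Tuple[int, str]], wanted: List[str],
                       realm: Optional[str] = None) -> List[str]:
    """Keytab principals that satisfy the configured list.  Assumed rule: a
    configured principal without a realm matches any realm; comparison of the
    name part is case-sensitive, as Kerberos principal names are."""
    matches = []
    for _kvno, entry in entries:
        name, _, entry_realm = entry.partition("@")
        for want in wanted:
            w_name, _, w_realm = want.partition("@")
            w_realm = w_realm or realm
            if name == w_name and (w_realm is None or w_realm == entry_realm):
                matches.append(entry)
                break
    return matches


def weak_enctypes(enctypes: Iterable[str]) -> List[str]:
    """Configured enctypes that should not be relied on."""
    return [e.strip() for e in enctypes if e.strip() in WEAK_ENCTYPES]


def keytab_readable(path: str) -> bool:
    """True if the current user can open the keytab at all (relevant for
    `getcert --session`, which runs cepces-submit as the requesting user)."""
    return os.access(path, os.R_OK)


def diagnose(klist_text: str, template_lines: Iterable[str], fqdn: str,
             enctypes: Iterable[str], realm: Optional[str] = None) -> Dict[str, object]:
    """Collect everything a practitioner checks before blaming cepces."""
    entries = parse_klist(klist_text)
    wanted = expand_principals(template_lines, fqdn)
    matched = find_matching_keys(entries, wanted, realm)
    return {"wanted": wanted, "matched": matched, "ok": bool(matched),
            "weak_enctypes": weak_enctypes(enctypes)}


if __name__ == "__main__":
    report = diagnose(SAMPLE_KLIST, SAMPLE_PRINCIPALS,
                      "ubuntu01.vmware.loc", SAMPLE_ENCTYPES)
    for key, value in report.items():
        print(f"{key}: {value}")
    # A user session has a TGT for the user, but the keytab holds no user key.
    print("user key present:",
          find_matching_keys(parse_klist(SAMPLE_KLIST), ["gustav"]))
    print("keytab readable:", keytab_readable("/etc/krb5.keytab"))
```

Run it on the real host by piping `klist -k` into `parse_klist` and pasting the `principals` block from cepces.conf: an empty `matched` list means the error will fire regardless of the CA, and a non-empty `weak_enctypes` list means the config still advertises DES or RC4 keys even if the KDC no longer issues them.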
