
cepces's People

Contributors: jamescassell, ufven


cepces's Issues

Package in Fedora/EPEL

This looks like a great tool, and would be more widely available if it's built in Fedora and EPEL. Would you consider packaging it? I see you already have a COPR, so likely you've already done most of the work.

SELinux issues on CentOS 6

avc:  denied  { add_name } for  pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
avc:  denied  { create } for  pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { execute } for  pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { execute_no_trans } for  pid=<pid> comm="python3" path="/sbin/ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { module_request } for  pid=<pid> comm="python3" kmod="net-pf-10" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
avc:  denied  { read open } for  pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { write } for  pid=<pid> comm="python3" name="cepces" dev=/var/log/cepces ino=/var/log/cepces scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

the /var/log/cepces issue can be fixed by restorecon -vR /var/log/cepces -- does it make sense to do that in the RPM %post scriptlet?

audit2allow output:

#============= certmonger_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow certmonger_t kernel_t:system module_request;
allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# dirsrv_config_t, cepces_log_t, var_lib_t, var_run_t, certmonger_var_lib_t, certmonger_var_run_t, cert_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow certmonger_t var_log_t:dir { write add_name };
allow certmonger_t var_log_t:file create;
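The audit2allow output above is just the AVC denials grouped by (source type, target type, object class) with their permissions merged. The following Python script is an added example, not code from cepces or from the issue author: it reimplements that grouping over the seven denial lines quoted in the issue (embedded here as constructed sample input) and, as an extra heuristic that is my assumption and not part of audit2allow, separates denials against generic catch-all types such as var_log_t (which usually mean a mislabeled path, fixed with restorecon, exactly as the reporter did for /var/log/cepces) from denials that genuinely call for a policy change. Permission order inside the braces follows first appearance in the log, so it can differ from audit2allow's own ordering.

```python
import re

# Constructed sample: the AVC denials quoted in the issue above (pids already
# redacted by the reporter). Any other audit.log / dmesg AVC lines work too.
SAMPLE_AVC = """\
avc:  denied  { add_name } for  pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
avc:  denied  { create } for  pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { execute } for  pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { execute_no_trans } for  pid=<pid> comm="python3" path="/sbin/ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { module_request } for  pid=<pid> comm="python3" kmod="net-pf-10" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
avc:  denied  { read open } for  pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc:  denied  { write } for  pid=<pid> comm="python3" name="cepces" dev=/var/log/cepces ino=/var/log/cepces scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# One denial line: the permission set in braces, then the three fields that
# identify the access vector (source context, target context, object class).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption (heuristic, not from audit2allow or cepces): a denial whose target
# is a generic catch-all type usually means the object is mislabeled, so the fix
# is restorecon on the path rather than a new allow rule.
GENERIC_TARGET_TYPES = frozenset(
    {'var_log_t', 'var_lib_t', 'var_run_t', 'etc_t', 'usr_t', 'default_t'}
)


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, [perms]) for each denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore silently
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], m['perms'].split())


def summarize(lines):
    """Merge permissions per (source, target, class), preserving first-seen order."""
    grouped = {}
    for src, tgt, cls, perms in parse_avc(lines):
        bucket = grouped.setdefault((src, tgt, cls), [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    return grouped


def render_rule(src, tgt, cls, perms):
    """Format one allow rule the way audit2allow prints it."""
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {src} {tgt}:{cls} {body};'


def allow_rules(lines):
    """audit2allow-style rules, one per (source, target, class) key."""
    return [render_rule(*key, perms) for key, perms in summarize(lines).items()]


def triage(lines):
    """Split rules into (needs policy review, probably a labeling problem)."""
    policy, relabel = [], []
    for (src, tgt, cls), perms in summarize(lines).items():
        rule = render_rule(src, tgt, cls, perms)
        (relabel if tgt in GENERIC_TARGET_TYPES else policy).append(rule)
    return policy, relabel


if __name__ == '__main__':
    policy, relabel = triage(SAMPLE_AVC.splitlines())
    print('# review before allowing:')
    for r in policy:
        print(r)
    print('# likely mislabeled object, try restorecon first:')
    for r in relabel:
        print(r)
```

Run against the quoted log, the relabel bucket holds the two var_log_t rules and the review bucket holds the ldconfig_exec_t and kernel_t rules, matching the four rules audit2allow printed in the issue.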

FIPS mode failure on CentOS 8

I get the below error in fips mode on CentOS 8.1. If I disable fips mode by removing the /etc/system-fips file, things work fine. On CentOS 7, there is no error with fips mode.

2020-04-14 12:48:13,963 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 62, in main
    service = Service(config)
  File "/usr/lib/python3.6/site-packages/cepces/core.py", line 90, in __init__
    self._policies = self._xcep.get_policies()
  File "/usr/lib/python3.6/site-packages/cepces/xcep/service.py", line 52, in get_policies
    response = self.send(envelope)
  File "/usr/lib/python3.6/site-packages/cepces/soap/service.py", line 90, in send
    req.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://ca01.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

RFE: Support auto-enrollment via Port 135 RPC

Windows (and other solutions like Centrify) use AD port 135 to auto-enroll in AD certificates. Would it be feasible to add that feature here? The problem w/ CEP is that it requires the Active Directory admins to install and enable an additional service, which the security folks seem to get nervous about.

add RPM spec to repo

Would be good to be able to open PRs against the RPM spec for fixes that need to go there.

RuntimeError: No suitable key found in keytab.

I get 3-4 of these each time I boot.

2020-05-19 17:43:25,014 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 61, in main
    config = Configuration.load()
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 131, in load
    return Configuration.from_parser(config)
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 169, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle())
  File "/usr/lib64/python3.6/site-packages/cepces/auth.py", line 94, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.

How to log better here (I don't do Python)?

cepces not renewing certs?

I am getting a report about an expired cert:

Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
	status: NEED_CA
	stuck: yes
	key pair storage: type=FILE,location='/etc/machine.key'
	certificate: type=FILE,location='/etc/machine.crt'
	issuer: CN=x.com,DC=x,DC=com
	subject: CN=xxx.yyy.com
	expires: 2020-09-05 12:06:22 CEST
	dns: xxx.yyy.com
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	profile: Machine
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

certmonger is running and I can request a new cert by deleting the old one:

getcert request -w -v -M 644 -c cepces -T Machine -I MachineCertificate -u digitalSignature -u keyEncipherment -k /etc/machine.key -f /etc/machine.crt

EE certificate key too weak

Any way one can configure cepces to override SSL's weak cert handling:

Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 66, in main
    result = operation()
  File "/usr/lib/python3.8/site-packages/cepces/certmonger/operation.py", line 112, in __call__
    result = service.request(
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 212, in request
    return self._request_ces(csr)
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 167, in _request_ces
    response = self._ces.request(csr_raw)
  File "/usr/lib/python3.8/site-packages/cepces/wstep/service.py", line 96, in request
    response = self.send(envelope)
  File "/usr/lib/python3.8/site-packages/cepces/soap/service.py", line 80, in send
    req = requests.post(url=self._endpoint,
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='x.y.z', port=443): Max retries exceeded with url: /x-y-z_CES_Kerberos/service.svc/CES (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147)')))
