ufven / cepces
This project forked from opensuse/cepces
cepces is an application for enrolling certificates through CEP and CES.
License: GNU General Public License v3.0
This looks like a great tool, and would be more widely available if it's built in Fedora and EPEL. Would you consider packaging it? I see you already have a COPR, so likely you've already done most of the work.
avc: denied { add_name } for pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
avc: denied { create } for pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc: denied { execute } for pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=<pid> comm="python3" path="/sbin/ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc: denied { module_request } for pid=<pid> comm="python3" kmod="net-pf-10" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
avc: denied { read open } for pid=<pid> comm="python3" name="ldconfig" dev=/sbin/ldconfig ino=/sbin/ldconfig scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
avc: denied { write } for pid=<pid> comm="python3" name="cepces" dev=/var/log/cepces ino=/var/log/cepces scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
The /var/log/cepces issue can be fixed by restorecon -vR /var/log/cepces -- does it make sense to do that in the RPM %post scriptlet?
audit2allow output:
#============= certmonger_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow certmonger_t kernel_t:system module_request;
allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# dirsrv_config_t, cepces_log_t, var_lib_t, var_run_t, certmonger_var_lib_t, certmonger_var_run_t, cert_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t
allow certmonger_t var_log_t:dir { write add_name };
allow certmonger_t var_log_t:file create;
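As an added example (not part of the issue or of the cepces project), the following Python parses AVC denial lines in the format reported above and aggregates the denied permissions per source type, target type and object class, which is the grouping behind audit2allow's allow statements. The sample input is copied from the denials in the issue; it separates the var_log_t hits on the dedicated log directory (a labeling problem, fixed by restorecon as noted) from the ldconfig_exec_t and kernel_t ones, which are policy gaps.

```python
import re
from collections import defaultdict

# Sample input: AVC denials copied from the issue above (pid redacted as in the report).
SAMPLE_AVC = [
    'avc: denied { add_name } for pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'avc: denied { create } for pid=<pid> comm="python3" name="cepces.log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'avc: denied { execute } for pid=<pid> comm="python3" name="ldconfig" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file',
    'avc: denied { read open } for pid=<pid> comm="python3" name="ldconfig" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file',
    'avc: denied { module_request } for pid=<pid> comm="python3" kmod="net-pf-10" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'avc: denied { write } for pid=<pid> comm="python3" name="cepces" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
]

# Permission set in braces, then the key=value fields (values may be quoted).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict of fields plus 'perms'; None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec

def sel_type(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    return context.split(':')[2]

def aggregate_rules(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue  # skip non-AVC lines and truncated records
        key = (sel_type(rec['scontext']), sel_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)

def format_rules(rules):
    """Render the aggregated denials as allow statements, the shape audit2allow prints."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = ' '.join(sorted(perms))
        body = joined if len(perms) == 1 else '{ ' + joined + ' }'
        out.append(f'allow {src} {tgt}:{cls} {body};')
    return out

if __name__ == '__main__':
    for rule in format_rules(aggregate_rules(SAMPLE_AVC)):
        print(rule)
```

A rule whose target is a generic type such as var_log_t on a path the policy already gives its own type (here cepces_log_t) points to mislabeled files rather than missing policy, so relabel before considering any allow rule.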
I get the below error in FIPS mode on CentOS 8.1. If I disable FIPS mode by removing the /etc/system-fips file, things work fine. On CentOS 7, there is no error with FIPS mode.
2020-04-14 12:48:13,963 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 62, in main
    service = Service(config)
  File "/usr/lib/python3.6/site-packages/cepces/core.py", line 90, in __init__
    self._policies = self._xcep.get_policies()
  File "/usr/lib/python3.6/site-packages/cepces/xcep/service.py", line 52, in get_policies
    response = self.send(envelope)
  File "/usr/lib/python3.6/site-packages/cepces/soap/service.py", line 90, in send
    req.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://ca01.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Windows (and other solutions like Centrify) use AD port 135 to auto-enroll in AD certificates. Would it be feasible to add that feature here? The problem w/ CEP is that it requires the Active Directory admins to install and enable an additional service, which the security folks seem to get nervous about.
Would be good to be able to open PRs against the RPM spec for fixes that need to go there.
I've forked cepces here: https://github.com/openSUSE/cepces
Daniel has been inactive since last May. I've merged a couple of the open pull requests in my fork.
@ufven if you come back, we could work on merging things back in here.
I get 3-4 of these each time I boot
2020-05-19 17:43:25,014 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 61, in main
    config = Configuration.load()
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 131, in load
    return Configuration.from_parser(config)
  File "/usr/lib64/python3.6/site-packages/cepces/config.py", line 169, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle())
  File "/usr/lib64/python3.6/site-packages/cepces/auth.py", line 94, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.
How to log better here (I don't do Python)?
Our Win2008 CA does not have CEP configured. Would it be possible to have config entries for specifying CES directly?
PKCS7Converter is imported but not defined; switching to StringConverter fixes it.
I am getting a report about an expired cert:
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
	status: NEED_CA
	stuck: yes
	key pair storage: type=FILE,location='/etc/machine.key'
	certificate: type=FILE,location='/etc/machine.crt'
	issuer: CN=x.com,DC=x,DC=com
	subject: CN=xxx.yyy.com
	expires: 2020-09-05 12:06:22 CEST
	dns: xxx.yyy.com
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	profile: Machine
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
certmonger is running and I can request a new cert by deleting the old one:
getcert request -w -v -M 644 -c cepces -T Machine -I MachineCertificate -u digitalSignature -u keyEncipherment -k /etc/machine.key -f /etc/machine.crt
Any way one can configure cepces to override SSL's weak cert handling:
Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 66, in main
    result = operation()
  File "/usr/lib/python3.8/site-packages/cepces/certmonger/operation.py", line 112, in __call__
    result = service.request(
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 212, in request
    return self._request_ces(csr)
  File "/usr/lib/python3.8/site-packages/cepces/core.py", line 167, in _request_ces
    response = self._ces.request(csr_raw)
  File "/usr/lib/python3.8/site-packages/cepces/wstep/service.py", line 96, in request
    response = self.send(envelope)
  File "/usr/lib/python3.8/site-packages/cepces/soap/service.py", line 80, in send
    req = requests.post(url=self._endpoint,
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='x.y.z', port=443): Max retries exceeded with url: /x-y-z_CES_Kerberos/service.svc/CES (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147)')))