Cannot perform certificate auto-enroll without NDES installed

Bug #2051363 reported by Gabriel Nagy
Affects | Status | Importance | Assigned to | Milestone
adsys (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

NDES role should not be mandatory in order to perform certificate auto-enrollment with adsys.

Samba/ADSys is able to take advantage of the NDES endpoint to install the root certificate chain, but is also able to infer the certificate information from LDAP.

Due to a bug in the Samba implementation of cert-autoenroll, the root cert is not parsed properly if the NDES component is not installed -- so in the current state attempting auto-enrollment without NDES installed will result in an error like the following:

2024-01-08 16:11:07.809|[W26775]| Failed to fetch the root certificate chain. | {}
2024-01-08 16:11:07.809|[W05621]| The Network Device Enrollment Service is either not installed or not configured. | {}
2024-01-08 16:11:07.809|[W11946]| Installing the server certificate only. | {}
Traceback (most recent call last):
  File "<string>", line 142, in <module>
  File "<string>", line 89, in main
  File "<string>", line 20, in enroll
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 502, in __enroll
    self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 369, in apply
    data = applier_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 274, in cert_enroll
    root_certs = getca(ca, url, trust_dir)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 221, in getca
    cert = load_der_x509_certificate(ca['cACertificate'],
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, in load_der_x509_certificate
    return rust_x509.load_der_x509_certificate(data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'data': 'str' object cannot be converted to 'PyBytes'
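
The traceback above ends with a `str` reaching a DER loader that only accepts bytes. The following is an added example, not adsys or Samba code: a standard-library sketch of normalising a `cACertificate` attribute value before it is parsed. The names `to_der_bytes`, `der_total_length` and `SAMPLE_DER` are hypothetical, and treating a text value as base64 of the DER data is an assumption the report does not state.

```python
import base64
import binascii

# Constructed stand-in for a DER blob (SEQUENCE { INTEGER 5 }), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")


def der_total_length(data: bytes) -> int:
    """Return the encoded size of the outer DER SEQUENCE (header + contents)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der_bytes(value) -> bytes:
    """Normalise one cACertificate attribute value to DER bytes, or raise."""
    if isinstance(value, (list, tuple)):  # LDAP attributes can be multi-valued
        if len(value) != 1:
            raise ValueError("expected exactly one certificate value")
        value = value[0]
    if isinstance(value, str):
        # Assumption: a text value is base64 of the DER certificate.
        try:
            value = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("text value is not valid base64") from exc
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError(f"unsupported type {type(value).__name__}")
    value = bytes(value)
    if der_total_length(value) != len(value):
        raise ValueError("DER length does not match the value size")
    return value


if __name__ == "__main__":
    as_text = base64.b64encode(SAMPLE_DER).decode("ascii")
    print(to_der_bytes(as_text) == to_der_bytes([SAMPLE_DER]))
```

Rejecting values whose outer length does not match their size keeps truncated or padded attribute data out of the trust store path instead of failing later inside the X.509 parser.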

Gabriel Nagy (gabuscus)
Changed in adsys (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.13.3

---------------
adsys (0.13.3) noble; urgency=medium

  * Fix cert auto-enroll without NDES (LP: #2051363)
  * Refresh policy definition files (remove Lunar support)
  * CI and quality of life changes not impacting package functionality:
    - Bump github actions to latest:
      - actions/download-artifact
      - actions/setup-go
      - actions/upload-artifact
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/charmbracelet/bubbletea
    - github.com/google/uuid
    - github.com/spf13/viper
    - golang.org/x/crypto
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - google.golang.org/grpc
    - google.golang.org/protobuf

 -- Gabriel Nagy <email address hidden> Fri, 26 Jan 2024 13:57:46 +0200

Changed in adsys (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

SRU information missing from the description
