| 2024-06-26 13:10:11 |
Gabriel Nagy |
description |
NDES role should not be mandatory in order to perform certificate auto-enrollment with adsys.
Samba/ADSys is able to take advantage of the NDES endpoint to install the root certificate chain, but is also able to infer the certificate information from LDAP.
Due to a bug in the Samba implementation of cert-autoenroll, the root cert is not parsed properly if the NDES component is not installed -- so in the current state attempting auto-enrollment without NDES installed will result in an error like the following:
2024-01-08 16:11:07.809|[W26775]| Failed to fetch the root certificate chain. | {}
2024-01-08 16:11:07.809|[W05621]| The Network Device Enrollment Service is either not installed or not configured. | {}
2024-01-08 16:11:07.809|[W11946]| Installing the server certificate only. | {}
Traceback (most recent call last):
File "<string>", line 142, in <module>
File "<string>", line 89, in main
File "<string>", line 20, in enroll
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 502, in __enroll
self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 369, in apply
data = applier_func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 274, in cert_enroll
root_certs = getca(ca, url, trust_dir)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 221, in getca
cert = load_der_x509_certificate(ca['cACertificate'],
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, in load_der_x509_certificate
return rust_x509.load_der_x509_certificate(data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'data': 'str' object cannot be converted to 'PyBytes' |
This bug is not being verified individually because of the use of the SRU exception process (LP: #2059756)
-----
NDES role should not be mandatory in order to perform certificate auto-enrollment with adsys.
Samba/ADSys is able to take advantage of the NDES endpoint to install the root certificate chain, but is also able to infer the certificate information from LDAP.
Due to a bug in the Samba implementation of cert-autoenroll, the root cert is not parsed properly if the NDES component is not installed -- so in the current state attempting auto-enrollment without NDES installed will result in an error like the following:
2024-01-08 16:11:07.809|[W26775]| Failed to fetch the root certificate chain. | {}
2024-01-08 16:11:07.809|[W05621]| The Network Device Enrollment Service is either not installed or not configured. | {}
2024-01-08 16:11:07.809|[W11946]| Installing the server certificate only. | {}
Traceback (most recent call last):
File "<string>", line 142, in <module>
File "<string>", line 89, in main
File "<string>", line 20, in enroll
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 502, in __enroll
self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 369, in apply
data = applier_func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 274, in cert_enroll
root_certs = getca(ca, url, trust_dir)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 221, in getca
cert = load_der_x509_certificate(ca['cACertificate'],
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, in load_der_x509_certificate
return rust_x509.load_der_x509_certificate(data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'data': 'str' object cannot be converted to 'PyBytes' |
|
