
freeipa team mailing list archive

[Bug 2007685] [NEW] Can't Validate CA Certificates

 

Public bug reported:

I have a Puppet script that issues 802.1x certificates for networking;
this process works fine on previous versions of Ubuntu LTS. However, when
the same process runs on 20.04, it reports an issue verifying the
signature on the server to do with the CA.

Usually, the root and CA certs are added with getcert add-scep-ca; I
then run getcert list-cas, which shows the CAs are present. No error is
seen at this point.

When I run my getcert request command to get the key pair, it only
managed to create the client.key. When I run getcert list, I get the
following:

Number of certificates and requests being tracked: 1.
Request ID '20230214151328':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
    stuck: no
    key pair storage: type=FILE,location='/etc/ssl/private/802/client.key',pin set
    certificate: type=FILE,location='/etc/ssl/private/802/client.pem'
    signing request thumbprint (MD5): F966FE33 9776517E 9E12C712 244780FF
    signing request thumbprint (SHA1): 7D0099AE B85C6CBB E5910E2B 98A52D9A BC347A5C
    CA: lboro-ca
    issuer:
    subject:
    issued: unknown
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Bernard pointed out some dbus changes in the Ubuntu 22.04 version could
have been an issue. These seem to reference org.fedorahosted.certmonger,
which doesn't seem Ubuntu-centric.
https://answers.launchpad.net/ubuntu/+source/certmonger/+question/705044

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: certmonger 0.79.14+git20211010-2ubuntu1
ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
Uname: Linux 5.15.0-58-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
Date: Fri Feb 17 12:20:40 2023
InstallationDate: Installed on 2023-02-08 (9 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: certmonger
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2023-02-08T12:50:10.445988

** Affects: certmonger (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/2007685
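
In the report above, the failed SCEP enrolment only becomes visible in the `getcert list` output. The following is an added example, not part of the original report or of certmonger: it parses that output and flags requests that did not end with an issued certificate, which an automated run (such as the Puppet job described) could check. The function names are hypothetical, and treating `MONITORING` as the only healthy status is an assumption.

```python
import re

# Excerpt of the `getcert list` output quoted in the report above.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20230214151328':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
    stuck: no
    certificate: type=FILE,location='/etc/ssl/private/802/client.pem'
    CA: lboro-ca
    issuer:
    issued: unknown
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def failed_enrolments(requests):
    """Map request ID to reasons it should be treated as a failed enrolment."""
    findings = {}
    for rid, fields in requests.items():
        reasons = []
        # Assumption: MONITORING is the only state treated as healthy here.
        if fields.get("status") != "MONITORING":
            reasons.append("status=" + fields.get("status", "missing"))
        if fields.get("ca-error"):
            reasons.append("ca-error=" + fields["ca-error"])
        if fields.get("issued", "unknown") == "unknown":
            reasons.append("no certificate issued")
        if reasons:
            findings[rid] = reasons
    return findings


if __name__ == "__main__":
    for rid, reasons in failed_enrolments(parse_getcert_list(SAMPLE)).items():
        print(rid, "; ".join(reasons))
```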
