[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3

2024-03-07 Thread Jimothy
I have managed to install the proposed version on this link:
https://launchpad.net/ubuntu/jammy/amd64/certmonger/0.79.14+git20211010-2ubuntu1.1

Unfortunately, this is still suffering some issues when creating certs:

Mar  7 15:27:07 lnx-test-3 certmonger[35411]: 2024-03-07 15:27:07 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
Mar  7 15:27:15 lnx-test-3 kernel: [ 6712.749399] audit: type=1400 audit(1709825235.952:3267): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/35585/cmdline" pid=32369 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  7 15:28:01 lnx-test-3 scep-submit: Message failed verification.
Mar  7 15:28:01 lnx-test-3 scep-submit: Error: failed to verify signature on server response.#012

# Cert info

Mar  7 15:28:01 lnx-test-3 scep-submit: error:10800075:PKCS7 routines::certificate verify error

# More cert info

Mar  7 15:28:01 lnx-test-3 certmonger[35411]: 2024-03-07 15:28:01 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Fix Released
Status in certmonger source package in Jammy:
  Fix Committed

Bug description:
  [Impact]

  Requesting SCEP certificates crashes certmonger when it's built with
  OpenSSL 3, and it needs a patch backported to fix this.

  [Test case]

  Check that the SCEP requests succeed without the daemon crashing.

  
  [Where things could go wrong]

  This patch has been upstream for several months now, and this part of
  certmonger hasn't seen any additional commits since, so it's safe to
  say that adding this shouldn't regress things.

  
  --

  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1987276/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 2007685] Re: Can't Validate CA Certificates 22.04

2024-03-04 Thread Jimothy
It looks like there has been a patch published to fix this issue...

https://launchpad.net/ubuntu/+source/certmonger/0.79.14+git20211010-2ubuntu1.1

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/2007685

Title:
  Can't Validate CA Certificates 22.04

Status in certmonger package in Ubuntu:
  New

Bug description:
  I have a puppet script that issues 802.1x certificates for networking,
  this process works fine on previous versions of Ubuntu LTS. However
  when the same process runs on 22.04, it reports an issue verifying the
  signature on the server to do with the CA.

  Usually, the root and ca certs are added with getcert add-scep-ca, I
  then run getcert list-cas which shows the ca are present. No error
  seen at this point.

  When I run my getcert request command to get the key pair, it only
  managed to create the client.key. When I run getcert list, I get the
  following:

  Number of certificates and requests being tracked: 1.
  Request ID '20230214151328':
  status: CA_UNREACHABLE
  ca-error: Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
  stuck: no
  key pair storage: type=FILE,location='/etc/ssl/private/802/client.key',pin set
  certificate: type=FILE,location='/etc/ssl/private/802/client.pem'
  signing request thumbprint (MD5): F966FE33 9776517E 9E12C712 244780FF
  signing request thumbprint (SHA1): 7D0099AE B85C6CBB E5910E2B 98A52D9A BC347A5C
  CA: lboro-ca
  issuer:
  subject:
  issued: unknown
  expires: unknown
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes

  Bernard pointed out some dbus changes in the Ubuntu 22.04 version
  could have been an issue. These seem to reference
  org.fedorahosted.certmonger which doesn't seem Ubuntu centric.
  https://answers.launchpad.net/ubuntu/+source/certmonger/+question/705044

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: certmonger 0.79.14+git20211010-2ubuntu1
  ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  Date: Fri Feb 17 12:20:40 2023
  InstallationDate: Installed on 2023-02-08 (9 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: certmonger
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.apport: [modified]
  mtime.conffile..etc.default.apport: 2023-02-08T12:50:10.445988

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/2007685/+subscriptions
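
Added example (not part of the bug report and not certmonger code): a triage helper for `getcert list` output like the one quoted above. It flags requests whose `CA_UNREACHABLE` status carries a signature-verification `ca-error` and decodes the packed error code, assuming the OpenSSL 3.x error-code layout; the function names and the two-entry lookup tables are illustrative, and the sample is rebuilt from the quoted output.

```python
import re

# Field layout of a packed OpenSSL 3.x error code (assumption: the code on
# this page was produced by OpenSSL 3, as the Ubuntu 22.04 context implies).
ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 23, 0xFF, 0x7FFFFF
# Only the values needed for this page's error, not a full table.
LIBS = {33: "PKCS7"}
REASONS = {(33, 117): "certificate verify error"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl3(code_hex):
    """Split a packed error code into (library number, reason number)."""
    code = int(code_hex, 16)
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key] = value.strip()
    return requests

def triage(text):
    """List requests where CA_UNREACHABLE hides a local verify failure."""
    findings = []
    for req_id, fields in parse_getcert_list(text).items():
        m = ERR_RE.search(fields.get("ca-error", ""))
        if fields.get("status") == "CA_UNREACHABLE" and m:
            lib, reason = decode_openssl3(m.group(1))
            findings.append((req_id, LIBS.get(lib, lib),
                             REASONS.get((lib, reason), reason)))
    return findings

# Constructed sample, rebuilt from the output quoted in the bug description.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20230214151328':
  status: CA_UNREACHABLE
  ca-error: Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
  stuck: no
  CA: lboro-ca
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit means the SCEP response arrived and failed signature verification locally, so the `CA_UNREACHABLE` status should not be read as a network problem.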




[Freeipa] [Bug 2007685] Re: Can't Validate CA Certificates 22.04

2024-03-04 Thread Jimothy
Is there anyone that can advise on this problem? I'm getting the
impression that this is down to the more up to date libssl package. Seem
to get the same reason on RHEL system too.

Really struggling to find a way around the issue, tried compiling
certmonger from scratch but could successfully build it, even when I
finally managed to get the dependencies installed.
