** Description changed:

+ This bug is not being verified individually because of the use of the
+ SRU exception process (LP: #2059756)
+ 
+ -----
+ 
  NDES role should not be mandatory in order to perform certificate auto-
  enrollment with adsys.
  
  Samba/ADSys is able to take advantage of the NDES endpoint to install
  the root certificate chain, but is also able to infer the certificate
  information from LDAP.
  
  Due to a bug in the Samba implementation of cert-autoenroll, the root
  cert is not parsed properly if the NDES component is not installed -- so
  in the current state attempting auto-enrollment without NDES installed
  will result in an error like the following:
  
  2024-01-08 16:11:07.809|[W26775]| Failed to fetch the root certificate chain. 
| {}
  2024-01-08 16:11:07.809|[W05621]| The Network Device Enrollment Service is 
either not installed or not configured. | {}
  2024-01-08 16:11:07.809|[W11946]| Installing the server certificate only. | {}
  Traceback (most recent call last):
-   File "<string>", line 142, in <module>
-   File "<string>", line 89, in main
-   File "<string>", line 20, in enroll
-   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 502, in __enroll
-     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
-   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 369, in apply
-     data = applier_func(*args, **kwargs)
-            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 274, in cert_enroll
-     root_certs = getca(ca, url, trust_dir)
-                  ^^^^^^^^^^^^^^^^^^^^^^^^^
-   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 221, in getca
-     cert = load_der_x509_certificate(ca['cACertificate'],
-            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, 
in load_der_x509_certificate
-     return rust_x509.load_der_x509_certificate(data)
-            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   File "<string>", line 142, in <module>
+   File "<string>", line 89, in main
+   File "<string>", line 20, in enroll
+   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 502, in __enroll
+     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
+   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 369, in apply
+     data = applier_func(*args, **kwargs)
+            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 274, in cert_enroll
+     root_certs = getca(ca, url, trust_dir)
+                  ^^^^^^^^^^^^^^^^^^^^^^^^^
+   File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", 
line 221, in getca
+     cert = load_der_x509_certificate(ca['cACertificate'],
+            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, 
in load_der_x509_certificate
+     return rust_x509.load_der_x509_certificate(data)
+            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  TypeError: argument 'data': 'str' object cannot be converted to 'PyBytes'
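Review bot: the note added at the top says this bug will not be verified individually, yet the description gives no steps or expected output for the no-NDES case, only the failing traceback that ends in the TypeError from load_der_x509_certificate. Consider adding the log output expected once the root certificate is taken from LDAP, so the fix can still be checked under the SRU exception referenced in LP: #2059756. The removed and re-added traceback lines read the same here, so that part of the change looks cosmetic.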

https://bugs.launchpad.net/bugs/2051363

Title:
  Cannot perform certificate auto-enroll without NDES installed
