** Description changed: [ Impact ] + * This prevents the AD certificate auto-entrollment from working. Certificates will not be automatically enrolled from a AD controller to an Ubuntu client machine. Errors will be logged in the journal of the attempts. * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed. * Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method. * The new API to use is _RSAPublicKey.verify, which takes one extra parameter. * Versions prior to Noble still have cryptography with the .verifier method. [ Test Plan ] I was looking for a shorter way, but apparently cepces test suite does not cover this case and testing requires a AD controler. - The issue happens occurs when following [1]. When a configured system - tries to automatically enroll certificates it fails with the following - messages: + 1. Configure a Windows AD controller to support certificate auto entrollment [1]. + 2. Connect an ubuntu client to join the AD by following (either during installation or manually). + 3. Update policies with: + sudo adsysctl update -m -v + 4. Get certificate list: + sudo getcert list + 5. Check certmonger log for issues. + 6. Install the -proposed version of python3-cepces (enable -proposed if needed [2]) + 7. Re-run steps 3 & 4. + + Expected result: + All the certificate should be auto-entrolled with no errors. 
+ + Actual result (with affected version): + `journal -u certmonger` contains errors: Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' - [1] - https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates- - autoenrolment/ + [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/#configure-the-auto-enrolment-policy + [2] https://wiki.ubuntu.com/Testing/EnableProposed [ Where problems could occur ] The fix is minimal, sourced from upstream, and has been uploaded to the devel release (plucky). The patch makes cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, but this version is not present in any of the affected series, and thus should present no danger of incompatibility. 
[ Other Info ] Original bug description: This bug is opened to include the upstream patch by falencastro into the Ubuntu release of python3-cepces Upstream Bug report: https://github.com/openSUSE/cepces/issues/41 python-cryptography version 37.0.0 dropped the `signer` and `verifier` methods, replacing them with `sign` and `verify` (https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700--- 2022-04-26) From upstream report: 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu 2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center OS: Ubuntu 24.04.1 LTS Python: 3.12.3 python3-cepces: 0.3.7-0ubuntu1 python3-cryptography: 41.0.7-4ubuntu0.1 3) What you expected to happen: AD enrolled systems can auto-fetch certificates from the server 4) What happened instead: Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' PR with fix: https://github.com/openSUSE/cepces/pull/42
https://bugs.launchpad.net/bugs/2081751
Title: python3-cepces calling deprecated method from cryptography
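The API change described in the report, shown as an added example that is not part of the original bug report and is not the cepces or upstream patch code: a certificate signature check written against `verify`, which takes the signed data as its extra argument. It assumes an RSA issuer key and a PKCS#1 v1.5 signature; the CA, the names and the helper functions `make_cert` and `signature_is_valid` are constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a constructed test certificate signed by signing_key."""
    now = datetime.datetime(2024, 1, 1)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def signature_is_valid(cert, issuer_public_key):
    """Check an RSA PKCS#1 v1.5 certificate signature with verify()."""
    try:
        # Removed API: verifier(signature, padding, algorithm), followed by
        # update(data) and verify(). verify() takes the data directly.
        issuer_public_key.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        # Wrong issuer key or tampered certificate: reject, do not crash.
        return False


# Constructed sample data: a throwaway CA key and an unrelated second key.
ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
leaf = make_cert("client.example.test", "Example Test CA", other_key, ca_key)
```

Catching only `InvalidSignature` keeps an unexpected error, such as the `AttributeError` in the journal output above, visible instead of being reported as a failed verification.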
