Bug 53285 - cepces: getcert list is empty: certificates are neither requested nor received: Failed to fetch the list of supported templates
Summary: cepces: getcert list is empty: certificates are neither requested nor received: Faile...
Status: NEW
Alias: None
Product: Sisyphus
Classification: Development
Component: cepces (show other bugs)
Version: unstable
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Evgeny Sinelnikov
QA Contact: qa-sisyphus
Reported: 2025-03-03 18:28 MSK by Evgeny Shesteperov
Modified: 2025-10-10 15:20 MSK
Description Evgeny Shesteperov 2025-03-03 18:28:55 MSK
Version

-   cepces-0.3.8-alt2
-   samba-4.20.7-alt1

Steps to reproduce

A document with more detailed steps is attached to the bug.

1.  Deploy Windows AD as the domain.

2.  Set up Certificate Services.

3.  Configure server certificate autoenrollment:
    https://learn.microsoft.com/ru-ru/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

4.  Set up a shared directory on the server for transferring the certificates.

5.  Configure the IIS server.

6.  Configure the clients:

        mkdir -p /mnt/adshare && mount -v -t cifs -o user=Admin //addc.windows.testdomain/share /mnt/adshare && l /mnt/adshare
        cp /mnt/adshare/windowsad.cer /etc/pki/ca-trust/source/anchors/ && update-ca-trust && trust list | grep windows
        cp /mnt/adshare/windowsad-root.cer /etc/pki/ca-trust/source/anchors/ && update-ca-trust && trust list | grep windows-addc-ca -i
        apt-get install -y cepces cepces-certmonger python3-module-cepces samba-gpupdate
        mkdir -p /etc/pki/trust/anchors

7.  Configure the default cepces settings:

        sed -i "s/^server=.*/server=addc.windows.testdomain/" /etc/cepces/cepces.conf && grep 'server=' /etc/cepces/cepces.conf

8.  Make sure cepces is registered in certmonger on the client:

        # getcert list-cas -c cepces

9.  Run the command:

        # samba-gpupdate --rsop

10. Trigger the request:

        # samba-gpupdate --force && echo $?

11. Make sure the CA appears in the list (OK):

        # getcert list-cas -c windows-ADDC-CA

12. Show the list of tracked certificates:

        # getcert list

Expected result: the tracked certificates are displayed

    Number of certificates and requests being tracked: 1.
    Request ID 'windows-ADDC-CA.Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/windows-ADDC-CA.Machine.key'
        certificate: type=FILE,location='/var/cache/samba/certs/windows-ADDC-CA.Machine.crt'
        CA: windows-ADDC-CA
        issuer: CN=windows-ADDC-CA,DC=windows,DC=testdomain
        subject: CN=ieb6ahwa.windows.testdomain
        issued: 2025-03-03 18:06:44 MSK
        expires: 2026-03-03 18:06:44 MSK
        dns: ieb6ahwa.windows.testdomain
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        profile: Machine
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

Actual result: error:

    Number of certificates and requests being tracked: 0.

Reproduces in P11.

Does not reproduce in P10:

-   cepces-0.3.7-alt1
-   samba-4.19.9-alt4
Comment 1 Artem Varaksa 2025-09-03 12:42:01 MSK
Also reproduces with samba-4.21.7-alt4.x86_64.

Additionally:

If `# samba-gpupdate --debuglevel=1 --force` is run, errors are visible, although the exit code stays 0:

> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
> 2025-09-03 12:32:55.472|[E66544]| Failed to fetch the list of supported templates. | {'Error': '...'}

Error:

> 2025-09-03 12:32:55,419 __main__:ERROR:Traceback (most recent call last):
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 787, in urlopen
>     response = self._make_request(
>                ^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 488, in _make_request
>     raise new_e
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 464, in _make_request
>     self._validate_conn(conn)
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
>     conn.connect()
>   File "/usr/lib/python3/site-packages/urllib3/connection.py", line 741, in connect
>     sock_and_verified = _ssl_wrap_socket_and_match_hostname(
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
>     ssl_sock = ssl_wrap_socket(
>                ^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket
>     ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl
>     return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib64/python3.12/ssl.py", line 455, in wrap_socket
>     return self.sslsocket_class._create(
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib64/python3.12/ssl.py", line 1041, in _create
>     self.do_handshake()
>   File "/usr/lib64/python3.12/ssl.py", line 1319, in do_handshake
>     self._sslobj.do_handshake()
> ConnectionResetError: [Errno 104] Connection reset by peer
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/usr/lib/python3/site-packages/requests/adapters.py", line 667, in send
>     resp = conn.urlopen(
>            ^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 841, in urlopen
>     retries = retries.increment(
>               ^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/retry.py", line 474, in increment
>     raise reraise(type(error), error, _stacktrace)
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/util.py", line 38, in reraise
>     raise value.with_traceback(tb)
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 787, in urlopen
>     response = self._make_request(
>                ^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 488, in _make_request
>     raise new_e
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 464, in _make_request
>     self._validate_conn(conn)
>   File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
>     conn.connect()
>   File "/usr/lib/python3/site-packages/urllib3/connection.py", line 741, in connect
>     sock_and_verified = _ssl_wrap_socket_and_match_hostname(
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
>     ssl_sock = ssl_wrap_socket(
>                ^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket
>     ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl
>     return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib64/python3.12/ssl.py", line 455, in wrap_socket
>     return self.sslsocket_class._create(
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib64/python3.12/ssl.py", line 1041, in _create
>     self.do_handshake()
>   File "/usr/lib64/python3.12/ssl.py", line 1319, in do_handshake
>     self._sslobj.do_handshake()
> urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/usr/libexec/certmonger/cepces-submit", line 68, in main
>     service = Service(config)
>               ^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/cepces/core.py", line 90, in __init__
>     self._policies = self._xcep.get_policies()
>                      ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/cepces/xcep/service.py", line 52, in get_policies
>     response = self.send(envelope)
>                ^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/cepces/soap/service.py", line 82, in send
>     req = requests.post(url=self._endpoint,
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/requests/api.py", line 115, in post
>     return request("post", url, data=data, json=json, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/requests/api.py", line 59, in request
>     return session.request(method=method, url=url, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/requests/sessions.py", line 589, in request
>     resp = self.send(prep, **send_kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/requests/sessions.py", line 703, in send
>     r = adapter.send(request, **kwargs)
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/site-packages/requests/adapters.py", line 682, in send
>     raise ConnectionError(err, request=request)
> requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

---

Per https://dmulder.github.io/group-policy-book/certautoenroll.html#examining-logs

# cat /var/log/cepces/cepces.log | rg 'Caused by'

shows the errors

> requests.exceptions.ConnectionError: HTTPSConnectionPool(host='ca', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f1ce1ad7440>: Failed to resolve 'ca' ([Errno -5] No address associated with hostname)"))

but their number does not grow when `samba-gpupdate` is run again; possibly these are errors from before `/etc/cepces/cepces.conf` was configured correctly.

---

When the request is created manually per https://github.com/openSUSE/cepces/wiki/Usage, the request is shown, but as "CA_UNCONFIGURED":

> Request ID 'MachineCertificate':
> 	status: CA_UNCONFIGURED
> 	stuck: yes
> 	key pair storage: type=FILE,location='/root/machine.key'
> 	certificate: type=FILE,location='/root/machine.crt'
> 	CA: windows-ADDC-CA
> 	issuer:
> 	subject:
> 	issued: unknown
> 	expires: unknown
> 	profile: Machine
> 	pre-save command:
> 	post-save command:
> 	track: yes
> 	auto-renew: yes

In Windows, no certificate requests are shown in the "Certification Authority" console.
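A check for the two failure states shown in this bug (an empty `getcert list` after `samba-gpupdate --force`, and a manual request stuck in CA_UNCONFIGURED), as an added example that is not part of the bug report or of cepces/certmonger. The sample outputs are constructed from the listings quoted above; the CA name windows-ADDC-CA and the field names come from the report.

```python
import re

# Constructed samples modelled on the `getcert list` output quoted in the bug.
GETCERT_OK = """\
Number of certificates and requests being tracked: 1.
Request ID 'windows-ADDC-CA.Machine':
\tstatus: MONITORING
\tstuck: no
\tCA: windows-ADDC-CA
"""
GETCERT_EMPTY = "Number of certificates and requests being tracked: 0.\n"
GETCERT_UNCONFIGURED = """\
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
\tstatus: CA_UNCONFIGURED
\tstuck: yes
\tCA: windows-ADDC-CA
"""
REQ_RE = re.compile(r"^Request ID '([^']+)':")

def tracked_count(text):
    """Number from the 'being tracked' header line (0 if the line is absent)."""
    m = re.search(r"being tracked: (\d+)\.", text)
    return int(m.group(1)) if m else 0

def parse_getcert_list(text):
    """Map request id -> {field: value} for every request in the output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def unhealthy_requests(text, expected_ca):
    """(request id, reason) for each request that is not cleanly monitored."""
    problems = []
    for rid, f in parse_getcert_list(text).items():
        reasons = [k + "=" + f.get(k, "?") for k, ok in
                   (("status", "MONITORING"), ("stuck", "no"), ("CA", expected_ca))
                   if f.get(k) != ok]
        if reasons:
            problems.append((rid, ", ".join(reasons)))
    return problems

def autoenroll_healthy(text, expected_ca):
    """True only if at least one request is tracked and none is unhealthy."""
    return tracked_count(text) > 0 and not unhealthy_requests(text, expected_ca)
```

Feeding the real output of `getcert list` into `autoenroll_healthy` turns the "tracked: 0" symptom from this bug into a monitoring alert rather than a silent exit code 0.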
Comment 2 Artem Varaksa 2025-09-03 12:43:17 MSK
> When the request is created manually per https://github.com/openSUSE/cepces/wiki/Usage

# getcert request -c windows-ADDC-CA -T Machine -I MachineCertificate -k machine.key -f machine.crt
Comment 3 Белая Алёна 2025-10-10 15:20:16 MSK
The error is still present
samba-4.21.8-alt3
cepces-0.3.8-alt2