Project

General

Profile

Tâche #30881

Scénario #31228: Validation des scénario 'cadoles' (49-51)

Valider le scénario Les certificats de Samba sont des certificats non géré (sprint 43-45)

Added by Fabrice Barconnière 11 months ago. Updated 9 months ago.

Status:
Fermé
Priority:
Normal
Assigned To:
Start date:
10/19/2020
Due date:
% Done:

100%

Remaining (hours):
0.0

Related issues

Related to EOLE AD DC - Scénario #24151: Les certificats de Samba sont des certificats non géré Terminé (Sprint) 10/20/2020 11/06/2020

History

#1 Updated by Fabrice Barconnière 11 months ago

  • Related to Scénario #24151: Les certificats de Samba sont des certificats non géré added

#2 Updated by Daniel Dehennin 11 months ago

  • Status changed from Nouveau to En cours
  • Assigned To set to Daniel Dehennin

#3 Updated by Daniel Dehennin 11 months ago

Une fois le serveur instancié, c’est bien le certificat autosigné du serveur qui est mis en place :

root@scribe:~# openssl s_client -connect addc.domscribe.ac-test.fr:636 -showcerts
CONNECTED(00000003)
depth=1 C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = CA-scribe.domscribe.ac-test.fr
verify return:1
depth=0 C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = scribe.domscribe.ac-test.fr
verify return:1
---
Certificate chain
 0 s:C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = scribe.domscribe.ac-test.fr
   i:C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = CA-scribe.domscribe.ac-test.fr
-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIEX6z1EjANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMC
RlIxLzAtBgNVBAoTJk1pbmlzdGVyZSBFZHVjYXRpb24gTmF0aW9uYWxlIChNRU5F
U1IpMRQwEgYDVQQLEwsxMTAgMDQzIDAxNTEQMA4GA1UECxMHYWMtdGVzdDEnMCUG
A1UEAxMeQ0Etc2NyaWJlLmRvbXNjcmliZS5hYy10ZXN0LmZyMB4XDTIwMTExMjA4
NDEzMVoXDTIzMTExMzA4NDEzMVowgYwxCzAJBgNVBAYTAkZSMS8wLQYDVQQKEyZN
aW5pc3RlcmUgRWR1Y2F0aW9uIE5hdGlvbmFsZSAoTUVORVNSKTEUMBIGA1UECxML
MTEwIDA0MyAwMTUxEDAOBgNVBAsTB2FjLXRlc3QxJDAiBgNVBAMTG3NjcmliZS5k
b21zY3JpYmUuYWMtdGVzdC5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALr5L048Sik5Zxt6AKa1hViSt6hpekk/aA28CDxzzh/A1+Wss5Zh2oTPTfcL
53Odgr21LeQd8MSInazmG2nHtdnXrxCxtgoFPUt7hdqunAIyyzuV39Jw/sXRDc9S
JYjoUqBZoxBpSF0tCgh7BE/6+JZLgO8R+dwDrKTH4JoRocpK0dTTfwaA1EOX+dYe
uFOzYlsFh7wBZz4SN+64VrQZBDXu67qR8jGj1g/MSCH1KBQ0tZtEaB3kJ8s+IJbg
E+WuHjoCfUDIdyL4BkiISd3/gpxBzSIqIetimDiYr8/2xy+SBQ0OdfQj4udOcs73
IkfRbfqylQlrCHNxtpfMV3H0dq8CAwEAAaOBuDCBtTAJBgNVHRMEAjAAMAsGA1Ud
DwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYJYIZIAYb4
QgEBBAQDAgZAMBAGCWCGSAGG+EIBDQQDFgEgMFcGA1UdEQRQME6CFGRvbXNjcmli
ZS5hYy10ZXN0LmZyghtzY3JpYmUuZG9tc2NyaWJlLmFjLXRlc3QuZnKCGWFkZGMu
ZG9tc2NyaWJlLmFjLXRlc3QuZnIwDQYJKoZIhvcNAQELBQADggEBAD9ee96uuwnC
1zqXTuGwSMCdvGsTUB4lUetLlfuctAqbFxU3mHowAikfOkr9wLEc3aYD3DmiLaZs
td8dtWySOnyxslm4ERkTnnB3IO0kNUI5tuSGRwo7Z0iPv746SpbrG05IPWtX9DCf
r0SH36d3awIYl8TjU8rIIg8lrEfmr0w1To00+xD+6b5H7eZlNIoZnc/wK2F3S6Oa
TN0RJhBd72+hdm8zJVxaG9L/9yVb1RLL8h9jQ1hEWCuknScPTu3pJ9YOlnXcptIF
WFk7TMWnZsHdOiI3nIKcaZUOsKuNakOnULJ0p9y6WcZodWGsL4Q/KrpsYp+UXcwa
nPx0UXP4O0U=
-----END CERTIFICATE-----
---
Server certificate
subject=C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = scribe.domscribe.ac-test.fr

issuer=C = FR, O = Ministere Education Nationale (MENESR), OU = 110 043 015, OU = ac-test, CN = CA-scribe.domscribe.ac-test.fr

#4 Updated by Daniel Dehennin 11 months ago

  • % Done changed from 0 to 90

En contournant le bug Let's Encrypt (#31002), j’obtiens 2 choses :

Une erreur de posttemplate

root@eole-lab2:~# bash -x /usr/share/eole/posttemplate/01-ad_certificates reconfigure
+ . /usr/lib/eole/eolead.sh
++ CONTAINER_NAME=addc
++ CONTAINER_IP=192.0.2.2
++ CONTAINER_ROOTFS=/var/lib/lxc/addc/rootfs
++ CreoleGet ad_local
+ '[' oui = oui ']'
++ CreoleGet server_cert
+ SERVER_CERT_PATH=/etc/ssl/certs/eole.crt
+ SAMBA_CERT_FOLDER=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/
+ echo '#-*- coding: utf-8 -*-
import os
from creole.cert import get_intermediate_certs, concat_fic

chain = get_intermediate_certs("/etc/ssl/certs/eole.crt")
if chain:
    concat_fic("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem", chain)
elif os.path.isfile("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem"):
    os.unlink("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem")
'
+ [[ -f /etc/ssl/certs/eole.crt ]]
+ python3 /tmp/samba_cert_chain.py
+ rm -f /tmp/samba_cert_chain.py
+ CreoleCat -t smb-addc.conf
+ InstallSambaSSLFiles
+ cert_dir=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls
+ '[' '!' -d /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls ']'
+ chmod 0755 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls
++ CreoleGet server_key
+ server_key=/etc/ssl/private/eole.key
+ dest_cert_file=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ dest_privkey_file=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ cp /etc/ssl/certs/eole.crt /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ chmod 0644 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ cp /etc/ssl/private/eole.key /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ chmod 0600 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ echo '#-*- coding: utf-8-*-
from creole.cert import get_certs_chain
ca_root = get_certs_chain(["/etc/ssl/certs/eole.crt",])[-1]
print(ca_root)
'
++ python3 /tmp/get_ca_root.py
Traceback (most recent call last):
  File "/tmp/get_ca_root.py", line 3, in <module>
    ca_root = get_certs_chain(["/etc/ssl/certs/eole.crt",])[-1]
  File "/usr/lib/python3/dist-packages/creole/cert.py", line 186, in get_certs_chain
    subject = get_subject(certfile=certs[-1])
  File "/usr/lib/python3/dist-packages/creole/cert.py", line 564, in get_subject
    return regexp_get_subject.findall(ret)[0]
IndexError: list index out of range
+ CA_PATH=
+ rm -f /tmp/get_ca_root.py
+ keytool -delete -alias eole-ad -keystore /etc/ssl/certs/java/cacerts -storepass changeit
+ keytool -import -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -alias eole-ad -file
L'option de commande -file requiert un argument.
keytool -importcert [OPTION]...

Importe un certificat ou une chaîne de certificat

Options :

 -noprompt                       ne pas inviter
 -trustcacerts                   certificats sécurisés issus de certificats CA
 -protected                      mot de passe via mécanisme protégé
 -alias <alias>                  nom d'alias de l'entrée à traiter
 -file <filename>                nom du fichier d'entrée
 -keypass <arg>                  mot de passe de la clé
 -keystore <keystore>            nom du fichier de clés
 -storepass <arg>                mot de passe du fichier de clés
 -storetype <storetype>          type du fichier de clés
 -providername <providername>    nom du fournisseur
 -providerclass <providerclass>  nom de la classe de fournisseur
 -providerarg <arg>              argument du fournisseur
 -providerpath <pathlist>        variable d'environnement CLASSPATH du fournisseur
 -v                              sortie en mode verbose

Utiliser "keytool -help" pour toutes les commandes disponibles
+ exit 0

Le certificat utilisé par samba est bien celui de Let's Encrypt

root@eole-lab2:~# openssl s_client -connect addc.baby-gnu.net:636 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = eole-lab2.baby-gnu.net
verify return:1
---
Certificate chain
 0 s:CN = eole-lab2.baby-gnu.net
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFYzCCBEugAwIBAgISA1Nk+gYJTV2OXkd8zOslJFk/MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDExMTIwODQ5MjFaFw0y
MTAyMTAwODQ5MjFaMCExHzAdBgNVBAMTFmVvbGUtbGFiMi5iYWJ5LWdudS5uZXQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQF0+wKiukvEQMrKOgSSuu
/TEYLLdOufGMx8gnRP+syh+haPqVbXUD4WytX/URXam4xJEhK1GEZFqoHxti98RS
Buj5bOO+JCt9qjBvEgTYicD9qa08bYeKGRGBO9rjPhIYmjsnR2LjyyCRQrnkRVeQ
RUu0GQSv2bPtXk4gpTAuk/ktiBvfaYwrbA8cAoWHpnmyBpRP2vQ9VbrGOT53fYXv
WPmB2Zaqe3vhIAmYhppCZouGua8AhBk3pGGgujdjwa5EHeN05lISt6SIqikAFeMH
WEltNAZhfLnCIl1zZMemYRuFAIjn7sYjJAH9r6XHAxgt3KecWsWtxon/l54ULT69
AgMBAAGjggJqMIICZjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNm26u3/vgiOBGqM
QduGmKMV1rL1MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsG
AQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wIQYDVR0RBBowGIIWZW9sZS1sYWIyLmJhYnktZ251Lm5ldDBM
BgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIB
FhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQE
gfEA7wB2AJQgvB6O1Y1siHMfgosiLA3R2k1ebE+UPWHbTi9YTaLCAAABdbvcCksA
AAQDAEcwRQIgQZYUKstik0GMzCnOsw2MTxB9VweSj5N/ZsmhlDYuwW8CIQDY03TR
UtAeop9NJR0a8Mmd5yIAm3BgekJF8jhr22x8PAB1AH0+8viP/4hVaCTCwMqeUol5
K8UOeAl/LmqXaJl+IvDXAAABdbvcCokAAAQDAEYwRAIgHpmNA7U+0Cz2aObvjg9T
pF50+vYiokKRst1dlahiT+ACIGtEzhxWhZl81OW7aEVLD9Xn82bzW7NhoCTTMTeU
rIvNMA0GCSqGSIb3DQEBCwUAA4IBAQAicSDckQizPLWsP2TRKs4f7d3hvcVFprwa
8p6fS5WsiXlAG2DOPbunhA1YUNIUc1qYsHfGedUXYVexf3qGJWDW289PfZtSQvbI
btlXbi2V1J4M2kLABq68EMXoTUir3Dq+QonjxlM3Y/wTNJgO/Roh6ICHSwuyno4R
GlhoNyJzNv3izzkRYYFBjRSPfyitAGqZ3rCsfT9gJ55M0zBNoJIQJNPV+1TxOM4t
wy2iDHSr7WnHUCndbvew4VOxSwLpg7VclyE6bZgM/jUbLVSvNtAtjd/I9KDOcgWH
YrGYeqQcmF/rUXf74TzNNc5Oh/P1d4s2ezf1lnnnwetD+iMTrO+P
-----END CERTIFICATE-----
---
Server certificate
subject=CN = eole-lab2.baby-gnu.net

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

#5 Updated by Gilles Grandgérard 10 months ago

  • Parent task changed from #30866 to #31228

#6 Updated by Joël Cuissinat 10 months ago

  • Subject changed from Valider le scénario Les certificats de Samba sont des certificats non géré to Valider le scénario Les certificats de Samba sont des certificats non géré (sprint 43-45)

#7 Updated by Daniel Dehennin 9 months ago

  • Status changed from En cours to Résolu
  • % Done changed from 90 to 100

Cela fonctionne dans le cas général, nous verrons le cas Let's Encrypt si des utilisateurs tentent de l’utiliser avec Scribe.

#8 Updated by Daniel Dehennin 9 months ago

  • Status changed from Résolu to Fermé
  • Remaining (hours) set to 0.0

Also available in: Atom PDF