
Task #31137

Scenario #24151: Samba certificates are unmanaged certificates

Disable copying of certificates to Samba when the server uses Let's Encrypt

Added by Daniel Dehennin 10 months ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assigned To:
Start date: 11/16/2020
Due date:
% Done: 100%
Remaining (hours): 0.0

Description

There is an error with Let's Encrypt certificates.

Moreover, if the REALM does not use a public DNS domain, Let's Encrypt will never be able to issue a certificate for it.

Automatically generating a dedicated Let's Encrypt certificate for the REALM looks very complicated for little gain, so the Samba certificate should be left alone in the Let's Encrypt case.

A posttemplate error

root@eole-lab2:~# bash -x /usr/share/eole/posttemplate/01-ad_certificates reconfigure
+ . /usr/lib/eole/eolead.sh
++ CONTAINER_NAME=addc
++ CONTAINER_IP=192.0.2.2
++ CONTAINER_ROOTFS=/var/lib/lxc/addc/rootfs
++ CreoleGet ad_local
+ '[' oui = oui ']'
++ CreoleGet server_cert
+ SERVER_CERT_PATH=/etc/ssl/certs/eole.crt
+ SAMBA_CERT_FOLDER=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/
+ echo '#-*- coding: utf-8 -*-
import os
from creole.cert import get_intermediate_certs, concat_fic

chain = get_intermediate_certs("/etc/ssl/certs/eole.crt")
if chain:
    concat_fic("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem", chain)
elif os.path.isfile("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem"):
    os.unlink("/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls//ca.pem")
'
+ [[ -f /etc/ssl/certs/eole.crt ]]
+ python3 /tmp/samba_cert_chain.py
+ rm -f /tmp/samba_cert_chain.py
+ CreoleCat -t smb-addc.conf
+ InstallSambaSSLFiles
+ cert_dir=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls
+ '[' '!' -d /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls ']'
+ chmod 0755 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls
++ CreoleGet server_key
+ server_key=/etc/ssl/private/eole.key
+ dest_cert_file=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ dest_privkey_file=/var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ cp /etc/ssl/certs/eole.crt /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ chmod 0644 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/cert.pem
+ cp /etc/ssl/private/eole.key /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ chmod 0600 /var/lib/lxc/addc/rootfs/var/lib/samba/private/tls/key.pem
+ echo '#-*- coding: utf-8-*-
from creole.cert import get_certs_chain
ca_root = get_certs_chain(["/etc/ssl/certs/eole.crt",])[-1]
print(ca_root)
'
++ python3 /tmp/get_ca_root.py
Traceback (most recent call last):
  File "/tmp/get_ca_root.py", line 3, in <module>
    ca_root = get_certs_chain(["/etc/ssl/certs/eole.crt",])[-1]
  File "/usr/lib/python3/dist-packages/creole/cert.py", line 186, in get_certs_chain
    subject = get_subject(certfile=certs[-1])
  File "/usr/lib/python3/dist-packages/creole/cert.py", line 564, in get_subject
    return regexp_get_subject.findall(ret)[0]
IndexError: list index out of range
+ CA_PATH=
+ rm -f /tmp/get_ca_root.py
+ keytool -delete -alias eole-ad -keystore /etc/ssl/certs/java/cacerts -storepass changeit
+ keytool -import -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -alias eole-ad -file
L'option de commande -file requiert un argument.
keytool -importcert [OPTION]...

Importe un certificat ou une chaîne de certificat

Options :

 -noprompt                       ne pas inviter
 -trustcacerts                   certificats sécurisés issus de certificats CA
 -protected                      mot de passe via mécanisme protégé
 -alias <alias>                  nom d'alias de l'entrée à traiter
 -file <filename>                nom du fichier d'entrée
 -keypass <arg>                  mot de passe de la clé
 -keystore <keystore>            nom du fichier de clés
 -storepass <arg>                mot de passe du fichier de clés
 -storetype <storetype>          type du fichier de clés
 -providername <providername>    nom du fournisseur
 -providerclass <providerclass>  nom de la classe de fournisseur
 -providerarg <arg>              argument du fournisseur
 -providerpath <pathlist>        variable d'environnement CLASSPATH du fournisseur
 -v                              sortie en mode verbose

Utiliser "keytool -help" pour toutes les commandes disponibles
+ exit 0

The certificate used by Samba is indeed the Let's Encrypt one

root@eole-lab2:~# openssl s_client -connect addc.baby-gnu.net:636 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = eole-lab2.baby-gnu.net
verify return:1
---
Certificate chain
 0 s:CN = eole-lab2.baby-gnu.net
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Server certificate
subject=CN = eole-lab2.baby-gnu.net

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
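As an added example (not EOLE's own 01-ad_certificates script), here is a hardened version of the two steps that failed in the trace above: a short-circuit that leaves Samba's certificate untouched when Let's Encrypt manages the server certificate, and a guard that never lets an unresolved CA_PATH reach keytool. The Creole variable holding the Let's Encrypt switch is not named on the page, so the flag is passed in as an argument.

```shell
#!/bin/bash
# Added example, not EOLE's own 01-ad_certificates: harden the two steps
# that failed in the trace above.  Assumption: the Let's Encrypt switch is
# passed in as "oui"/"non" (the real Creole variable name is not on the page).

# Leave Samba's own certificate in place when Let's Encrypt manages the
# server certificate, or when the configured server certificate is missing.
should_install_samba_cert() {
    server_cert="$1"
    letsencrypt="$2"
    if [ "$letsencrypt" = "oui" ]; then
        return 1
    fi
    [ -f "$server_cert" ]
}

# Issuer check on a PEM file, as a fallback when no switch is available
# (requires openssl; not exercised offline).
cert_issued_by_letsencrypt() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -q "Let's Encrypt"
}

# A usable CA path is non-empty and names a non-empty, readable file.
ca_path_usable() {
    ca_path="$1"
    [ -n "$ca_path" ] && [ -s "$ca_path" ] && [ -r "$ca_path" ]
}

# Import the CA root into the Java keystore only when it was resolved;
# otherwise fail loudly instead of calling keytool with an empty -file,
# which in the trace above printed keytool's usage text and still exited 0.
import_ca_into_java_keystore() {
    ca_path="$1"
    keystore="${2:-/etc/ssl/certs/java/cacerts}"
    if ! ca_path_usable "$ca_path"; then
        echo "01-ad_certificates: CA root not resolved, keystore import skipped" >&2
        return 1
    fi
    keytool -delete -alias eole-ad -keystore "$keystore" -storepass changeit >/dev/null 2>&1 || true
    keytool -import -trustcacerts -noprompt -alias eole-ad \
        -keystore "$keystore" -storepass changeit -file "$ca_path"
}
```

The calling script should propagate a non-zero return from import_ca_into_java_keystore instead of ending with an unconditional exit 0, so a failed chain resolution is visible to reconfigure.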

Associated revisions

Revision 40af75df (diff)
Added by Emmanuel GARETTE 10 months ago

do not modify the samba certificate when Let's Encrypt is enabled (ref #31137)

Revision 9aacdc51 (diff)
Added by Emmanuel GARETTE 10 months ago

do not modify the samba certificate when Let's Encrypt is enabled (ref #31137)

History

#1 Updated by Benjamin Bohard 10 months ago

Additional information: the certificate generated by samba is only valid for two years. Its renewal must not be forgotten.

#2 Updated by Emmanuel GARETTE 10 months ago

  • Status changed from New to In progress

#3 Updated by Emmanuel GARETTE 10 months ago

  • Assigned To set to Emmanuel GARETTE

#4 Updated by Emmanuel GARETTE 10 months ago

  • Status changed from In progress to Resolved
  • % Done changed from 0 to 100

#5 Updated by Daniel Dehennin 9 months ago

  • Status changed from Resolved to Closed
  • Remaining (hours) set to 0.0
