
ca_server.get_cert() failed with error: 'NoneType' object is not subscriptable #119

Closed · wioxjk opened this issue Sep 1, 2023 · 16 comments

Comments

@wioxjk

wioxjk commented Sep 1, 2023

Hi,

I am struggling to figure out what this error-message means:

ca_server.get_cert() failed with error: 'NoneType' object is not subscriptable

Everything looks fine until the connection to the CA-server.

[Fri Sep 01 09:08:39.723819 2023] [wsgi:error] [pid 94727:tid 140617699030592] Certificate._enroll_and_store(): trigger enrollment
[Fri Sep 01 09:08:39.723865 2023] [wsgi:error] [pid 94727:tid 140617699030592] CAhandler.enroll("Web Server")
[Fri Sep 01 09:08:39.723916 2023] [wsgi:error] [pid 94727:tid 140617699030592] CAhandler.request_create()
[Fri Sep 01 09:08:39.724154 2023] [wsgi:error] [pid 94727:tid 140617699030592] Trying to resolve 'srv-ca03.xxxx.se' at '127.0.0.53'
[Fri Sep 01 09:08:39.726785 2023] [wsgi:error] [pid 94727:tid 140617699030592] Trying to connect to endpoint: ncacn_np:10.2.3.4[\\pipe\\cert]
[Fri Sep 01 09:08:39.748563 2023] [wsgi:error] [pid 94727:tid 140617699030592] Connected to endpoint: ncacn_np:10.2.3.4[\\pipe\\cert]
[Fri Sep 01 09:08:39.759822 2023] [wsgi:error] [pid 94727:tid 140617699030592] CAhandler.request_create() ended
[Fri Sep 01 09:08:39.759982 2023] [wsgi:error] [pid 94727:tid 140617699030592] build_pem_file()
[Fri Sep 01 09:08:39.761321 2023] [wsgi:error] [pid 94727:tid 140617699030592] ca_server.get_cert() failed with error: 'NoneType' object is not subscriptable
[Fri Sep 01 09:08:39.761399 2023] [wsgi:error] [pid 94727:tid 140617699030592] cert bundling failed
[Fri Sep 01 09:08:39.761472 2023] [wsgi:error] [pid 94727:tid 140617699030592] Certificate.enroll() ended

I am using certbot as an acme-client, and srv-ca03.xxxx.se is an intermediate-server.

@grindsa
Owner

grindsa commented Sep 2, 2023

which CA handler are you using? Can you please post the content of acme_srv.cfg ?

@wioxjk
Author

wioxjk commented Sep 4, 2023

Hi!

I am using "mswcce_ca_handler" as a CA handler.
I did realize that the following error message (ca_server.get_cert() failed with error: 'NoneType' object is not subscriptable) meant that something was missing in the acme_srv.cfg, so I double-checked the template and corrected it. And now, at least, I am getting an error message from the Intermediate CA server:

[Mon Sep 04 08:48:38.444520 2023] [wsgi:error] [pid 28723:tid 140133240141376] ca_server.get_cert() failed with error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid.

[DEFAULT]
debug: true

[Nonce]
nonce_check_disable: False

[CAhandler]
# CA specific options
handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py
host: srv-ca03.domain.se
user: service-account
taget_domain: domain.se
password: ChangeMe1234
domain_controller: 192.168.2.2
ca_name: srv-ca03.domain.se\Intermediate-domain-srv-ca03
ca_bundle: /usr/share/ca-certificates/extra/internalCA.crt
auth_method: ntlm
template: WebServer_Test

[DBhandler]
#dbfile: /var/lib/acme/db.sqlite3

[Certificate]
revocation_reason_check_disable: False

[Challenge]
challenge_validation_disable: False
dns_server_list: ["192.168.2.2"]

[Order]
tnauthlist_support: False

I do realize that it is the CA-server itself that is responding with the 0x80070057 error-code, but I am not sure what's missing in the .csr that is being sent by certbot..

@grindsa
Owner

grindsa commented Sep 4, 2023

Could it be that your CA mandates the usage of CN (Common Name)? I am asking as I know from a former discussion that certbot does not set the Subject CN because it's considered deprecated.
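To check the point raised above before a CSR ever reaches the CA, here is an added example (not code from acme2certifier or from this thread) that builds a CSR with a DNS SAN either with or without a Subject CN and reports which CN a given CSR carries. It assumes an `openssl` binary on PATH and uses a constructed hostname; the `O=Constructed Example` subject stands in for a client that puts the name only in the SAN.

```python
import os
import shutil
import subprocess
import tempfile


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def make_csr(host: str, with_cn: bool) -> str:
    """Return a PEM CSR for host with a DNS SAN; the Subject CN is set only if with_cn.

    With with_cn=False the Subject holds a constructed O= value instead, so the
    CSR resembles one that carries its name only in the SAN extension."""
    subj = f"/CN={host}" if with_cn else "/O=Constructed Example"
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "key.pem")  # throw-away P-256 key
        result = subprocess.run(
            ["openssl", "req", "-new", "-newkey", "ec",
             "-pkeyopt", "ec_paramgen_curve:P-256", "-nodes",
             "-keyout", keyfile, "-subj", subj,
             "-addext", f"subjectAltName=DNS:{host}"],
            check=True, capture_output=True, text=True)
    return result.stdout  # the CSR itself goes to stdout when -out is omitted


def csr_subject_cn(csr_pem: str):
    """Return the Subject CN of a PEM CSR, or None when the Subject has no CN."""
    out = subprocess.run(
        ["openssl", "req", "-noout", "-subject", "-nameopt", "sep_multiline,utf8"],
        input=csr_pem, check=True, capture_output=True, text=True).stdout
    # sep_multiline prints one RDN per line, indented, e.g. "    CN=host"
    for line in out.splitlines():
        line = line.strip()
        if line.startswith("CN="):
            return line[3:]
    return None
```

A CSR for which `csr_subject_cn` returns None is the kind a CA template that mandates a Common Name will reject.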

@wioxjk
Author

wioxjk commented Sep 6, 2023

> Could it be that your CA mandates the usage of CN (Common Name)? I am asking as I know from a former discussion that certbot does not set the Subject CN because it's considered deprecated.

Thanks, that may be it.
I will try with another client. Do you have a recommendation for a client that does that?

@grindsa
Owner

grindsa commented Sep 6, 2023

Try acme.sh or lego. Both clients are setting a CN.

@wioxjk
Author

wioxjk commented Sep 22, 2023

Thanks @grindsa

Do you have an example command for lego?
I seem incapable of figuring out something that does not return an error message from the client.

@grindsa
Owner

grindsa commented Sep 25, 2023

Hi,

Our documentation includes example commands for several ACME clients (including lego). Please check there...

@wioxjk
Author

wioxjk commented Oct 4, 2023

After much testing, I've come to the conclusion that acme2certifier with the mswcce_ca_handler.py is not sending the password correctly with NTLM.

Setting a password like "Pass1@3@§34Pass1@3@§34" does crash the application. acme2certifier does not seem to send the password when it contains special characters.

This is the error we are getting:

The computer attempted to validate the credentials for an account.


Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:	serviceaccount.cert
Source Workstation:	
Error Code:	0xC0000064

Are there any limitations regarding certificates?

I have tested with a new password and validated that I actually can log in to the CA server.
Kerberos is disabled for the account.

@grindsa
Owner

grindsa commented Oct 4, 2023

Thank you very much. The information that you are using NTLM rings a bell; I may have an idea what is going wrong. Are you using a dockerized a2c version, rpm, deb or a manual install?

@wioxjk
Author

wioxjk commented Oct 9, 2023

> Thank you very much. The information that you are using NTLM rings a bell; I may have an idea what is going wrong. Are you using a dockerized a2c version, rpm, deb or a manual install?

I am using the .deb package on ubuntu 22.04 (sorry for not mentioning this in the beginning).

@grindsa
Owner

grindsa commented Oct 12, 2023

It seems that a2c is not able to handle UTF-8 encoded configuration options. I created a deb package containing a potential fix. Can you give it a try and let me know if this works for you?

@wioxjk
Author

wioxjk commented Oct 13, 2023

> It seems that a2c is not able to handle UTF-8 encoded configuration options. I created a deb package containing a potential fix. Can you give it a try and let me know if this works for you?

That seems to have fixed the problem with the password with UTF-8 encoded characters (like Pass1@3@§34Pass1@3@§34).

@wioxjk
Author

wioxjk commented Oct 16, 2023

Quick question: will acme2certifier support Kerberos in the future?
Considering that Microsoft announced that they will remove NTLM pretty "soon".

@grindsa
Owner

grindsa commented Oct 17, 2023

We are looking into this, but this is rather a mid-term item as we are missing a good way to implement Kerberos support.

@wioxjk
Author

wioxjk commented Oct 17, 2023

Closing this because the issue seems to be on the Windows CA server and not acme2certifier.
I am 100% sure that the problem does not apply to acme2certifier at all.

@wioxjk wioxjk closed this as completed Oct 17, 2023
@grindsa
Owner

grindsa commented Nov 22, 2023

> Quick question: will acme2certifier support Kerberos in the future? Considering that Microsoft announced that they will remove NTLM pretty "soon".

@wioxjk: Just to keep you updated. Starting with v0.30 we do support Kerberos authentication in the mswcce_ca_handler.py. You need to enable Kerberos support in acme_srv.cfg:

[CAhandler]
...
use_kerberos: True

Feel free to test. Feedback is always welcome...
