Kerberos on version 0.35 #190
Comments
|
Can you please describe your deplyoment mode (rpm, deb, container) and share your
You can also share the files via email to [email protected] Kerberos authentication works fine for both mscertsrv and mswcce hanlder during my regular regression, so I suspect a configuration issue combined with lack of proper error logging. |
|
We run the program on openshift, [Nonce] disable nonce check. THIS IS A SEVERE SECURTIY ISSUE! Please do only for testing/debugging purposesnonce_check_disable: False [CAhandler] CA specific options... [DBhandler] [Certificate] [Challenge] when true disable challenge validation. Challenge will be set to 'valid' without further checkingTHIS IS A SEVERE SECURTIY ISSUE! Please do only for testing/debugging purposeschallenge_validation_disable: False [Order] krb5.conf: Trying to connect to endpoint: ncacn_np:IP Resolved dynamic endpoint '' to ncacn_ip_tcp:IP Trying to connect to endpoint: ncacn_ip_tcp:IP .... Order.parse() returns: {... "Retry-After": 600, "status": processing, ...... "code": 200} IP /acme/order/.../finalize {... "Retry-After": 600, "status": processing, ...... "code": 200} About the templates, when we use the --useragent flag but we execute a command to enroll without the flag, we would like the certificate to be enrolled by the default option written in acme_srv.cfg. however the mswcce_ca_handler.py script gets the header_info and takes the last used template there. a command without the --useragent flag does not add a request to the header_info dictionary, so the template that is used eventually is the last enrolled certificate's template. we want the certificate without the --useragent flag to be enrolled using the template in acme_srv.cfg. Can you think of the right way to do that? |
|
Hi, What means "running on Openshift"? Are you running one of the prepared containers or do you build your own container? I see that you are using the mswcce_ca_handler handler. do you have target_domain: <domain name>
domain_controller: <ip address of domain controller>parameters configured in your The template issue is interesting. It should work as you expected. Can you please share a complete log from an enrollment attempt using the wrong template via email? |
|
I tried to replicate issue you reported in multiple environments without success. Nevertheless, it sounds serious, hence we should not ignore it. I extended the wcce_ca_handler.py by an option to log the enrollment parameters. When using it you would see something like this A new image is already avaialble at dockerhub
Logging of the enrollment parameters must be enablabled in Can you please try the replicate the issue by using this image and share logs? Thx |
Hi, we are experiencing some trouble while trying to use kerberos, we get the error: KDC_ERR_S_PRINCIPAL_UNKNOWN(server not found in kerberos database). we tried creating our own keytab and connecting to our CA with it - it was successful - however, we cannot find a way to make it work within the code itself, and we keep getting the same error.
Without kerberos, we manage to enroll certificates successfully.
Do you have an idea on how to make the kerberos work?
Additionally, we want to configure a defualt template, so that when the acme.sh command does not include the --useragent flag, the certificate will be enrolled by the template in the acme_srv.cfg. we see that if we remove the flag, the certificate is being enrolled by the last used template. is there a way to change it?
thanks in advance.
The text was updated successfully, but these errors were encountered: