CA Issues With getcert certmonger Issues on 22.04

Asked by Jimothy

I have a Puppet script that issues 802.1x certificates for networking; this process works fine on previous versions of Ubuntu LTS. However, when the same process runs on 20.04, it reports an issue verifying the signature on the server to do with the CA.

Usually, the root and CA certs are added with getcert add-scep-ca; I then run getcert list-cas, which shows the CAs are present.

When I run my getcert request command to get the key pair, it only manages to create the client.key. When I run getcert list, I get the following:

Number of certificates and requests being tracked: 1.
Request ID '20230214151328':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
    stuck: no
    key pair storage: type=FILE,location='/etc/ssl/private/802/client.key',pin set
    certificate: type=FILE,location='/etc/ssl/private/802/client.pem'
    signing request thumbprint (MD5): F966FE33 9776517E 9E12C712 244780FF
    signing request thumbprint (SHA1): 7D0099AE B85C6CBB E5910E2B 98A52D9A BC347A5C
    CA: lboro-ca
    issuer:
    subject:
    issued: unknown
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Any help to fix this would be great. I'm not quite sure what has changed between the LTS releases. Any pointer would be great. Thanks!

Question information

Language: English
Status: Solved
For: Ubuntu certmonger
Assignee: No assignee
Solved by: Bernard Stafford

Bernard Stafford (bernard010) said :
#1

This may or may not have anything to do with your problem; a few changes have been made.
https://pagure.io/certmonger/c/caa4026b8b32d0bc2b8241aa0ff5cdaa0be45906?branch=master
I hope this helps.

Jimothy (jambonum5) said :
#2

Hi Bernard, thanks for the comment. Not sure I fully understand it, but I can see there are a few links to the interface "org.fedorahosted.certmonger". I'm guessing this doesn't really work well on an Ubuntu system.

Best Bernard Stafford (bernard010) said :
#3

Jimothy (jambonum5) said :
#4

Jimothy (jambonum5) said :
#5

Thanks again for the help Bernard, reported the bug.

Jimothy (jambonum5) said :
#6

Thanks Bernard Stafford, that solved my question.

Vigneshwaran (vignes888) said :
#7

@Jimothy, may I know how you resolved this issue? We are also seeing a similar issue:
Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
We would like to understand the reason and the possible solution that helped you to fix it.
Thanks in advance.

Jimothy (jambonum5) said :
#8

Hi Vigneshwaran, although it resolved my question, it didn't fix the problem.

It seems the newer SSL libraries on Ubuntu and RHEL editions don't seem to work well with certmonger.

I have the same issue on Oracle System 8 too:

error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error

I tried to compile certmonger from source; it's poorly documented, which makes it pure evil to try and compile it.

Reposted here:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/2007685