certmonger - libcrypto issues with openssl3

Bug #1987276 reported by Diego Mateus Boff
This bug affects 3 people
Affects              Status         Importance  Assigned to  Milestone
certmonger (Ubuntu)  Fix Released   Undecided   Unassigned
  Jammy              Fix Committed  Undecided   Unassigned

Bug Description

[Impact]

Requesting SCEP certificates crashes certmonger when it's built with OpenSSL 3, and it needs a patch backported to fix this.

[Test case]

Check that the SCEP requests succeed without the daemon crashing.

[Where things could go wrong]

This patch has been upstream for several months now, and this part of certmonger hasn't seen any additional commits since, so it's safe to say that adding this shouldn't regress things.

--

I just want to let you know that this bug is still present from 22.04 onwards (anything that uses libssl3 as default) - bug is being tracked in https://pagure.io/certmonger/issue/244 - I already tested the patch provided and it works, but I would love to see an updated package on the official repository.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in certmonger (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package certmonger - 0.79.16-1

---------------
certmonger (0.79.16-1) unstable; urgency=medium

  * New upstream release. (LP: #1987276)

 -- Timo Aaltonen <email address hidden> Fri, 26 Aug 2022 09:42:54 +0300

Changed in certmonger (Ubuntu):
status: Confirmed → Fix Released
Diego Mateus Boff (diegoboff) wrote :

Hi all. I tested the new version on 22.04 - it works, but there is a set of dependencies that are only available on 22.10 (Kinetic) at the moment.

sudo dpkg -i certmonger_0.79.16-1_amd64.deb
(Reading database ... 227504 files and directories currently installed.)
Preparing to unpack certmonger_0.79.16-1_amd64.deb ...
Unpacking certmonger (0.79.16-1) over (0.79.16-1) ...
dpkg: dependency problems prevent configuration of certmonger:
 certmonger depends on libjansson4 (>= 2.14); however:
  Version of libjansson4:amd64 on system is 2.13.1-1.1build3.
 certmonger depends on nss-plugin-pem; however:
  Package nss-plugin-pem is not installed.

Current Jammy version of Libjansson4 is 2.13.1-1.1build3

Looking at certmonger ubuntu changelogs, I see

 %changelog
+* Thu Aug 25 2022 Rob Crittenden <email address hidden> - 0.79.16-1
+- update to 0.79.16
+ - Add a PEM validity checker and validate SCEP CA files
+ - Fix implicit declaration of function ‘PEM_read_bio_X509’
+ - Don't include "NEW" in certificate signing requests
+ - Verify that the AES-128 is used for encrypting the local CA
+ - Replace DER-encoded test file with a base64-encoded one
+ - Correct a bad date in the spec changelog
+ - Switch to https URLs for Sources, etc.
+ - Remove dependency on SHA-1
+ - tests: Test that the CA constraint DER encoding is correct
+ - Disable DSA in the RPM spec
+ - Manually build the srpm for the copr CI
+ - Require jansson >= 2.12
+ - Mark the current directory as a safe git directory
+ - Fix usage of PKCS#7 ASN1 attribute retrieval for SCEP keygen *** this was reported by us
+ - Translated using Weblate (Chinese (Simplified) (zh_CN))
+ - Translated using Weblate (Georgian)
+ - Translated using Weblate (Indonesian)
+ - Translated using Weblate (Chinese (Simplified) (zh_CN))
+ - Translated using Weblate (Hungarian)

So I am not sure why the changelog requires only 2.12 and on my test is asking for libjansson4 (>= 2.14) - could you clarify that for me?

Timo Aaltonen (tjaalton) wrote :

You can't just pull a package from kinetic and expect it to work as-is. The kinetic deb was built against libjansson 2.14-2. You'd need to rebuild certmonger from kinetic on jammy to allow it to install with jammy dependencies.

Timo Aaltonen (tjaalton) wrote :

sorry, make that lunar, where 0.79.16-1 is from

Diego Mateus Boff (diegoboff) wrote :

Thanks - are there any plans to ship the new package with the bugfix to the Jammy repo?

Timo Aaltonen (tjaalton) wrote :

okay, finally got around to doing that.. please add a comment if I wrote silly things in the SRU header :)

description: updated
Changed in certmonger (Ubuntu Jammy):
status: New → In Progress
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Diego, or anyone else affected,

Accepted certmonger into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/certmonger/0.79.14+git20211010-2ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in certmonger (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

Diego, please verify the fix works

Andreas Hasenack (ahasenack) wrote :

This bug is awaiting verification for a long time now, could someone affected please perform the verification from the test plan?

Diego Mateus Boff (diegoboff) wrote : Re: [Bug 1987276] Re: certmonger - libcrypto issues with openssl3

Sorry for my delay, I somehow lost track of it.

I will test this over the next few days and let you know.

D

On Thu 19 Oct 2023, 11:34 Andreas Hasenack, <email address hidden>
wrote:

> This bug is awaiting verification for a long time now, could someone
> affected please perform the verification from the test plan?

Timo Aaltonen (tjaalton) wrote :

Diego, how did it go?

Jimothy (jambonum5) wrote :

I have managed to install the proposed version on this link:
https://launchpad.net/ubuntu/jammy/amd64/certmonger/0.79.14+git20211010-2ubuntu1.1

Unfortunately, this is still suffering some issues when creating certs:

Mar 7 15:27:07 lnx-test-3 certmonger[35411]: 2024-03-07 15:27:07 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
Mar 7 15:27:15 lnx-test-3 kernel: [ 6712.749399] audit: type=1400 audit(1709825235.952:3267): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/35585/cmdline" pid=32369 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 7 15:28:01 lnx-test-3 scep-submit: Message failed verification.
Mar 7 15:28:01 lnx-test-3 scep-submit: Error: failed to verify signature on server response.#012
....
# Cert info
....
Mar 7 15:28:01 lnx-test-3 scep-submit: error:10800075:PKCS7 routines::certificate verify error
....
# More cert info
....
Mar 7 15:28:01 lnx-test-3 certmonger[35411]: 2024-03-07 15:28:01 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error
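
Added example, not part of the thread or of certmonger: a small triage script that decodes the OpenSSL 3 error strings in syslog lines like the ones above, so that someone running the SRU test case can see which library and reason code a failed SCEP request reports. The bit layout and the two constants are taken from the OpenSSL 3 headers; the function names are hypothetical, and SAMPLE reuses lines from the comment above.

```python
import re
from collections import Counter

# OpenSSL 3 packs a library number and a reason code into one 32-bit value
# (see ERR_GET_LIB / ERR_GET_REASON in <openssl/err.h>).
LIB_SHIFT, LIB_MASK, REASON_MASK = 23, 0xFF, 0x7FFFFF
ERR_LIB_PKCS7 = 33                      # <openssl/err.h>
PKCS7_R_CERTIFICATE_VERIFY_ERROR = 117  # <openssl/pkcs7err.h>

# error:<8 hex digits>:<library>:<function, empty in 3.x>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+?)\s*$")
# syslog prefix: "Mar 7 15:28:01 host tag[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+([\w.-]+)(?:\[\d+\])?:\s")

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> LIB_SHIFT) & LIB_MASK, code & REASON_MASK

def is_pkcs7_verify_failure(lib, reason):
    return lib == ERR_LIB_PKCS7 and reason == PKCS7_R_CERTIFICATE_VERIFY_ERROR

def triage(lines):
    """Count OpenSSL errors per (syslog tag, library, reason, reason text)."""
    seen = Counter()
    for line in lines:
        tag, err = SYSLOG_RE.match(line), ERR_RE.search(line)
        if tag and err:  # lines without an error code are skipped
            lib, reason = decode_openssl_error(err.group(1))
            seen[(tag.group(1), lib, reason, err.group(4))] += 1
    return seen

# Lines copied from the log excerpt in the comment above.
SAMPLE = [
    "Mar 7 15:27:07 lnx-test-3 certmonger[35411]: 2024-03-07 15:27:07 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error",
    "Mar 7 15:28:01 lnx-test-3 scep-submit: Message failed verification.",
    "Mar 7 15:28:01 lnx-test-3 scep-submit: error:10800075:PKCS7 routines::certificate verify error",
    "Mar 7 15:28:01 lnx-test-3 certmonger[35411]: 2024-03-07 15:28:01 [35411] Error: failed to verify signature on server response. error:10800075:PKCS7 routines::certificate verify error",
]

if __name__ == "__main__":
    for (tag, lib, reason, text), count in sorted(triage(SAMPLE).items()):
        kind = "PKCS7 verify failure" if is_pkcs7_verify_failure(lib, reason) else "other"
        print(f"{tag}: lib={lib} reason={reason} ({text}) x{count} -> {kind}")
```
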
