Trying to connect to ADCS keep getting RSASSA-PSS not supported
New to Lemur - we were able to get connected to Let's Encrypt but keep hitting a wall with our ADCS environment. We rebuilt the internal CAs per Lemur documentation recommendations we found but feel like we're missing something simple. Any help with this would be great! Thx.

@jjason63 Hello, could you please describe the error in more detail and/or paste the logs from this error? Actually, this does not seem to be a problem with the plugin itself, but with the kind of private key you're using. Lemur does not support this kind of signature algorithm (at the moment?).
Hi @sirferl - I work with @jjason63. We upload the cert information into conf.py, specifically updating: ADCS_SERVER, ADCS_AUTH_METHOD, ADCS_USER, ADCS_PWD, ADCS_TEMPLATE, and ADCS_ROOT. We then proceed to add the Certificate Authority and populate the fields. We click create and get an error: "Was not created! RSASSA-PSS not supported"
from logs:
RSASSA-PSS not supported
Traceback (most recent call last):
  File "/www/lemur/lemur/common/schema.py", line 160, in decorated_function
    resp = f(*args, **kwargs)
  File "/www/lemur/lemur/authorities/views.py", line 230, in post
    return service.create(**data)
  File "/www/lemur/lemur/authorities/service.py", line 133, in create
    cert = upload(**kwargs)
  File "/www/lemur/lemur/certificates/service.py", line 347, in upload
    cert = Certificate(**kwargs)
  File "
We can update the /www/lemur/lemur/common/utils.py, /www/lemur/lemur/common/defaults.py, and /www/lemur/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/x509.py by commenting out sections to bypass this, but obviously that's skipping the checks in place.
Do you have any documentation for ADCS setup?
@davidhoang-cbre @jjason63 Hi guys, as I wrote a little earlier: it seems that Lemur cannot handle this kind of signing algorithm for certs in the core, so you will encounter problems with any plugin available. I propose you try with another one for the root certificate to confirm this. I have no idea why this kind of certificate is not supported, but the comment hints that it is rather cumbersome to implement handling this kind of certificate. I do not maintain the core functions of Lemur, so maybe @hosseinsh could shed a bit of light on the matter.
@sirferl we really appreciate you getting back to us on this one. We want to utilize Lemur to the fullest in our environment. It seems like a solid tool. Just hitting a few roadblocks on initial deployment. Probably just our lack of experience with it. Any guidance @hosseinsh can provide will be appreciated as well. Thx!
Using a certificate with another signing algorithm is not an option?
@jjason63 @davidhoang-cbre Any news on this?
Hi @sirferl, thanks for checking in. We had a working session on Friday to keep attempting to connect Lemur to our ADCS CA but still no luck. We hit a few new errors that @davidhoang-cbre can upload here first thing Monday. We have rebuilt our Microsoft CA 3-4x now and tried different signing algorithms but still no luck. I'm sure we're just missing something simple over here.
Thx
Thanks @sirferl - we were able to get past the errors by going with a different algorithm.
Of course, now we have different issues creating a cert. We'll create a new issue if needed, thanks!!!
@davidhoang-cbre Hello, glad to hear you got something going. @jjason63 wrote about error messages. You could post them here...
Sorry folks for not having noticed your messages earlier here, and thanks @sirferl for chiming in and your continuous support of the community.
@jjason63 @davidhoang-cbre, hope you were successful in setting up your new environment. Documentation is certainly one of the aspects we need to get better at, and we would also appreciate any contributions on that front.
With respect to adding support for RSASSA-PSS; we don't have it on our roadmap, but as usual open to any PRs from the community.
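
A pre-upload check for a CA certificate before it is handed to Lemur, as an added example that is not part of the thread or of Lemur's code: it reads the certificate's signatureAlgorithm OID using only the standard library and flags RSASSA-PSS (1.2.840.113549.1.1.10), the case the error above reports. The function names are hypothetical, and the two sample byte strings are constructed certificate-shaped DER skeletons, not real certificates.

```python
import base64

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS (RFC 4055)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _decode_oid(content):
    subids, value = [], 0
    for byte in content:  # base-128 digits; a set high bit means more follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm_oid(cert):
    """Dotted OID of Certificate.signatureAlgorithm, from PEM or DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        body = cert.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        cert = base64.b64decode(b"".join(body.split()))
    outer_tag, start, _ = _read_tlv(cert, 0)       # Certificate ::= SEQUENCE
    _, _, tbs_end = _read_tlv(cert, start)         # tbsCertificate: skipped
    _, alg_start, _ = _read_tlv(cert, tbs_end)     # signatureAlgorithm
    oid_tag, oid_start, oid_end = _read_tlv(cert, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    return _decode_oid(cert[oid_start:oid_end])

def is_rsassa_pss_signed(cert):
    return signature_algorithm_oid(cert) == RSASSA_PSS_OID

def _skeleton(oid_der, params):
    """Constructed sample: certificate-shaped DER, dummy body and signature."""
    tlv = lambda t, c: bytes([t]) + (bytes([len(c)]) if len(c) < 128 else bytes([0x81, len(c)])) + c
    alg = tlv(0x30, tlv(0x06, oid_der) + params)
    return tlv(0x30, tlv(0x30, bytes(150)) + alg + tlv(0x03, bytes(9)))

PSS_SAMPLE = _skeleton(bytes.fromhex("2a864886f70d01010a"), b"\x30\x00")
SHA256_RSA_SAMPLE = _skeleton(bytes.fromhex("2a864886f70d01010b"), b"\x05\x00")
```

Calling `is_rsassa_pss_signed()` on the bytes of a real PEM or DER certificate file tells you whether it would hit this error, without editing any Lemur or cryptography source files.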