
get_chain() fails. Does a2c assume that MS ADCS CEWS is running on the same server as the CA?

Open christopher-ursich opened this issue 1 year ago • 3 comments

I have ADCS Certificate Enrollment Web Service (CEWS) running on a separate server than my actual ADCS CA. After my Linux client successfully completes the ACME challenge and calls finalize, acme2certifier produces this sequence of errors:

ca_server.get_chain() failed with error: 'NoneType' object has no attribute 'group'
ca_server.get_cert() failed with error: An unknown error occured
cert bundling failed
acme2certifier enrollment error: cert bundling failed

I read the code and found this line: https://github.com/grindsa/acme2certifier/blob/513e01f06401bc5df32c826286845211ed89fee9/examples/ca_handler/certsrv.py#L285. When I attempt to view the corresponding URL on my CEWS server using a browser, I get a nicely formatted ADCS error page, stating

An unexpected error has occurred: The Certification Authority Service has not been started.

CA Service has not been started

In fact, the Certification Authority service is not even installed on this server because it is not the CA.

So my question is: does acme2certifier require/assume that CEWS is running on the same server as the CA?

Thanks very much. Chris Ursich

christopher-ursich avatar Oct 07 '22 21:10 christopher-ursich
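The two tracebacks quoted above ("'NoneType' object has no attribute 'group'" followed by "An unknown error occured") are what you get when a regular-expression match on the CEWS response returns None and the code calls .group() on it unconditionally: the HTML error page simply does not contain the chain link the handler is looking for. The snippet below is an added diagnostic example, not code from acme2certifier or from the certsrv.py handler; the link pattern (certnew.p7b?ReqID=CACert...) and the error-page text are assumptions modelled on the page quoted in this issue, and the two sample responses are constructed inline so the example runs offline. It shows the failing pattern next to a version that surfaces the ADCS error message instead of the AttributeError.

```python
import html
import re

# Constructed sample of a CEWS page that exposes the CA chain download link.
# The href format imitates the ADCS web-enrollment page (assumption).
GOOD_PAGE = """<html><body>
<a href="certnew.p7b?ReqID=CACert&amp;Renewal=0&amp;Enc=b64">Download CA certificate chain</a>
</body></html>"""

# Constructed sample mirroring the error page quoted in the issue
# (CEWS host reachable, but no running CA service behind it).
ERROR_PAGE = """<html><body>
<h2>An unexpected error has occurred: The Certification Authority Service has not been started.</h2>
</body></html>"""

# Hypothetical patterns: one for the chain link, one for the ADCS error banner.
CHAIN_LINK_RE = re.compile(r'href="(certnew\.p7b\?ReqID=CACert[^"]*)"', re.IGNORECASE)
ADCS_ERROR_RE = re.compile(r"An unexpected error has occurred:\s*([^<]+)", re.IGNORECASE)


class CewsError(Exception):
    """Raised when the CEWS response carries an ADCS error instead of the chain link."""


def naive_chain_link(page):
    """Reproduces the failure mode from the issue: .group() on a failed match."""
    return CHAIN_LINK_RE.search(page).group(1)


def chain_link(page):
    """Return the relative chain download link, or raise CewsError with the
    server-side reason when the page is an ADCS error page."""
    match = CHAIN_LINK_RE.search(page)
    if match:
        # Unescape &amp; so the link can be appended to the CEWS base URL as-is.
        return html.unescape(match.group(1))
    err = ADCS_ERROR_RE.search(page)
    if err:
        raise CewsError("CEWS reported: " + err.group(1).strip())
    raise CewsError("no CA chain link in CEWS response (first 200 chars: %r)" % page[:200])


if __name__ == "__main__":
    print(chain_link(GOOD_PAGE))
    for fn in (naive_chain_link, chain_link):
        try:
            fn(ERROR_PAGE)
        except Exception as exc:  # show both behaviours side by side
            print("%s -> %s: %s" % (fn.__name__, type(exc).__name__, exc))
```

To use it against a live CEWS host, feed the body of the HTTP response for the chain page (for example the text returned by the requests library) to chain_link() and read the raised message: "The Certification Authority Service has not been started" points at the CEWS-to-CA link rather than at the ACME client or the challenge.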

Hi,

we do not expect the CA and CEWS server to be located on the same system. Which host did you configure in acme_srv.cfg? I am asking as you need to specify the CEWS server.

grindsa avatar Oct 11 '22 05:10 grindsa

Hi.

My acme_srv.cfg is pointed to the CEWS server.

root@7a2f2faacfae:/var/www/acme2certifier/volume# env | grep MYACME_HOST
MYACME_HOST=webca03.lab03.xxxxxxxxxxx
root@7a2f2faacfae:/var/www/acme2certifier/volume# cat acme_srv.cfg | grep MYACME_HOST
host_variable: MYACME_HOST

christopher-ursich avatar Oct 11 '22 12:10 christopher-ursich

Thank you for the confirmation. Are you sure that your WebEnrollment service is configured correctly? I am not really a Microsoft expert, but what I understood is that it's possible to host the CA and WebEnrollment Service on different systems, but such a setup requires additional configuration.

Source: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc962056(v=technet.10)?redirectedfrom=MSDN https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v=ws.11)

From the a2c side we do not care, as we only know the address of the server providing the WebEnrollment Service and expect the certificate from there.

grindsa avatar Oct 11 '22 17:10 grindsa

Have you been able to solve the issue?

grindsa avatar Oct 23 '22 06:10 grindsa

Hi, @grindsa. I apologize that I had to switch to another project and haven't made progress here. I will close this GitHub Issue for now, and come back to report any useful findings.

christopher-ursich avatar Oct 24 '22 18:10 christopher-ursich