acme2certifier
get_chain() fails. Does a2c assume that MS ADCS CEWS is running on the same server as the CA?
I have ADCS Certificate Enrollment Web Service (CEWS) running on a separate server than my actual ADCS CA. After my Linux client successfully completes the ACME challenge and calls finalize, acme2certifier produces this sequence of errors:
ca_server.get_chain() failed with error: 'NoneType' object has no attribute 'group'
ca_server.get_cert() failed with error: An unknown error occured
cert bundling failed
acme2certifier enrollment error: cert bundling failed
I read the code and found this line: https://github.com/grindsa/acme2certifier/blob/513e01f06401bc5df32c826286845211ed89fee9/examples/ca_handler/certsrv.py#L285 . When I attempt to view the corresponding URL on my CEWS server using a browser, I get a nicely formatted ADCS error page, stating:
An unexpected error has occurred: The Certification Authority Service has not been started.
In fact, the Certification Authority service is not even installed on this server because it is not the CA.
So my question is: does acme2certifier require/assume that CEWS is running on the same server as the CA?
Thanks very much. Chris Ursich
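The first error in the post is what happens when a regex over the CEWS response page matches nothing and `.group()` is called on the resulting `None`. The following is an added example (not acme2certifier's or the certsrv library's own code) showing how to check the match first and surface the ADCS error text instead; it assumes the handler looks for an `nRenewals=<n>` marker on certcarc.asp, and both sample pages are constructed.

```python
import re

# Constructed sample (not captured from a real host): a healthy certcarc.asp
# page embeds the CA's renewal count in a script variable.
HEALTHY_PAGE = """<html><body><script>
var nRenewals=2;
</script></body></html>"""

# Constructed sample: when the web front end cannot reach the CA service,
# ADCS returns an HTML error page instead, so the marker is absent.
ERROR_PAGE = """<html><body>
<p id="locErrorMsg">An unexpected error has occurred:
The Certification Authority Service has not been started.</p>
</body></html>"""


class CewsError(Exception):
    """Raised when the enrollment web page does not carry the expected data."""


def parse_renewal_count(page_text: str) -> int:
    """Return the CA renewal count from certcarc.asp, or raise CewsError.

    Assumption: the page carries 'nRenewals=<n>'. Calling .group() on a
    failed re.search is what yields "'NoneType' object has no attribute
    'group'"; testing the match first turns that into a diagnosable error.
    """
    match = re.search(r"nRenewals=(\d+)", page_text)
    if match is None:
        raise CewsError(describe_failure(page_text))
    return int(match.group(1))


def describe_failure(page_text: str) -> str:
    """Pull the ADCS error sentence out of the page so the operator sees the real cause."""
    err = re.search(r"An unexpected error has occurred:\s*(.+?)\s*</", page_text, re.DOTALL)
    if err:
        return "CEWS reported: " + " ".join(err.group(1).split())
    return "certcarc.asp did not contain nRenewals; is the configured host really the CEWS server?"


def check_cews_page(page_text: str):
    """Convenience wrapper: (True, count) on success, (False, diagnosis) on failure."""
    try:
        return True, str(parse_renewal_count(page_text))
    except CewsError as exc:
        return False, str(exc)
```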
Hi,
we do not expect CA and CEWS server to be located on the same system. Which host did you configure in acme_srv.cfg? I am asking as you need to specify the CEWS server....
Hi.
My acme_srv.cfg is pointed to the CEWS server.
root@7a2f2faacfae:/var/www/acme2certifier/volume# env | grep MYACME_HOST
MYACME_HOST=webca03.lab03.xxxxxxxxxxx
root@7a2f2faacfae:/var/www/acme2certifier/volume# cat acme_srv.cfg | grep MYACME_HOST
host_variable: MYACME_HOST
Thank you for confirmation. Are you sure that your WebEnrollment service is configured correctly? I am not really a Microsoft expert, but what I understood is that it's possible to host CA and WebEnrollment Service on different systems, but such a setup requires additional configuration.
Sources:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc962056(v=technet.10)?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v=ws.11)
From the a2c side we do not care, as we only know the address of the server providing the WebEnrollment Service and expect the certificate from there.
Have you been able to solve the issue?
Hi, @grindsa. I apologize that I had to switch to another project and haven't made progress here. I will close this GitHub Issue for now, and come back to report any useful findings.