Cert Changes in Munki 5.5 Breaks Munki Runs #1095

Open
gmarnin opened this issue Jun 10, 2021 · 4 comments
Comments

@gmarnin
Contributor

gmarnin commented Jun 10, 2021

Server is Microsoft-IIS/8.5

On 10.15.7 with Munki 5.5 I get:

sudo managedsoftwareupdate -vvv
Password:
Managed Software Update Tool
Copyright 2010-2021 The Munki Project
https://github.com/munki/munki

Starting...
    No CA cert info provided, so nothing to add to System keychain.
    No client cert info provided, so no client keychain will be created.
Checking for available updates...
    No client id specified. Requesting rfo113m1.domain.edu...
    Manifest base URL is: https://domain.edu/munki/manifests/
    Getting manifest rfo113m1.domain.edu...
    Options: {'url': 'https://domain.edu/munki/manifests/rfo113m1.domain.edu', 'file': '/Library/Managed Installs/manifests/rfo113m1.domain.edu.download', 'follow_redirects': 'none', 'ignore_system_proxy': False, 'can_resume': False, 'additional_headers': {'User-Agent': 'managedsoftwareupdate/5.5.0.4360 Darwin/19.6.0', 'Authorization': 'Basic aXRzXG1hY211bmtpOk1NMjAxNCNy'}, 'download_only_if_changed': False, 'cache_data': None, 'logging_function': <function display_debug2 at 0x109680040>, 'pkginfo': None}
    URLSession_task_didReceiveChallenge_completionHandler_
    Authentication challenge for Host: domain.edu Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
    Allowing OS to handle authentication request
    URLSession_task_didReceiveChallenge_completionHandler_
    Authentication challenge for Host: domain.edu Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
    Client certificate required
    The server didn't sent the list of acceptable certificate-issuing authorities
    Could not find matching identity
    Will attempt to authenticate
    Download error -999: cancelled
    Headers: None
ERROR: Could not retrieve managed install primary manifest.

I'm not using certs with Munki.
defaults read /Library/Preferences/ManagedInstalls.plist shows:

UseClientCertificate = 0;
UseClientCertificateCNAsClientIdentifier = 0;

@np5
Contributor

np5 commented Jun 10, 2021

It seems though that the server is requesting a client certificate (AuthMethod NSURLAuthenticationMethodClientCertificate), and because it is not sending the list of certificate authorities (maybe HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, SendTrustedIssuerList == 0), the authentication is failing.

@gmarnin
Contributor Author

gmarnin commented Jun 11, 2021

We found a misconfigured setting on the server that was set to request a cert for Munki. Once we flipped that setting off Munki started working again. Munki versions prior to 5.5.0 ignored that cert request and failed over to using basic auth which is correctly configured and works.

Are the log I posted above and the Munki run exiting without completing the intended behavior when the cert request is not correctly configured?

@np5
Contributor

np5 commented Jun 11, 2021

Personally I like it when a program fails early for a good reason, without trying to recover in an unpredictable way.

But maybe we could use NSURLSessionAuthChallengePerformDefaultHandling when we cannot process the client certificate request, instead of NSURLSessionAuthChallengeCancelAuthenticationChallenge.

@gregneagle
Contributor

That sounds reasonable, as if the OS cannot handle it with the default handling, it will eventually fail/cancel the request.
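The challenge sequence discussed in this thread, modelled as an added stand-alone example (this is not Munki's own gurl.py code): a URLSession-style delegate receives the three challenges visible in gmarnin's log (server trust, client certificate, HTTP basic), and the client-certificate branch is run under two policies, the cancel-on-missing-identity behaviour of Munki 5.5 and np5's proposed fallback to NSURLSessionAuthChallengePerformDefaultHandling. The Foundation constant names are real, but their integer values, the `identities` keychain stand-in, the `policy` argument and the `server_requires_client_cert` flag are assumptions introduced for the model, and no PyObjC is used so it runs anywhere.

```python
"""Model of didReceiveChallenge dispositions for the Munki 5.5 client-cert
case. Constructed illustration, not Munki's code; no PyObjC required."""

# Stand-ins for Foundation constants. The names are the real ones; the
# integer values are assumed here so the module runs without PyObjC.
NSURLSessionAuthChallengeUseCredential = 0
NSURLSessionAuthChallengePerformDefaultHandling = 1
NSURLSessionAuthChallengeCancelAuthenticationChallenge = 2

NSURLAuthenticationMethodServerTrust = "NSURLAuthenticationMethodServerTrust"
NSURLAuthenticationMethodClientCertificate = "NSURLAuthenticationMethodClientCertificate"
NSURLAuthenticationMethodHTTPBasic = "NSURLAuthenticationMethodHTTPBasic"

# Policy when a client certificate is requested but no matching identity exists
# (assumed knob for this model).
POLICY_CANCEL = "cancel"             # what the 5.5 log shows
POLICY_DEFAULT_HANDLING = "default"  # np5's proposal


def find_matching_identity(acceptable_issuers, identities):
    """Pick a client identity whose issuer the server says it accepts.

    `identities` maps issuer name -> identity label (constructed stand-in for
    a keychain search). With no issuer list there is nothing to match
    against, which is the "Could not find matching identity" case in the log.
    """
    for issuer in acceptable_issuers or []:
        if issuer in identities:
            return identities[issuer]
    return None


def dispose_challenge(auth_method, acceptable_issuers, identities,
                      basic_credential, policy):
    """Return (disposition, credential, log_lines) for one challenge."""
    log = []
    if auth_method == NSURLAuthenticationMethodServerTrust:
        log.append("Allowing OS to handle authentication request")
        return NSURLSessionAuthChallengePerformDefaultHandling, None, log

    if auth_method == NSURLAuthenticationMethodClientCertificate:
        log.append("Client certificate required")
        if not acceptable_issuers:
            log.append("The server didn't send the list of acceptable "
                       "certificate-issuing authorities")
        identity = find_matching_identity(acceptable_issuers, identities)
        if identity is not None:
            log.append("Using identity %s" % identity)
            return NSURLSessionAuthChallengeUseCredential, identity, log
        log.append("Could not find matching identity")
        if policy == POLICY_CANCEL:
            return NSURLSessionAuthChallengeCancelAuthenticationChallenge, None, log
        log.append("Letting the OS continue without a client certificate")
        return NSURLSessionAuthChallengePerformDefaultHandling, None, log

    if auth_method == NSURLAuthenticationMethodHTTPBasic and basic_credential:
        log.append("Answering basic-auth challenge")
        return NSURLSessionAuthChallengeUseCredential, basic_credential, log

    return NSURLSessionAuthChallengePerformDefaultHandling, None, log


def simulate_run(policy, server_requires_client_cert, acceptable_issuers=None,
                 identities=None, basic_credential="Basic <constructed>"):
    """Walk the challenge sequence from the issue log and report the outcome.

    Outcomes: 'cancelled' (download error -999), 'tls_failed' (server insists
    on a client certificate and none was presented), 'authenticated'.
    """
    identities = identities or {}
    events = []
    for method in (NSURLAuthenticationMethodServerTrust,
                   NSURLAuthenticationMethodClientCertificate,
                   NSURLAuthenticationMethodHTTPBasic):
        disposition, credential, log = dispose_challenge(
            method, acceptable_issuers, identities, basic_credential, policy)
        events.extend(log)
        if disposition == NSURLSessionAuthChallengeCancelAuthenticationChallenge:
            events.append("Download error -999: cancelled")
            return "cancelled", events
        if (method == NSURLAuthenticationMethodClientCertificate
                and credential is None and server_requires_client_cert):
            events.append("TLS handshake rejected: server requires a client certificate")
            return "tls_failed", events
    return "authenticated", events


if __name__ == "__main__":
    for policy in (POLICY_CANCEL, POLICY_DEFAULT_HANDLING):
        outcome, events = simulate_run(policy, server_requires_client_cert=False)
        print("policy=%s -> %s" % (policy, outcome))
        for line in events:
            print("    " + line)
```

Running it with `server_requires_client_cert=False` reproduces the thread: the cancel policy stops at the client-certificate challenge with error -999, while default handling lets the OS proceed without a certificate and the basic-auth challenge then succeeds, which is the pre-5.5 behaviour gmarnin describes. Setting the flag to `True` shows gregneagle's caveat: when the server actually requires the certificate, default handling only moves the failure from the client to the TLS handshake.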
