Client Certificate authentication issue and fix(?)


Gregory Neagle

Feb 4, 2025, 2:12:01 PM
to munki-dev, munki-discuss
If you use Client Certificate authentication with Munki (https://github.com/munki/munki/wiki/Using-Munki-With-SSL-Client-Certificates), please see


and


Since I cannot (easily) personally test any of this, I’m relying on people actually using Client Certificate authentication to test this proposed change and give us feedback.

-Greg

Rob Renstrom

Feb 4, 2025, 7:15:33 PM
to munki-dev
I tested this proposed change with my client cert configuration, and it continues to work fine.

-rob

Gregory Neagle

Feb 4, 2025, 7:22:12 PM
to munki-dev
Very helpful, thank you!


Gregory Neagle

Feb 6, 2025, 12:42:58 PM
to munki-...@googlegroups.com, munki-dev
I’ve merged this change into the Munki6dev branch. If you use Client Certificate authentication, please test this change.

The easiest way to test might be to just grab a copy of this file https://github.com/munki/munki/blob/Munki6dev/code/client/munkilib/gurl.py and copy it to /usr/local/munki/munkilib/gurl.py on one or more test clients.

You could also build an entire new Munki tools package using `./code/tools/make_munki_mpkg_from_git.sh -b Munki6dev` from a git clone of the Munki repo. This is more complex, and will leave you with either an unsigned install of Munki, or (if you sign it yourself) a version not signed by the MacAdmins Open Source team.

-Greg

Gregory Neagle

Feb 6, 2025, 12:55:32 PM
to munki-...@googlegroups.com, munki-dev
I’ll make testing even easier: I’ve attached a copy of the updated gurl.py file.

gurl.py

Brandon Friess

Feb 6, 2025, 2:08:06 PM
to munki-dev
I tested this with our mTLS configuration and confirmed it is working. 

-Brandon

Paul Hildahl

Feb 7, 2025, 9:19:02 AM
to munki-dev
I've done some testing and it seems to be working for us -

Authentication challenge for Host: (redacted) Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
Allowing OS to handle authentication request
URLSession_task_didReceiveChallenge_completionHandler_
Authentication challenge for Host: (redacted) Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
Client certificate required
Accepted certificate-issuing authority: Common Name: (redacted)
Found matching identity
Will attempt to authenticate
Status: 304
