simian.client.client.SimianClientError: Auth error: Sn is not signed by server cert

97 views
Skip to first unread message

Hesan Yousif

unread,
Sep 8, 2015, 6:39:34 PM9/8/15
to Simian Discuss
Hi guys,

Having a silly error when debugging a munch install on a client:

simian.client.client.SimianClientError: Auth error: Sn is not signed by server cert


Any ideas?

I deleted the Simian server keys (all of them), started again, deleted my app engine instance and then created a new one with all of the correct settings.

Full debug is:

/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/gae_client.zip/google/appengine/tools/dev_appserver_login.py:33: DeprecationWarning: the md5 module is deprecated; use hashlib instead


/usr/local/munki/simian/lib/python2.6/site-packages/tlslite-0.3.8-py2.6.egg/tlslite/utils/cryptomath.py:9: DeprecationWarning: the sha module is deprecated; use the hashlib module instead


WARNING:root:Ignoring invalid facter output line: sp_local_host_name =>


WARNING:root:facter hostname empty; fetching from sys_config


DEBUG:root:SimianClient.__init__(https://windlesham-ict-osx-1062.appspot.com [default=False], 443, True)


DEBUG:root:LoadHost(https://windlesham-ict-osx-1062.appspot.com, 443)


DEBUG:root:LoadHost(): hostname = windlesham-ict-osx-1062.appspot.com, port = None, use_https = True


DEBUG:root:_LoadRootCertChain()


DEBUG:root:_Get(root_ca_cert_chain_pem_path)


DEBUG:root:_GetExternalValue(root_ca_cert_chain_pem_path)


DEBUG:root:_GetExternalConfiguration(settings)


WARNING:root:Root CA Cert Chain was EMPTY!


DEBUG:root:GetSystemRootCACertChain: Executing ['/usr/bin/security', 'find-certificate', '-a', '-p', '/System/Library/Keychains/SystemRootCertificates.keychain']


DEBUG:root:GetSystemRootCACertChain: returning 323284 bytes


DEBUG:root:LoadCaParameters


DEBUG:root:_Get(ca_id)


DEBUG:root:_GetExternalValue(ca_id)


DEBUG:root:_GetExternalConfiguration(settings)


DEBUG:root:_Get(ca_public_cert_pem)


DEBUG:root:_GetExternalPem(ca_public_cert_pem)


DEBUG:root:_GetExternalConfiguration(ca_public_cert.pem)


DEBUG:root:_Get(server_public_cert_pem)


DEBUG:root:_GetExternalPem(server_public_cert_pem)


DEBUG:root:_GetExternalConfiguration(server_public_cert.pem)


DEBUG:root:_Get(required_issuer)


DEBUG:root:_GetExternalValue(required_issuer)


DEBUG:root:Loaded ca_params


DEBUG:root:_Get(ca_public_cert_pem)


DEBUG:root:_GetExternalPem(ca_public_cert_pem)


DEBUG:root:_Get(server_public_cert_pem)


DEBUG:root:_GetExternalPem(server_public_cert_pem)


DEBUG:root:_Get(required_issuer)


DEBUG:root:_GetExternalValue(required_issuer)


DEBUG:root:Loaded default_ca_params


DEBUG:root:SimianAuthClient._GetPuppetSslDetails


DEBUG:root:GetFacter: facter cache mtime is 2015-09-08 23:35:10


DEBUG:root:GetFacter: reading recent facter cache


DEBUG:root:GetFacter: read 8 entities


DEBUG:root:Certname from facter: "foo-cert-name"


DEBUG:root:_GetPuppetSslDetails(foo-cert-name.pem)


DEBUG:root:_ValidatePuppetSslCert: required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com


DEBUG:root:_ValidatePuppetSslCert: default_required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com


DEBUG:root:_ValidatePuppetSslCert: /etc/simian/ssl/certs/foo-cert-name.pem


DEBUG:root:Skipped cert foo-cert-name.pem, IO Error [Errno 2] No such file or directory: '/etc/simian/ssl/certs/foo-cert-name.pem'


ERROR:root:Failed to harvest Puppet SSL cert facter specified.


DEBUG:root:_GetNewestPuppetSslCert found certs C02Q3KQPFVH3.pem


DEBUG:root:_ValidatePuppetSslCert: required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com


DEBUG:root:_ValidatePuppetSslCert: default_required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com


DEBUG:root:_ValidatePuppetSslCert: /etc/simian/ssl/certs/C02Q3KQPFVH3.pem


DEBUG:root:Looking at issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com


DEBUG:root:_GetPuppetSslDetails found cert C02Q3KQPFVH3.pem with timestamp 1441751172.0


DEBUG:root:_GetPuppetSslDetails priv should be /etc/simian/ssl/private_keys/C02Q3KQPFVH3.pem


DEBUG:root:_Get(ca_id)


DEBUG:root:_GetExternalValue(ca_id)


DEBUG:root:_GetExternalConfiguration(settings)


DEBUG:root:_Get(ca_public_cert_pem)


DEBUG:root:_GetExternalPem(ca_public_cert_pem)


DEBUG:root:_Get(server_public_cert_pem)


DEBUG:root:_GetExternalPem(server_public_cert_pem)


DEBUG:root:_Get(required_issuer)


DEBUG:root:_GetExternalValue(required_issuer)


DEBUG:root:Do(POST, /auth) try #1


DEBUG:root:Connecting to https://windlesham-ict-osx-1062.appspot.com:None


DEBUG:root:Loaded 323284 bytes of CA cert chain and configured ctx


DEBUG:root:SSL configuring with context


DEBUG:root:SSL connect(('windlesham-ict-osx-1062.appspot.com', 443))


DEBUG:root:IsValidCert() ok=0 cert=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA, returning 0


DEBUG:root:SSL connected ('windlesham-ict-osx-1062.appspot.com', 443)


DEBUG:root:Requesting POST /auth


DEBUG:root:Waiting for response


DEBUG:root:Response status 200


Traceback (most recent call last):


  File "/usr/local/munki/simian_client.py", line 87, in <module>


    sys.exit(main(sys.argv[1:]))


  File "/usr/local/munki/simian_client.py", line 73, in main


    preflight.RunPreflight(runtype, server_url=server_url)


  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/mac/client/preflight.py", line 431, in RunPreflight


    secure_config, client_id, user_settings, client_exit)


  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/mac/client/preflight.py", line 140, in LoginToServer


    token = client.GetAuthToken()


  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/client.py", line 1828, in GetAuthToken


    self.DoSimianAuth()


  File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/client.py", line 1369, in DoSimianAuth


    ' '.join(self._auth1.ErrorOutput())))


simian.client.client.SimianClientError: Auth error: Sn is not signed by server cert


Thanks so much in advance,
Hesan

Justin McWilliams

unread,
Sep 9, 2015, 5:09:52 PM9/9/15
to Simian Discuss
This error means the server_private_key uploaded to App Engine and the server_public_cert on the client are not pairs.  One of them is wrong, but it's hard to say which.  If you're changing certs on the App Engine instance, ensure you're both removing from Datastore and Memcache before testing (i.e. delete the entity in Datastore, clear Memcache, and reupload new certs/keys)

--
You received this message because you are subscribed to the Google Groups "Simian Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simian-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hesan D Yousif

unread,
Sep 9, 2015, 5:11:56 PM9/9/15
to Simian Discuss

All sorted Justin. My required issuer was at fault!

Hesan

missinformed

unread,
Apr 18, 2017, 9:46:24 PM4/18/17
to Simian Discuss
Hesan & Justin -- I came upon this thread because I got the exact same error described above. Can you tell me what specifically was wrong with the required issuer? Is there a particular format that it's looking for?

I'm pretty sure that the server_private_key on App Engine and the server_public_cert on the client are pairs.

Any clues you can give me on what to try next?

Thanks,
Lillian

Allister Banks

unread,
Apr 18, 2017, 11:08:48 PM4/18/17
to simian-...@googlegroups.com
Hey Lillian,
I found this https://kb.wisc.edu/middleware/page.php?id=4064 which has a section on checking key vs. cert. I extracted the values to confirm the openssl md5 command section is applicable on our stuff in  the Datastore Settings entities (although it's been up and running for a while).
Allister 

To unsubscribe from this group and stop receiving emails from it, send an email to simian-discuss+unsubscribe@googlegroups.com.

missinformed

unread,
Apr 19, 2017, 12:17:19 PM4/19/17
to Simian Discuss
Thanks! I did the comparison and the cert and the private key definitely match.

Hesan D Yousif

unread,
Apr 19, 2017, 2:35:02 PM4/19/17
to Simian Discuss
Hi Lillian,

Sorry for the late reply!

Can you post your simian settings.cfg file and also give me the output of running the following command:

openssl x509 -in newcerts/ca_public_cert.pem -issuer -noout
For me, I had put the incorrect issuer into the settings file!

Best wishes,
Hesan

To unsubscribe from this group and stop receiving emails from it, send an email to simian-discuss+unsubscribe@googlegroups.com.

missinformed

unread,
Apr 24, 2017, 12:39:57 PM4/24/17
to Simian Discuss
Hesan, seems like it's my turn to apologize for the delayed response! Async FTW. (And thanks for chiming back in on a thread from 2 years ago!)

openssl x509 -in /Users/missinformed/dev/certificates/vault/certs/simian-example-XXXXX.appspot.com_crt -issuer -noout
issuer= /CN=example-XXXXX-production-root-simian

And the relevant line in settings.cfg:

# The full DN of the CA that Simian certificates are signed by.
required_issuer = CN=example-XXXXX-production-root-simian

Additional context: we're experimenting with an internal PKI based on Vault. The security engineer who built it out explained to me that the CN doesn't have to be a FQDN, at least for the purposes of his side of the house :)

I'm wondering if Simian expects a FQDN or some other format that I'm missing?

Thanks, and of course take your time responding! <3

Lillian
Reply all
Reply to author
Forward
0 new messages