Server CA certificate not getting populated for policy pushed networks.
Issue description
Chrome Version: <From about:version: Google Chrome 70.0.3538.14>
Chrome OS Version: <From about:version: Platform 11021.11.0>
Chrome OS Platform: <Samus>
Network info: <WiFi>
Please specify Cr-* of the system to which this bug/feature applies (add
the label below).
Steps To Reproduce:
(1) Sign-in as an enterprise user which has an EAP-TLS network configured.
(2) Select the EAP-TLS network and click configure.
Expected Result:
Server CA certificate should be populated with the CA cert, configured in the Cpanel.
Actual Result:
Server CA certificate dropdown does not show the configured CA certificate.
chrome://policy
"Type": "WiFi",
"WiFi": {
    "AutoConnect": false,
    "EAP": {
        "ClientCertPattern": {
            "EnrollmentURI": [ "http://www.radius.com/certs/download.php" ],
            "Issuer": {
                "CommonName": "radius-ca",
                "Organization": "Google",
                "OrganizationalUnit": "ChromeOS"
            },
            "Subject": {
                "CommonName": "radius-client",
                "Organization": "Google",
                "OrganizationalUnit": "ChromeOS"
            }
        },
        "ClientCertType": "Pattern",
        "Identity": "CrOS",
        "Outer": "EAP-TLS",
        "Recommended": [ "AnonymousIdentity", "Identity", "Password" ],
        "SaveCredentials": true,
        "ServerCARef": "{ec4cb0aa-25a4-4e7b-9e6f-b71def059de0}",
        "UseSystemCAs": true
    },
    "HiddenSSID": false,
    "SSID": "CrOS_WPA2_LinksysE3000N_5GHz",
    "Security": "WPA-EAP"
}
How frequently does this problem reproduce? (Always, sometimes, hard to
reproduce?)
Always.
What is the impact to the user, and is there a workaround? If so, what is
it?
Please provide any additional information below. Attach a screen shot or
log if possible.
For graphics-related bugs, please copy/paste the contents of the about:gpu
page at the end of this report.
Will check on other devices and update.
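An added example, not part of the original report and not Chromium code: a policy-side sanity check that every `ServerCARef` / `ServerCARefs` GUID in an ONC document resolves to an `Authority` entry in that document's `Certificates` list, useful to rule out a dangling reference before suspecting the UI. The sample document is constructed; only the `ServerCARef` GUID, SSID and `UseSystemCAs` value are taken from the policy above, and the certificate payloads are placeholders.

```python
import json

# Constructed ONC document. The first network reuses the EAP values shown in
# the report; names, the second network and the payloads are placeholders.
SAMPLE_ONC = json.loads("""
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {"GUID": "{ec4cb0aa-25a4-4e7b-9e6f-b71def059de0}",
     "Type": "Authority",
     "X509": "PLACEHOLDER-BASE64-DER"},
    {"GUID": "{constructed-client-cert}",
     "Type": "Client",
     "PKCS12": "PLACEHOLDER-BASE64-P12"}
  ],
  "NetworkConfigurations": [
    {"GUID": "{constructed-net-1}", "Name": "CrOS_WPA2_LinksysE3000N_5GHz",
     "Type": "WiFi",
     "WiFi": {"SSID": "CrOS_WPA2_LinksysE3000N_5GHz", "Security": "WPA-EAP",
              "EAP": {"Outer": "EAP-TLS",
                      "ServerCARef": "{ec4cb0aa-25a4-4e7b-9e6f-b71def059de0}",
                      "UseSystemCAs": true}}},
    {"GUID": "{constructed-net-2}", "Name": "constructed-dangling",
     "Type": "WiFi",
     "WiFi": {"SSID": "constructed-dangling", "Security": "WPA-EAP",
              "EAP": {"Outer": "EAP-TLS",
                      "ServerCARefs": ["{constructed-missing}",
                                       "{constructed-client-cert}"]}}}
  ]
}
""")


def check_server_ca_refs(onc):
    """Return (network name, referenced GUID or None, status) per reference."""
    certs = {c["GUID"]: c for c in onc.get("Certificates", [])}
    findings = []
    for net in onc.get("NetworkConfigurations", []):
        # EAP settings sit under the key named by "Type" (e.g. "WiFi").
        eap = net.get(net.get("Type", ""), {}).get("EAP")
        if eap is None:
            continue  # not an 802.1X network
        # ONC has a list form (ServerCARefs) and a single form (ServerCARef).
        refs = list(eap.get("ServerCARefs", []))
        if "ServerCARef" in eap:
            refs.append(eap["ServerCARef"])
        name = net.get("Name", net.get("GUID"))
        if not refs:
            findings.append((name, None, "no-server-ca-ref"))
        for guid in refs:
            cert = certs.get(guid)
            if cert is None:
                status = "missing"          # GUID not shipped in this policy
            elif cert.get("Type") != "Authority":
                status = "not-authority"    # points at a non-CA certificate
            else:
                status = "ok"
            findings.append((name, guid, status))
    return findings


if __name__ == "__main__":
    for name, guid, status in check_server_ca_refs(SAMPLE_ONC):
        print(f"{status:16} {name} -> {guid}")
```

An `ok` result only shows the policy is internally consistent; whether the device UI lists the certificate is the separate question this issue tracks.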
,
Sep 10
Can you confirm that the certificate is installed on the device? I was just testing this UI for another bug. Also, could you file + link a feedback report, or copy/paste the ONC and Shill details for the network configuration from chrome://network?
,
Sep 11
Did you mean to RB-Dev this, considering 70's status?
>> It looks like a critical issue so marked it as RB-Dev
Can you provide the certificate that's having trouble / the full policy (perhaps as a private attachment?) In particular, the server certificate would be useful, but it would be better if the full policy can be included.
>> https://drive.google.com/open?id=0B-aAKM12pbimdGtZOTRIb1gyME0yWmVMRTlnRi1xZDJqQndj
>> cert --> https://drive.google.com/file/d/0B-aAKM12pbimVDRsNkh0TE01T3FNR0lPSC0zNkM0Vnh4TFZn/view?usp=sharing
Can you confirm that the certificate is installed on the device? I was just testing this UI for another bug.
>> Yes, CA certificate is installed on the device.
Also, could you file + link a feedback report, or copy/paste the ONC and Shill details for the network configuration from chrome://network?
>> https://listnr.corp.google.com/report/85652911370
>> chrome://network logs --> https://paste.googleplex.com/5266320744513536
,
Sep 11
The network appears to be configured correctly, it's not obvious why the UI is not recognizing the certificate. Question: Does saving the network configuration succeed, or does that break the configuration? i.e. is this just UI confusion, or does it actually break the ability to connect to the network? Changing this to RBS. This behavior has almost certainly been around since we introduced the new web based network configuration UI (in 66 I think?). aashutoshk@ - can you email me login info for a test user with the network configured so that I can reproduce this locally and investigate?
,
Sep 11
Question: Does saving the network configuration succeed, or does that break the configuration? i.e. is this just UI confusion, or does it actually break the ability to connect to the network?
>> It is UI confusion and does not break the ability to connect to the network.
Changing this to RBS. This behavior has almost certainly been around since we introduced the new web based network configuration UI (in 66 I think?).
>> I checked on M68 before filing the issue, and it does not see this issue. This is most likely an M70 issue. I will check M69 build and update the result.
aashutoshk@ - can you email me login info for a test user with the network configured so that I can reproduce this locally and investigate?
Sure! will do.
,
Sep 11
aashutoshk@ - Could you describe how you confirmed whether the certificate is installed correctly? Also, when you click on the Server CA dropdown, does the server CA appear in the list? I logged on with the test account, and while the network is configured with the PEM, there do not appear to be any server CAs installed. So either the CA is not actually there, or a recent certificate related change is causing NetworkCertificateHandler to fail to provide the cert to NetworkingPrivateChromeOS.
,
Sep 12
aashutoshk@ - Could you describe how you confirmed whether the certificate is installed correctly?
>> The CA cert shows up under Authorities tab in chrome://settings/certificates.
Also, when you click on the Server CA dropdown, does the server CA appear in the list?
>> No, it does not appear. Also, I would like to repeat that we can connect to the network, so most likely this is a UI issue with the drop-down
,
Sep 12
pmarko@ - Is 'Authorities' the correct location to look for a server CA? I see a lot of certificates listed there that do not appear in the CA dropdown, i.e. are not returned by NetworkCertificateHandler::server_ca_certificates(), which is populated via chromeos::CertLoader. What identifies a valid server CA? Based on those answers, I suspect some semi-recent certificate refactoring is causing CertLoader or NetworkCertificateHandler::ProcessCertificates to fail to correctly identify server CAs.
,
Sep 12
Also, aashutoshk@, have you been able to verify whether this repros in 69? If not, it would be helpful to establish which 70 release introduced this.
,
Sep 12
It's possible that the UI is confused since my recent changes to avoid permanently importing policy-pushed server and CA certificates. Probably CertLoader will have to be made explicitly aware of these certs. I think the onc_to_shill translator will still populate the shill config correctly. What's probably broken is pushing CA certs through policy, and then being able to manually select them in the network UI. I'll take a look tomorrow.
,
Sep 12
Does not happen on M69. Tested on Epaulette R69-10895.48.0.
,
Sep 12
To answer your question from Comment #8: Yes, Authorities is the place to look. However, NetworkCertificateHandler ignores CAs built into chrome, so you'll see many in the cert manager which do not appear in the drop-down. I do think this is a regression due to fixing bug 787602 . Luckily, the fix should be simple: we'll need to hook up CertLoader to the user's PolicyCertificateProvider. (BTW, Not sure what to do with device ONC pushed CA certs, but these were not selectable on the sign in screen before either so that part is not a regression). I'll see if I can come up with a CL tomorrow.
,
Sep 12
Sounds good, thanks!
,
Sep 18
I've started this https://chromium-review.googlesource.com/c/chromium/src/+/1231937 and will send it for review when it passes the dry run.
,
Sep 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3bab3afdf6aaa15977e6041948c4432cdde1ebdc
commit 3bab3afdf6aaa15977e6041948c4432cdde1ebdc
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Sep 24 14:42:17 2018
Make CertLoader aware of policy-provided authority certificates
Make CertLoader explicitly aware of authority certificates provided by device and user policy.
Rationale: Since the refactoring in https://crbug.com/787602 , policy-provided certificates are not imported into the user's NSS Database anymore.
As a bonus, this also makes device policy provided CA certificates available to CertLoader (and thus the chromeos network UI).
To do this in a clean way,
(*) The PolicyCertificateProvider interface has been moved from chrome/browser/chromeos/policy/ to chromeos/ so it is accessible from chromeos/cert_loader.{h,cc}.
(*) Implementation of the PolicyCertificateProvider has been pushed from UserNetworkConfigurationUpdater into the base class NetworkConfigurationUpdater, so DeviceNetworkConfigurationUpdater also implements the interface now.
(*) CertLoader can now accept a PolicyCertificateProvider for device and user policy.
(*) The chromeos-specific code in chrome/browser/chromeos now passes the global DeviceNetworkConfigurationUpdater and the primary profile's UserNetworkConfigurationUpdater to CertLoader.
browser_test --gtest_filter=PolicyProvidedTrustAnchorsRegularUserTest.AuthorityAvailableThroughCertLoader
Bug: 882641 , 787602
Test: chromeos_unittests --gtest_filter=*CertLoader* &&
Change-Id: Iafb213150f3c9dbfdfe1ecd1a1f9d2a0099a30f2
Reviewed-on: https://chromium-review.googlesource.com/1231937
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593534}
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/BUILD.gn
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/network/client_cert_resolver_unittest.cc
[rename] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/policy_certificate_provider.h
[add] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/test/data/network/root_ca_cert.pem
,
Sep 24
aashutoshk@, would you mind verifying that the fix works correctly when it lands in a canary/dev version? Thanks!
,
Sep 24
[Auto-generated comment by a script] We noticed that this issue is targeted for M-70; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-70 label, otherwise remove Merge-TBD label. Thanks.
,
Sep 24
Adding Merge-Request-70 so we don't forget that the fix needs to be merged once it's verified.
,
Sep 24
I will verify the fix once it lands on dev channel. Thanks!
,
Sep 25
This bug requires manual review: M70 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 25
,
Sep 25
The issue is still happening on latest Eve ToT (M71-11097.0.0). I was not able to establish the exact build the fix got merged, most likely the fix is not in this build. I will check back by the end of the week and update this issue.
,
Sep 26
This should be in 71.0.3560.0, I can check tomorrow which Chrome OS build that is part of.
,
Sep 26
According to goldeneye, the fix should be included in M71-11100.0.0 or later, which is not live yet on dev channel.
,
Sep 27
FYI: 11105.0.0 seems to be live on Canary now, but Dev channel is still on 11097.0.0.
,
Sep 28
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 29
FYI: I'll prepare a merge CL shortly but will wait with submitting it for verification on ToT.
,
Oct 1
I've prepared the merge CL https://chromium-review.googlesource.com/c/chromium/src/+/1253625 .
,
Oct 1
The fix is working as expected. Tested on Eve R71-11117.0.0.
,
Oct 1
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e4492101680e841bd69b31cd87b6949b229dc05a
commit e4492101680e841bd69b31cd87b6949b229dc05a
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Oct 01 21:58:39 2018
[Merge to M70] Make CertLoader aware of policy-provided authority certificates
Make CertLoader explicitly aware of authority certificates provided by device and user policy.
Rationale: Since the refactoring in https://crbug.com/787602 , policy-provided certificates are not imported into the user's NSS Database anymore.
As a bonus, this also makes device policy provided CA certificates available to CertLoader (and thus the chromeos network UI).
To do this in a clean way,
(*) The PolicyCertificateProvider interface has been moved from chrome/browser/chromeos/policy/ to chromeos/ so it is accessible from chromeos/cert_loader.{h,cc}.
(*) Implementation of the PolicyCertificateProvider has been pushed from UserNetworkConfigurationUpdater into the base class NetworkConfigurationUpdater, so DeviceNetworkConfigurationUpdater also implements the interface now.
(*) CertLoader can now accept a PolicyCertificateProvider for device and user policy.
(*) The chromeos-specific code in chrome/browser/chromeos now passes the global DeviceNetworkConfigurationUpdater and the primary profile's UserNetworkConfigurationUpdater to CertLoader.
browser_test --gtest_filter=PolicyProvidedTrustAnchorsRegularUserTest.AuthorityAvailableThroughCertLoader
TBR=pmarko@chromium.org
(cherry picked from commit 3bab3afdf6aaa15977e6041948c4432cdde1ebdc)
Bug: 882641 , 787602
Test: chromeos_unittests --gtest_filter=*CertLoader* &&
Change-Id: Iafb213150f3c9dbfdfe1ecd1a1f9d2a0099a30f2
Reviewed-on: https://chromium-review.googlesource.com/1231937
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593534}
Reviewed-on: https://chromium-review.googlesource.com/1253625
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#792}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/BUILD.gn
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/network/client_cert_resolver_unittest.cc
[rename] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/policy_certificate_provider.h
[add] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/test/data/network/root_ca_cert.pem
,
Oct 3
Aashutosh, please test on M70 and mark this bug as verified.
,
Oct 9
Candy 11021.34.0
,
Nov 6
Hi,
Is the fix really available in M70? I have received the following case from one of our Enterprise customers. They have tried the behavior in M70 but this does not work for them. Did we miss something?
unify# 17425739
|======Product Information======|
- Affected domain: ** Working environment **
- Chrome OS version. 69 and 70.0.3538.76
- Domain managed devices? yes
|======Issue Definition======|
- Issue description: Chrome devices will change the value of Server CA certificate during enrollment.
- Steps to reproduce
1) Wipe the device
2) Enroll the Chromebook
3) The device will disconnect during the enrollment process
4) The user connects manually to the network, the value is set to "Default" even when they have configured "Do not check" in the Admin Console
- Timeframe when issue started: Since version 69
- Does it affect all devices? The issue can be reproduced in all his devices
- Existing Workaround: Connect manually
|======Consult Files & Notes ======|
-Json file of policies
-Debug logs Nov 5, 2018 Issue reproduced at 3:50-3:52 PM Pacific time
https://drive.google.com/open?id=1uWl__YQXXuuWRiASPiHljJjTFiKT4Qra
Thank you for your help!
,
Nov 6
Re Comment #34: This would be an unrelated issue, because this bug is only about:
- a regression introduced in M-70, while the report above talks about M-69 too
- about policy-pushed certificates, not the 'Do not check' option.
I've filed https://bugs.chromium.org/p/chromium/issues/detail?id=902236 to track the investigation and will take a look shortly.
,
Nov 19
Comment 1 by rsleevi@chromium.org, Sep 10
Components: -Internals>Network>Certificate -UI>Browser>CertificateViewer
Labels: Needs-Feedback