On 12/24/19 10:26 AM, Petar Kozić via FreeIPA-users wrote:
I found that this is a bug in a python module. I solved it and installed my SSL when I did this: https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157

Can this be a problem in the future if I continue using Let’s encrypt?

Full debug log:

ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'dbm:/tmp/tmpBxKREw', '-V', '-n', "my.real.domain.name.is.here - Let's Encrypt", '-u', 'V', '-f', '/tmp/tmpBxKREw/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run
    self.replace_http_cert()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert
    host_name=api.env.host
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1193, in load_pkcs12
    nssdb.verify_server_cert_validity(key_nickname, host_name)
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 858, in verify_server_cert_validity
    cert.match_hostname(hostname)
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 377, in match_hostname
    values = self.san_a_label_dns_names
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 357, in san_a_label_dns_names
    gns = self.__pyasn1_get_san_general_names()
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names
    ext['extnValue'], asn1Spec=univ.OctetString())[0]
  File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__
    '%s not in asn1Spec: %r' % (tagSet, asn1Spec)

Hi,
the message looks similar to the one from issue 7685 (https://pagure.io/freeipa/issue/7685), which was solved in ipa 4.7.1. Which version of freeipa are you using? And which version of python3-pyasn1?
flo

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: PyAsn1Error: <TagSet object at 0x7f8213de2bd0 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
ipapython.admintool: ERROR: <TagSet object at 0x7f8213de2bd0 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

Thank you, when I put path looks different, but with new error :(

<TagSet object at 0x7f0e0fffed50 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f0e0fe17b50 tagSet <TagSet object at 0x7f0e1d9323d0 tags 0:0:4> encoding iso-8859-1>
The ipa-server-certinstall command failed.

On December 23, 2019 at 5:45:51 PM, Florence Blanc-Renaud ([email protected]) wrote:

On 12/23/19 4:52 PM, Petar Kozić via FreeIPA-users wrote:
> Hi folks,
>
> I have one IPA server in production for my small environment. There I set Let’s Encrypt CA root and issue .p12 cert without problem.
>
> Now, I want to install FreeIPA on VPS, but I have problem with Let’s encrypt SSL. I can’t import SSL.
>
> First, I imported CA certificates:
>
> ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
>
> ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
>
> ipa-certupdate -v
>
> That’s all ok.
>
> But then, I generate new p12
>
> with command:
>
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12 -certfile fullchain.pem
>
> Then, ask me for pass and that all is ok.
>
> When I run:
>
> ipa-server-certinstall -w ipa.p12 -v
>
> ask me for Directory pass and pass which I enter in step above, then I get error:
>
> ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@', '/tmp/tmpauWQ5Z/pwdfile.txt']
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k', '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt']
> ipapython.ipautil: DEBUG: Process finished, return code=10
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12: PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run
>     self.replace_http_cert()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert
>     host_name=api.env.host
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12
>     **kwargs)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1151, in load_pkcs12
>     raise ScriptError(str(e))
>
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Failed to load ipa.p12
> ipapython.admintool: ERROR: Failed to load ipa.p12
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
>
>
> Some ideas ?
>
Hi,
Did you try to provide the full path to ipa.p12? Check the file permissions?
flo
> —
> Petar Kozić
> System Administrator
>
> Mint Services | Jove Ilića 140 | 11000 Beograd | Srbija
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
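
Added example, not part of the thread and not FreeIPA or pyasn1 code: the triples in the PyAsn1Error above read class:format:number, so 0:32:16 is a universal constructed SEQUENCE and 0:0:4 is a universal primitive OCTET STRING, the wrapper X.509 puts around every extension value. The stdlib-only sketch below reads a constructed subjectAltName value (the host names are made up) and fails with the same tag pair when it is handed the inner SEQUENCE without the OCTET STRING wrapper.

```python
# Added example: minimal DER reader for a subjectAltName extnValue (stdlib only).
OCTET_STRING = (0, 0, 4)    # universal, primitive, tag 4
SEQUENCE = (0, 32, 16)      # universal, constructed (0x20), tag 16
DNS_NAME = (128, 0, 2)      # context class (0x80), primitive, [2] dNSName

def read_tlv(data, offset=0):
    """Return ((class, format, number), value, next_offset) for one DER TLV."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV")
    ident = data[offset]
    tag = (ident & 0xC0, ident & 0x20, ident & 0x1F)
    if tag[2] == 0x1F:
        raise ValueError("high-tag-number form not handled in this sketch")
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[offset:end], end

def fmt(tag):
    return "%d:%d:%d" % tag

def expect(data, spec):
    """Unwrap one TLV, refusing any tag other than the expected one."""
    tag, value, _ = read_tlv(data)
    if tag != spec:
        raise ValueError("tags %s not in asn1Spec: tags %s" % (fmt(tag), fmt(spec)))
    return value

def san_dns_names(extn_value):
    """extnValue = OCTET STRING { SEQUENCE OF GeneralName }; return the dNSName entries."""
    general_names = expect(expect(extn_value, OCTET_STRING), SEQUENCE)
    names, pos = [], 0
    while pos < len(general_names):
        tag, value, pos = read_tlv(general_names, pos)
        if tag == DNS_NAME:
            names.append(value.decode("ascii"))
    return names

def der(ident, body):
    """Encode one short-form TLV (body under 128 bytes), for building the sample."""
    return bytes([ident, len(body)]) + body

# Constructed sample input, not taken from the certificate in the thread.
INNER = der(0x30, der(0x82, b"ipa.example.test") + der(0x82, b"ipa-ca.example.test"))
WRAPPED = der(0x04, INNER)
```

san_dns_names(WRAPPED) returns both names; san_dns_names(INNER) raises "tags 0:32:16 not in asn1Spec: tags 0:0:4", the same pair of tags as in the log.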
