Djerk Geurts via FreeIPA-users wrote:
> Hi,
>
> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
> first time I’m getting round to requesting a new certificate, and it’s
> failing from a server we use to manage several certificates for non-IPA
> client hosts.
>
> Output of ipa-getcert list:
>
> Request ID '20240402190326':
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.domain.com/ipa/xml failed
> request, will retry: 903 (RPC failed at server. an internal error has
> occurred).
> stuck: no
> key pair storage:
> type=FILE,location='/etc/ssl/private/host.domain.com.key'
> certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> The httpd log on the IPA server:
>
> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only
> single-valued attributes are supported
> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] Traceback (most recent call last):
> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] File
> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in
> wsgi_execute
> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] result = command(*args, **options)
> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^
> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] File
> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in
> __call__
> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] return self.__do_call(*args, **options)
> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] File
> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in
> __do_call
> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ret = self.run(*args, **options)
> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] File
> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] return self.execute(*args, **options)
> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] File
> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716,
> in execute
> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ext_san = csr.extensions.get_extension_for_oid(
> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^
> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are
> supported
> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957]
> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver]
> host/[email protected]: cert_request(‘MIID**********d1A==',
> principal='HTTP/[email protected]', add=True, version='2.51'):
> InternalError
>
> The requesting machine is allowed to manage both the host and the
> service. Requesting the certificate on the IPA server itself works fine.
> I’ve read elsewhere that this could be an incompatibility between the
> client and the server.
>
> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
> Server: Fedora 39, ipa-server: v4.11.1

Can we see the whole CSR? You should be able to find it in the certmonger
request file in /var/lib/certmonger/requests/<some value>. Sometimes the
value matches the Request ID but not always.

It is the parsing of the CSR where it blew up, getting multiple values
where only one was expected.

rob
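
An added illustration, not part of the original thread and not FreeIPA or certmonger code: a dependency-free Python walk over the PKCS#10 structure that counts the values carried by each CSR attribute, taking the "single-valued attributes" error message at face value. The sample request text, its `id=`/`csr=` layout and all helper names are constructed assumptions; the PEM search only needs the request text to contain the CSR block.

```python
import base64, re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:  # yield each element packed inside buf[start:end]
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    arcs, val = [], 0
    for b in body:  # base-128 digits; a clear high bit ends the arc
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def attribute_value_counts(text):
    """Map each CSR attribute OID to the number of values in its SET."""
    pem = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", text, re.S)
    der = base64.b64decode("".join(pem.group(1).split()))
    _, s, e = next(children(der, *read_tlv(der, 0)[1:]))  # certificationRequestInfo
    counts = {}
    for tag, vs, ve in children(der, s, e):
        if tag == 0xA0:  # the [0] attributes field
            for _, a_s, a_e in children(der, vs, ve):  # each Attribute SEQUENCE
                (_, o_s, o_e), (_, v_s, v_e) = list(children(der, a_s, a_e))[:2]
                counts[decode_oid(der[o_s:o_e])] = sum(1 for _ in children(der, v_s, v_e))
    return counts

# Constructed sample: CSR-shaped DER with placeholder subject, key and signature.
def tlv(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
P9 = bytes.fromhex("2a864886f70d0109")  # OID prefix 1.2.840.113549.1.9 (PKCS#9)
ATTRS = tlv(0xA0,
    tlv(0x30, tlv(0x06, P9 + b"\x0e"), tlv(0x31, tlv(0x30))),  # extensionRequest, one value
    tlv(0x30, tlv(0x06, P9 + b"\x07"), tlv(0x31, tlv(0x0C, b"a"), tlv(0x0C, b"b"))))  # two values
INFO = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), tlv(0x30), ATTRS)
B64 = base64.b64encode(tlv(0x30, INFO, tlv(0x30), tlv(0x03, b"\x00"))).decode()
SAMPLE = f"id=constructed\ncsr=-----BEGIN NEW CERTIFICATE REQUEST-----\n {B64}\n -----END NEW CERTIFICATE REQUEST-----\n"
print(attribute_value_counts(SAMPLE))
```

Any OID reported with a count above 1 is an attribute carrying several values; passing the text of the real request file to `attribute_value_counts` gives the same view of the CSR the server was asked to parse.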
