Hi Rob,
Here’s the content of the CSR:
I can’t see any difference between this CSR and others that worked before.
Could it be an issue with an updated version of ipa-client or openssl? I tested
issuing a new certificate from a Ubuntu 22.04 host and that worked just fine.
Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu 22.04 has v3.0.2.
The certificate was requested with:

sudo ipa-getcert request -N ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} | awk 'NF>1{print $NF}')

which has worked fine for us for over two years.
Thanks,
Djerk Geurts
> On 2 Apr 2024, at 22:29, Rob Crittenden <[email protected]> wrote:
>
> Djerk Geurts via FreeIPA-users wrote:
>> Hi,
>>
>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
>> first time I’m getting round to requesting a new certificate, and it’s
>> failing from a server we use to manage several certificates for non-IPA
>> client hosts.
>>
>> Output of ipa-getcert list:
>>
>> Request ID '20240402190326':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.domain.com/ipa/xml failed
>> request, will retry: 903 (RPC failed at server. an internal error has
>> occurred).
>> stuck: no
>> key pair storage:
>> type=FILE,location='/etc/ssl/private/host.domain.com.key'
>> certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> The httpd log on the IPA server:
>>
>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only
>> single-valued attributes are supported
>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] Traceback (most recent call last):
>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] File
>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in
>> wsgi_execute
>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] result = command(*args, **options)
>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^
>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] File
>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in
>> __call__
>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] return self.__do_call(*args, **options)
>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] File
>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in
>> __do_call
>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ret = self.run(*args, **options)
>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^
>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] File
>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] return self.execute(*args, **options)
>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] File
>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716,
>> in execute
>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ext_san = csr.extensions.get_extension_for_oid(
>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^
>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are
>> supported
>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957]
>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver]
>> host/[email protected]: cert_request('MIID**********d1A==',
>> principal='HTTP/[email protected]', add=True, version='2.51'):
>> InternalError
>>
>> The requesting machine is allowed to manage both the host and the
>> service. Requesting the certificate on the IPA server itself works fine.
>> I’ve read elsewhere that this could be an incompatibility between the
>> client and the server.
>>
>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>> Server: Fedora 39, ipa-server: v4.11.1
>
> Can we see the whole CSR? You should be able to find it in the
> certmonger request file in /var/lib/certmonger/requests/<some value>
> Sometimes the value matches the Request ID but not always.
>
> It is the parsing of the CSR where it blew up, getting multiple values
> where only one was expected.
>
> rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
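Rob's diagnosis is that the server blew up while parsing the CSR's attributes, finding several values where one was expected. The following is an added example, not code from this thread, FreeIPA or certmonger, that walks a DER-encoded CSR with the standard library alone and counts the values under each PKCS#10 attribute, so a request can be checked for that condition before it is submitted; build_demo_csr, _tlv and the dummy-signed CSR skeleton they produce are constructed here purely for illustration.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed value into a list of its (tag, value) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out

def _oid(value):
    """Decode an OBJECT IDENTIFIER value to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def csr_attribute_value_counts(der):
    """Map each attribute OID in the CSR to the number of values in its SET."""
    _, csr, _ = _read_tlv(der, 0)   # CertificationRequest
    _, info, _ = _read_tlv(csr, 0)  # CertificationRequestInfo: version, subject, spki, [0] attrs
    attrs = [v for t, v in _children(info) if t == 0xA0]  # [0] IMPLICIT SET OF Attribute
    counts = {}
    for _, attr in (_children(attrs[0]) if attrs else []):
        (_, oid), (_, values) = _children(attr)[:2]  # Attribute ::= { type OID, values SET }
        counts[_oid(oid)] = len(_children(values))
    return counts

def multi_valued_attributes(der):
    """OIDs whose attribute carries more than one value, the case the server rejected."""
    return [o for o, n in csr_attribute_value_counts(der).items() if n > 1]

def _tlv(tag, payload):
    """DER-encode one TLV in the short length form (constructed payloads here are < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

def build_demo_csr(ext_values):
    """Constructed CSR skeleton (empty subject/SPKI, dummy signature) with ext_values values under extensionRequest."""
    ext_req = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
    attr = _tlv(0x30, _tlv(0x06, ext_req) + _tlv(0x31, _tlv(0x30, b"") * ext_values))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") * 2 + _tlv(0xA0, attr))
    return _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

For a real request, strip the BEGIN/END lines from the PEM found in /var/lib/certmonger/requests/<some value>, base64-decode the body and pass the bytes to multi_valued_attributes; an empty list means no attribute has more than one value.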