Ubuntu 20.04: Certmonger v0.79.9 << fails
Ubuntu 22.04: Certmonger v0.79.14 << works

> On 3 Apr 2024, at 00:27, Rob Crittenden <[email protected]> wrote:
>
> I can reproduce the issue with your CSR but I don't know yet what
> python-cryptography doesn't like about it.
>
> Older versions of python-cryptography yield different errors but the
> issue is still elusive. I'm looking at the ASN1 encoding.
>
> What version of certmonger is installed on the machine that made the
> request?
>
> rob
>
> Djerk Geurts via FreeIPA-users wrote:
>> Hi Rob,
>>
>> I can’t see any difference between this CSR and others that worked
>> before. Could it be an issue with an updated version of ipa-client or
>> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and
>> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu
>> 22.04 has v3.0.2.
>>
>> The certificate was requested with: sudo ipa-getcert request -N
>> ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f
>> /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} |
>> awk 'NF>1{print $NF}')
>>
>> Which has worked fine for us for over two years.
>>
>> Thanks,
>> Djerk Geurts
>>
>>> On 2 Apr 2024, at 22:29, Rob Crittenden <[email protected]> wrote:
>>>
>>> Djerk Geurts via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
>>>> first time I’m getting round to requesting a new certificate, and it’s
>>>> failing from a server we use to manage several certificates for non-IPA
>>>> client hosts.
>>>>
>>>> Output of ipa-getcert list:
>>>>
>>>> Request ID '20240402190326':
>>>> 	status: CA_UNREACHABLE
>>>> 	ca-error: Server at https://ipa.domain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
>>>> 	stuck: no
>>>> 	key pair storage: type=FILE,location='/etc/ssl/private/host.domain.com.key'
>>>> 	certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
>>>> 	CA: IPA
>>>> 	issuer:
>>>> 	subject:
>>>> 	expires: unknown
>>>> 	pre-save command:
>>>> 	post-save command:
>>>> 	track: yes
>>>> 	auto-renew: yes
>>>>
>>>> The httpd log on the IPA server:
>>>>
>>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only single-valued attributes are supported
>>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] Traceback (most recent call last):
>>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
>>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] result = command(*args, **options)
>>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
>>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] return self.__do_call(*args, **options)
>>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
>>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ret = self.run(*args, **options)
>>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] return self.execute(*args, **options)
>>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] File "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, in execute
>>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ext_san = csr.extensions.get_extension_for_oid(
>>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^
>>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are supported
>>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] host/[email protected]: cert_request('MIID**********d1A==', principal='HTTP/[email protected]', add=True, version='2.51'): InternalError
>>>>
>>>> The requesting machine is allowed to manage both the host and the
>>>> service. Requesting the certificate on the IPA server itself works fine.
>>>> I’ve read elsewhere that this could be an incompatibility between the
>>>> client and the server.
>>>>
>>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>>>> Server: Fedora 39, ipa-server: v4.11.1
>>>
>>> Can we see the whole CSR? You should be able to find it in the
>>> certmonger request file in /var/lib/certmonger/requests/<some value>
>>> Sometimes the value matches the Request ID but not always.
>>>
>>> It is the parsing of the CSR where it blew up, getting multiple values
>>> where only one was expected.
>>>
>>> rob
>>
>

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
