There was a bug in the DER encoding that certmonger used when generating the CSR. python-cryptography allowed it for a while, then complained loudly about it and now no longer accepts it. Upgrading certmonger is the proper fix.
rob

Djerk Geurts wrote:
> Ubuntu 20.04: Certmonger v0.79.9 << fails
> Ubuntu 22.04: Certmonger v0.79.14 << works
>
>> On 3 Apr 2024, at 00:27, Rob Crittenden <[email protected]> wrote:
>>
>> I can reproduce the issue with your CSR but I don't know yet what
>> python-cryptography doesn't like about it.
>>
>> Older versions of python-cryptography yield different errors but the
>> issue is still elusive. I'm looking at the ASN1 encoding.
>>
>> What version of certmonger is installed on the machine that made the
>> request?
>>
>> rob
>>
>> Djerk Geurts via FreeIPA-users wrote:
>>> Hi Rob,
>>>
>>> I can't see any difference between this CSR and others that worked
>>> before. Could it be an issue with an updated version of ipa-client or
>>> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and
>>> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu
>>> 22.04 has v3.0.2.
>>>
>>> The certificate was requested with:
>>>
>>> sudo ipa-getcert request -N ${service} -K HTTP/${service} \
>>>     -k /etc/ssl/private/${service}.key -f /etc/ssl/certs/${service}.crt \
>>>     -D ${service} -A $(host -t A ${service} | awk 'NF>1{print $NF}')
>>>
>>> Which has worked fine for us for over two years.
>>>
>>> Thanks,
>>> Djerk Geurts
>>>
>>>> On 2 Apr 2024, at 22:29, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Djerk Geurts via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
>>>>> first time I'm getting round to requesting a new certificate, and it's
>>>>> failing from a server we use to manage several certificates for non-IPA
>>>>> client hosts.
>>>>>
>>>>> Output of ipa-getcert list:
>>>>>
>>>>> Request ID '20240402190326':
>>>>>         status: CA_UNREACHABLE
>>>>>         ca-error: Server at https://ipa.domain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
>>>>>         stuck: no
>>>>>         key pair storage: type=FILE,location='/etc/ssl/private/host.domain.com.key'
>>>>>         certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
>>>>>         CA: IPA
>>>>>         issuer:
>>>>>         subject:
>>>>>         expires: unknown
>>>>>         pre-save command:
>>>>>         post-save command:
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>>
>>>>> The httpd log on the IPA server:
>>>>>
>>>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only single-valued attributes are supported
>>>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] Traceback (most recent call last):
>>>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
>>>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     result = command(*args, **options)
>>>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]              ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
>>>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.__do_call(*args, **options)
>>>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
>>>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ret = self.run(*args, **options)
>>>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]           ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>>>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.execute(*args, **options)
>>>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, in execute
>>>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ext_san = csr.extensions.get_extension_for_oid(
>>>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]               ^^^^^^^^^^^^^^
>>>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are supported
>>>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] host/[email protected]: cert_request('MIID**********d1A==', principal='HTTP/[email protected]', add=True, version='2.51'): InternalError
>>>>>
>>>>> The requesting machine is allowed to manage both the host and the
>>>>> service. Requesting the certificate on the IPA server itself works fine.
>>>>> I've read elsewhere that this could be an incompatibility between the
>>>>> client and the server.
>>>>>
>>>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>>>>> Server: Fedora 39, ipa-server: v4.11.1
>>>>
>>>> Can we see the whole CSR? You should be able to find it in the
>>>> certmonger request file in /var/lib/certmonger/requests/<some value>
>>>> Sometimes the value matches the Request ID but not always.
>>>>
>>>> It is the parsing of the CSR where it blew up, getting multiple values
>>>> where only one was expected.
>>>>
>>>> rob
>>>
>>
>

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
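A triage check for the failure discussed in this thread, added here as an example; it is not certmonger, FreeIPA or python-cryptography code. The server-side error "Only single-valued attributes are supported" is python-cryptography refusing a CSR attribute whose SET OF values carries more than one element (Rob's "multiple values where only one was expected"). The pure-Python walker below reads the attributes field out of a DER-encoded PKCS#10 request, such as the CSR kept in the certmonger request file under /var/lib/certmonger/requests/, and reports the value count per attribute OID, so you can tell whether a given CSR trips that check before sending it to the CA. The two sample CSRs are constructed synthetically with placeholder subject, key and signature; the "bad" one only illustrates the multi-valued shape and is not a claim about what certmonger's DER bug actually emitted.

```python
# Added triage helper; not code from certmonger, FreeIPA or python-cryptography.
# Walks a DER PKCS#10 CSR and counts the values in each attribute's SET OF.
# More than one value is the shape a strict parser rejects as "Only
# single-valued attributes are supported".
from typing import Iterator, List, Tuple

TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06
TAG_ATTRS = 0xA0  # [0] IMPLICIT: the attributes field of CertificationRequestInfo

EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"  # pkcs-9-at-extensionRequest


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]: (tag, contents, position after it).
    Single-byte tags only, which is all the PKCS#10 skeleton needs."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, contents) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, contents, pos = read_tlv(buf, pos)
        yield tag, contents


def decode_oid(contents: bytes) -> str:
    """Dotted-decimal form of a DER OBJECT IDENTIFIER's contents octets."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def csr_attribute_value_counts(csr_der: bytes) -> List[Tuple[str, int]]:
    """Return [(attribute OID, number of values in its SET OF), ...]."""
    tag, cert_req, _ = read_tlv(csr_der, 0)  # CertificationRequest
    if tag != TAG_SEQUENCE:
        raise ValueError("not a CertificationRequest SEQUENCE")
    tag, cri, _ = read_tlv(cert_req, 0)  # CertificationRequestInfo
    if tag != TAG_SEQUENCE:
        raise ValueError("not a CertificationRequestInfo SEQUENCE")
    attrs = next((c for t, c in iter_tlvs(cri) if t == TAG_ATTRS), b"")
    counts = []
    for tag, attr in iter_tlvs(attrs):  # Attribute ::= SEQUENCE { type, values }
        if tag != TAG_SEQUENCE:
            raise ValueError("attribute is not a SEQUENCE")
        oid_tag, oid, pos = read_tlv(attr, 0)
        set_tag, values, _ = read_tlv(attr, pos)
        if oid_tag != TAG_OID or set_tag != TAG_SET:
            raise ValueError("malformed Attribute")
        counts.append((decode_oid(oid), sum(1 for _ in iter_tlvs(values))))
    return counts


def multi_valued_attributes(csr_der: bytes) -> List[Tuple[str, int]]:
    """Attributes a strict parser will refuse: more than one value in the SET."""
    return [(oid, n) for oid, n in csr_attribute_value_counts(csr_der) if n > 1]


# --- constructed sample input: synthetic, unsigned, placeholder key ----------

def der(tag: int, contents: bytes) -> bytes:
    """Minimal DER encoder for the samples (definite lengths only)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(TAG_OID, bytes(body))


def synthetic_csr(extension_request_values: List[bytes]) -> bytes:
    """Structurally valid CSR whose extensionRequest attribute carries the given
    SET OF values. Subject, key and signature are placeholders (not verifiable)."""
    version = der(0x02, b"\x00")
    subject = der(TAG_SEQUENCE, b"")  # empty Name
    spki = der(TAG_SEQUENCE, der(TAG_SEQUENCE, encode_oid("1.2.840.113549.1.1.1"))
               + der(0x03, b"\x00\x00"))
    attribute = der(TAG_SEQUENCE, encode_oid(EXTENSION_REQUEST_OID)
                    + der(TAG_SET, b"".join(extension_request_values)))
    cri = der(TAG_SEQUENCE, version + subject + spki + der(TAG_ATTRS, attribute))
    sig_alg = der(TAG_SEQUENCE, encode_oid("1.2.840.113549.1.1.11"))
    signature = der(0x03, b"\x00" * 9)
    return der(TAG_SEQUENCE, cri + sig_alg + signature)


# Two placeholder Extension SEQUENCEs (SAN and keyUsage OIDs, opaque contents).
SAN_EXT = der(TAG_SEQUENCE, encode_oid("2.5.29.17") + der(0x04, b"\x30\x00"))
KU_EXT = der(TAG_SEQUENCE, encode_oid("2.5.29.15") + der(0x04, b"\x03\x02\x05\xa0"))

# Correct shape: one value, an Extensions SEQUENCE holding both extensions.
GOOD_CSR = synthetic_csr([der(TAG_SEQUENCE, SAN_EXT + KU_EXT)])
# Illustrative bad shape: two values in the SET OF (hypothetical, not certmonger's).
BAD_CSR = synthetic_csr([der(TAG_SEQUENCE, SAN_EXT), der(TAG_SEQUENCE, KU_EXT)])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_CSR), ("bad", BAD_CSR)):
        print(name, csr_attribute_value_counts(blob), "flagged:", multi_valued_attributes(blob))
```

To run it against a real request, base64-decode the CSR body from the certmonger request file and pass the bytes to multi_valued_attributes; an empty result means the CSR is not tripping this particular check and the problem lies elsewhere. A non-empty result points back to the generator, which in this thread meant upgrading certmonger rather than patching around the parser.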
