Please send your findings upstream. They say that this was tested with
0.3.7 and 0.4.4, so it's a bit surprising if it breaks here.
** Changed in: freeipa (Ubuntu)
Status: New => Incomplete
https://bugs.launchpad.net/bugs/1902458
Title:
pyasn1 error during certificate renewal
Status in freeipa package in Ubuntu:
Incomplete
Bug description:
moving from
https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774
Ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2
python-pyasn1: 0.4.2-3
python-pyasn1-modules: 0.2.1-0.2
Certmonger failed to renew certs on time and they expired. Rolled back
the date as per various online suggestions but continually receive the
same "903 (RPC failed at server. an internal error has occurred)".
Apache error log shows a pyasn1 error (getcert list and apache log
excerpt below).
Certs are being generated and appear in the GUI under Authentication >
Certificates. 2 new certificates are created each time certmonger
tries, for krbtgt/[email protected] and
ldap/[email protected]. Notably, trying to view the
generated certificates in the GUI generates the same 903 / pyasn1
error.
Apache:
-----
[Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at
0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at
0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding
iso-8859-1>
[Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] Traceback (most recent call last):
[Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py",
line 367, in wsgi_execute
[Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] result = command(*args, **options)
[Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py",
line 450, in __call__
[Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] return self.__do_call(*args, **options)
[Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py",
line 478, in __do_call
[Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] ret = self.run(*args, **options)
[Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py",
line 800, in run
[Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] return self.execute(*args, **options)
[Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File
"/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in
execute
[Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] self.obj._parse(result, all)
[Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File
"/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in
_parse
[Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] cert.san_general_names)
[Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line
318, in san_general_names
[Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names()
[Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line
350, in __pyasn1_get_san_general_names
[Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0]
[Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] File
"/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in
__call__
[Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
[Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not
in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object
at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
[Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote
10.1.5.4:58624] ipa: INFO: [xmlserver] host/[email protected]:
cert_request(u'MIIDozCCAosCAQAwNDEVMBMGA1UECgwMU0lNUExZV1MuQ09NMRswGQYDVQQDExJpcGEwMS5zaW1wbHl3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaVNd4cdKXfUZk1lwc++sU64iYNoLn7kuN2JWYrt0smsAJrAbKBDIwsnTwmlM16xg/ioibnweTU3+0tYvTftQh3gZMy46hCzdOgyUsjsFvmJS2QklyBM2SPspaIuXJojR87D+AmfsFKAC9EO4+ZjnTRoa32UvjTNCGJwFLn7TAM26iSrWagWza717tTJHwX2Js90hR1RxEdU1TFo/3Thj3r1oBeLJYxoyh7IQeMrKYahmVAAch2KnkAgkDAzb4XNKMxOqoF1tV+pPzk9m1iGRud8lf4QmjIrAxdHM7igXTSAL6ALrD/5w+gw+RNjJmeEb2JyUAd+VJv7s/q1ZKSpQdAgMBAAGgggEoMCsGCSqGSIb3DQEJFDEeHhwAMgAwADEAOAAxADAAMgAxADAAOAAzADcAMgA0MIH4BgkqhkiG9w0BCQ4xgeowgecwfwYDVR0RAQEABHUwc6AwBgorBgEEAYI3FAIDoCIMIGtyYnRndC9TSU1QTFlXUy5DT01AU0lNUExZV1MuQ09NoD8GBisGAQUCAqA1MDOgDhsMU0lNUExZV1MuQ09NoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxTSU1QTFlXUy5DT00wDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUwwx6Pted7FRZ4JUOLne9svpuVCwwNAYJKwYBBAGCNxQCAQEABCQeIgBLAEQ
AQwBzAF8AUABLAEkATgBJAFQAXwBDAGUAcgB0AHMwDQYJKoZIhvcNAQELBQADggEBAH6kQREhM1h+Plpzqcn80+UO/HtExe+JQiXewyIc4CEBSvZFb7nC7bF0aAGgzV4lJQyInbBNCRJHz7J2BUctrMimdnZsL56iz3e/HHOpcAMagmlco5rpxVnvBbSSzrYrH5NQa+8FdbjLT50LP3g3MEjegIdjDG/n9+Mh6vlEhi6dAzLeRk60pqW8m4FdWYd9mjDmEm3uaC/v1sUwjKNq8XdGuu+ZICw3nTPA3/1vDAE5CB0m5g6lN1jGth8f/eLHm9DEAVUOw5b+1xYoGCwkmG8/l2Z2MgIwIxQrcKggzZV/gzOeETzF62tSjABCDZV1rIWUNdNSAfSlgpbO1krylw0=',
profile_id=u'KDCs_PKINIT_Certs',
principal=u'krbtgt/[email protected]', add=True, version=u'2.51'):
InternalError
-----
getcert list:
-----
Number of certificates and requests being tracked: 9.
Request ID '20181021083324':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=IPA RA,O=MYREALM.COM
expires: 2022-09-02 02:33:38 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20181021083404':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=localhost
expires: 2022-09-05 12:15:19 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083405':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=localhost
expires: 2020-10-13 12:14:21 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083406':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=localhost
expires: 2020-10-13 12:15:01 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083407':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=localhost
expires: 2020-10-10 02:34:28 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083408':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=localhost
expires: 2020-10-13 12:14:29 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083613':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will
retry: 903 (RPC failed at server. an internal error has occurred).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=ipa01.mydomain.com,O=MYREALM.COM
expires: 2020-10-21 02:36:13 MDT
dns: ipa01.mydomain.com
principal name: ldap/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv MYREALM-COM
track: yes
auto-renew: yes
Request ID '20181021083714':
status: NEED_CSR_GEN_PIN
stuck: yes
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=ipa01.mydomain.com,O=MYREALM.COM
expires: 2020-10-21 02:37:17 MDT
dns: ipa01.mydomain.com
principal name: HTTP/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20181021083724':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will
retry: 903 (RPC failed at server. an internal error has occurred).
stuck: no
key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM.COM
subject: CN=ipa01.mydomain.com,O=MYREALM.COM
expires: 2020-10-21 02:37:25 MDT
principal name: krbtgt/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
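The pyasn1 error in the Apache log above says the decoder found a tag 0:32:16 (a constructed universal SEQUENCE) where the asn1Spec demanded 0:0:4 (a primitive OCTET STRING), i.e. the SAN extnValue was not OCTET STRING-wrapped as RFC 5280 requires. The following is an added example, not code from the bug report or from FreeIPA, that reads the outer DER tag of an extnValue and reports it in pyasn1's class:format:number notation; it does not use pyasn1 itself, and the sample extension bytes are constructed.

```python
# Added example (not from the bug report or FreeIPA): decode the outer DER tag of
# an X.509 extnValue and print it the way pyasn1 prints a TagSet, so errors like
# "<TagSet ... tags 0:32:16> not in asn1Spec: <OctetString ... tags 0:0:4>" can be
# read. Pure Python; pyasn1 is not used. All sample bytes below are constructed.
from typing import Tuple

def der_tag_triple(data: bytes) -> Tuple[int, int, int]:
    """Return (class, format, number) for the first identifier octet, as pyasn1
    prints them: class 0/64/128/192, format 0 (primitive) or 32 (constructed)."""
    if not data:
        raise ValueError("empty DER input")
    b = data[0]
    tag_class = b & 0xC0   # 0x00 universal, 0x40 application, 0x80 context, 0xC0 private
    tag_format = b & 0x20  # 0x20 == 32 means constructed
    number = b & 0x1F
    if number == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    return (tag_class, tag_format, number)

def tag_name(triple: Tuple[int, int, int]) -> str:
    names = {(0, 0, 4): "OCTET STRING", (0, 32, 16): "SEQUENCE"}
    return names.get(triple, "other")

def check_extn_value(extn_value: bytes) -> str:
    """'ok' when extnValue starts with the OCTET STRING that X.509 requires;
    otherwise a message shaped like the pyasn1 error in the Apache log."""
    got = der_tag_triple(extn_value)
    want = (0, 0, 4)
    if got == want:
        return "ok"
    return "%d:%d:%d (%s) not in asn1Spec: OctetString %d:%d:%d" % (
        got + (tag_name(got),) + want)

# Constructed SAN GeneralNames: SEQUENCE { dNSName [2] "ipa01.example.test" }.
SAN_SEQUENCE = bytes([0x30, 0x14, 0x82, 0x12]) + b"ipa01.example.test"
# Well-formed extnValue: the SEQUENCE wrapped in an OCTET STRING (tag 0x04).
WRAPPED = bytes([0x04, len(SAN_SEQUENCE)]) + SAN_SEQUENCE
# Malformed extnValue: the bare SEQUENCE, which yields pyasn1's "tags 0:32:16".
BARE = SAN_SEQUENCE

if __name__ == "__main__":
    print(check_extn_value(WRAPPED))
    print(check_extn_value(BARE))
```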