[Freeipa] [Bug 1902458] Re: pyasn1 error during certificate renewal
oh, this is an old bug.. mind testing on noble/24.04 when possible? :) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1902458 Title: pyasn1 error during certificate renewal Status in freeipa package in Ubuntu: Incomplete Bug description: moving from https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774 ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2 python-pyasn1: 0.4.2-3 python-pyasn1-modules: 0.2.1-0.2 Certmonger failed to renew certs on time and they expired. Rolled back the date as per various online suggestions but continually receive the same "903 (RPC failed at server. an internal error has occurred)". Apache error log shows a pyasn1 error (getcert list and apache log excerpt below). Certs are being generated and appear in the GUI under Authentication > Certificates. 2 new certificates are created each time certmonger tries. for krbtgt/myrealm@myrealm.com and ldap/ipa01.mydomain@myrealm.com. Notably, trying to view the generated certificates in the gui generates the same 903 / pyasn1 error. Apache: - [Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last): [Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute [Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options) [Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__ [Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__do_call(*args, **options) [Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call [Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options) [Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run [Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options) [Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute [Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj._parse(result, all) [Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse [Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_general_names) [Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names [Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names() [Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names [Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0] [Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__ [Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec) [Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] host/ipa01.mydomain@myrealm.com:
[Freeipa] [Bug 1902458] Re: pyasn1 error during certificate renewal
Please send your findings upstream. They say that this was tested with 0.3.7 and 0.4.4, so it's a bit surprising if it breaks here. ** Changed in: freeipa (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1902458 Title: pyasn1 error during certificate renewal Status in freeipa package in Ubuntu: Incomplete Bug description: moving from https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774 ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2 python-pyasn1: 0.4.2-3 python-pyasn1-modules: 0.2.1-0.2 Certmonger failed to renew certs on time and they expired. Rolled back the date as per various online suggestions but continually receive the same "903 (RPC failed at server. an internal error has occurred)". Apache error log shows a pyasn1 error (getcert list and apache log excerpt below). Certs are being generated and appear in the GUI under Authentication > Certificates. 2 new certificates are created each time certmonger tries. for krbtgt/myrealm@myrealm.com and ldap/ipa01.mydomain@myrealm.com. Notably, trying to view the generated certificates in the gui generates the same 903 / pyasn1 error. Apache: - [Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last): [Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute [Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options) [Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__ [Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__do_call(*args, **options) [Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call [Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options) [Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run [Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options) [Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute [Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj._parse(result, all) [Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse [Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_general_names) [Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names [Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names() [Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names [Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0] [Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__ [Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec) [Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] host/ipa01.mydomain@myrealm.com:
[Freeipa] [Bug 1902458] Re: pyasn1 error during certificate renewal
I did finally track down the problem. in the most recent version of x509.py, in the definition of '__pyasn1_gen_san_general_names' (about line 350) there is a comment: # pyasn1 <= 0.3.7 needs explicit unwrap of ANY container # see https://pagure.io/freeipa/issue/7685 Apparently > 0.3.7 needs to *not* be unwrapped (I don't know what that means) but in my version of x509.py changing line 349: der = decoder.decode(ext['extnValue'], asn1Spec=univ.OctetString())[0] > der = ext['extnValue'] fixed the problem. In case someone else comes across this. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1902458 Title: pyasn1 error during certificate renewal Status in freeipa package in Ubuntu: New Bug description: moving from https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774 ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2 python-pyasn1: 0.4.2-3 python-pyasn1-modules: 0.2.1-0.2 Certmonger failed to renew certs on time and they expired. Rolled back the date as per various online suggestions but continually receive the same "903 (RPC failed at server. an internal error has occurred)". Apache error log shows a pyasn1 error (getcert list and apache log excerpt below). Certs are being generated and appear in the GUI under Authentication > Certificates. 2 new certificates are created each time certmonger tries. for krbtgt/myrealm@myrealm.com and ldap/ipa01.mydomain@myrealm.com. Notably, trying to view the generated certificates in the gui generates the same 903 / pyasn1 error. Apache: - [Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last): [Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute [Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options) [Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__ [Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__do_call(*args, **options) [Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call [Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options) [Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run [Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options) [Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute [Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj._parse(result, all) [Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse [Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_general_names) [Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names [Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names() [Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names [Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0] [Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__ [Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec) [Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: not in asn1Spec: encoding iso-8859-1> [Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] host/ipa01.mydomain@myrealm.com: