Hi,

A month or so ago we upgraded from Fedora 37 to 39. I guess this is the first 
time I’m getting round to requesting a new certificate, and it’s failing from a 
server we use to manage several certificates for non-IPA client hosts.

Output of ipa-getcert list:

Request ID '20240402190326':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.domain.com/ipa/xml failed request, will retry: 903 (RPC failed at server.  an internal error has occurred).
        stuck: no
        key pair storage: type=FILE,location='/etc/ssl/private/host.domain.com.key'
        certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

The httpd log on the IPA server:

[Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only single-valued attributes are supported
[Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] Traceback (most recent call last):
[Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
[Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     result = command(*args, **options)
[Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]              ^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
[Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.__do_call(*args, **options)
[Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
[Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ret = self.run(*args, **options)
[Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]           ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
[Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     return self.execute(*args, **options)
[Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]   File "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, in execute
[Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]     ext_san = csr.extensions.get_extension_for_oid(
[Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078]               ^^^^^^^^^^^^^^
[Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are supported
[Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] host/jump.domain....@domain.com: cert_request(‘MIID**********d1A==', principal='HTTP/host.domain....@domain.com', add=True, version='2.51'): InternalError

The requesting machine is allowed to manage both the host and the service. 
Requesting the certificate on the IPA server itself works fine. I’ve read 
elsewhere that this could be an incompatibility between the client and the 
server.

Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
Server: Fedora 39, ipa-server: v4.11.1

Thanks,
Djerk Geurts
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org