I can reproduce the issue with your CSR but I don't know yet what
python-cryptography doesn't like about it.

Older versions of python-cryptography yield different errors but the
issue is still elusive. I'm looking at the ASN1 encoding.

What version of certmonger is installed on the machine that made the
request?

rob

Djerk Geurts via FreeIPA-users wrote:
> Hi Rob,
> 
> 
> I can’t see any difference between this CSR and others that worked
> before. Could it be an issue with an updated version of ipa-client or
> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and
> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu
> 22.04 has v3.0.2.
> 
> The certificate was requested with: sudo ipa-getcert request -N
> ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f
> /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} |
> awk 'NF>1{print $NF}')
> 
> Which has worked fine for us for over two years.
> 
> Thanks,
> Djerk Geurts
> 
>> On 2 Apr 2024, at 22:29, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Djerk Geurts via FreeIPA-users wrote:
>>> Hi,
>>>
>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the
>>> first time I’m getting round to requesting a new certificate, and it’s
>>> failing from a server we use to manage several certificates for non-IPA
>>> client hosts.
>>>
>>> Output of ipa-getcert list:
>>>
>>> Request ID '20240402190326':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server at https://ipa.domain.com/ipa/xml failed
>>> request, will retry: 903 (RPC failed at server.  an internal error has
>>> occurred).
>>>         stuck: no
>>>         key pair storage:
>>> type=FILE,location='/etc/ssl/private/host.domain.com.key'
>>>         certificate:
>>> type=FILE,location='/etc/ssl/certs/host.domain.com.crt'
>>>         CA: IPA
>>>         issuer:
>>>         subject:
>>>         expires: unknown
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> The httpd log on the IPA server:
>>>
>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only
>>> single-valued attributes are supported
>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078] Traceback (most recent call last):
>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]   File
>>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in
>>> wsgi_execute
>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]     result = command(*args, **options)
>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]              ^^^^^^^^^^^^^^^^^^^^^^^^^
>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]   File
>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in
>>> __call__
>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]     return self.__do_call(*args, **options)
>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]   File
>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in
>>> __do_call
>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]     ret = self.run(*args, **options)
>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]           ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]   File
>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]     return self.execute(*args, **options)
>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]   File
>>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716,
>>> in execute
>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]     ext_san =
>>> csr.extensions.get_extension_for_oid(
>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078]               ^^^^^^^^^^^^^^
>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are
>>> supported
>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957]
>>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver]
>>> host/jump.domain....@domain.com: cert_request('MIID**********d1A==',
>>> principal='HTTP/host.domain....@domain.com', add=True, version='2.51'):
>>> InternalError
>>>
>>> The requesting machine is allowed to manage both the host and the
>>> service. Requesting the certificate on the IPA server itself works fine.
>>> I’ve read elsewhere that this could be an incompatibility between the
>>> client and the server.
>>>
>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6
>>> Server: Fedora 39, ipa-server: v4.11.1
>>
>> Can we see the whole CSR? You should be able to find it in the
>> certmonger request file in /var/lib/certmonger/requests/<some value>
>> Sometimes the value matches the Request ID but not always.
>>
>> It is the parsing of the CSR where it blew up, getting multiple values
>> where only one was expected.
>>
>> rob
> 
> 
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 
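The traceback above dies in `csr.extensions`, and python-cryptography's CSR parser (as I read it) raises "Only single-valued attributes are supported" when an attribute in the CertificationRequestInfo's Attributes set, the pkcs-9 extensionRequest attribute included, carries more than one value in its SET. To look at the ASN.1 the way Rob describes, here is a small, standard-library-only DER walker, written for this thread and not part of FreeIPA, certmonger or python-cryptography. It lists every attribute OID with the number of values in its SET and extracts the SAN dNSNames that IPA's `cert_request` goes looking for. The CSR it inspects is a constructed, unsigned skeleton (placeholder RSA key and signature; OIDs are the standard PKCS#9, SAN and RSA ones); to examine a real request, read the DER from the certmonger request file instead and pass those bytes to the same functions.

```python
EXT_REQ_OID = "1.2.840.113549.1.9.14"   # pkcs-9-at-extensionRequest
SAN_OID = "2.5.29.17"                   # id-ce-subjectAltName
RSA_OID = "1.2.840.113549.1.1.1"
SHA256_RSA_OID = "1.2.840.113549.1.1.11"

# --- DER encoding helpers, used only to construct the sample CSR skeleton ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):        # SEQUENCE, universal constructed tag 0x30
    return tlv(0x30, b"".join(items))

def setof(*items):      # SET OF, universal constructed tag 0x31
    return tlv(0x31, b"".join(items))

def oid(dotted):        # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def san_extensions(*dns_names):
    """Extensions SEQUENCE holding one SAN extension with the given dNSNames ([2] IA5String)."""
    general_names = seq(*(tlv(0x82, n.encode("ascii")) for n in dns_names))
    return seq(seq(oid(SAN_OID), tlv(0x04, general_names)))

def build_csr_skeleton(ext_values):
    """Constructed CSR-shaped DER (not signed, not loadable as a real CSR).
    ext_values go into the extensionRequest attribute's SET; a well-formed request has exactly one."""
    ext_request = seq(oid(EXT_REQ_OID), setof(*ext_values))
    attributes = tlv(0xA0, ext_request)                 # [0] IMPLICIT Attributes
    spki = seq(seq(oid(RSA_OID), tlv(0x05, b"")), tlv(0x03, b"\x00"))   # placeholder key
    info = seq(tlv(0x02, b"\x00"), seq(), spki, attributes)            # version, empty subject, spki, attrs
    return seq(info, seq(oid(SHA256_RSA_OID), tlv(0x05, b"")), tlv(0x03, b"\x00"))  # placeholder signature

# --- DER decoding -------------------------------------------------------------
def read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def csr_attributes(csr_der):
    """[(attribute OID, [(tag, value), ...]), ...] from the CSR's Attributes set."""
    _, cr_body, _ = read_tlv(csr_der, 0)                # CertificationRequest
    _, info_body = read_children(cr_body)[0]             # CertificationRequestInfo
    attrs = [v for t, v in read_children(info_body) if t == 0xA0]
    result = []
    for _, attr_body in (read_children(attrs[0]) if attrs else []):
        (_, oid_body), (_, set_body) = read_children(attr_body)   # Attribute ::= { type, values SET OF }
        result.append((decode_oid(oid_body), read_children(set_body)))
    return result

def multivalued_attributes(csr_der):
    """OIDs of attributes whose SET holds more than one value, i.e. what the parser rejects."""
    return [o for o, values in csr_attributes(csr_der) if len(values) > 1]

def san_dns_names(csr_der):
    """dNSName entries of the SAN extension inside the first extensionRequest value."""
    names = []
    for a_oid, values in csr_attributes(csr_der):
        if a_oid != EXT_REQ_OID or not values:
            continue
        for _, ext_body in read_children(values[0][1]):          # each Extension
            fields = read_children(ext_body)
            if decode_oid(fields[0][1]) != SAN_OID:
                continue
            _, gn_body = read_children(fields[-1][1])[0]          # extnValue OCTET STRING -> GeneralNames
            names += [v.decode("ascii") for t, v in read_children(gn_body) if t == 0x82]
    return names

if __name__ == "__main__":
    samples = [("one value", build_csr_skeleton([san_extensions("host.example.test")])),
               ("two values", build_csr_skeleton([san_extensions("a.example.test"),
                                                  san_extensions("b.example.test")]))]
    for label, csr in samples:
        print(label, [(o, len(v)) for o, v in csr_attributes(csr)],
              "multi-valued:", multivalued_attributes(csr), "SAN:", san_dns_names(csr))
```

Running it prints one attribute with a single value for the first skeleton and flags the extensionRequest OID as multi-valued for the second; on a real CSR the same report shows immediately whether the request file certmonger wrote contains an attribute SET with more than one member, which is the shape the server-side error complains about.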