I did finally track down the problem. in the most recent version of x509.py, in the definition of '__pyasn1_gen_san_general_names' (about line 350)
there is a comment: # pyasn1 <= 0.3.7 needs explicit unwrap of ANY container # see https://pagure.io/freeipa/issue/7685 Apparently > 0.3.7 needs to *not* be unwrapped (I don't know what that means) but in my version of x509.py changing line 349: der = decoder.decode(ext['extnValue'], asn1Spec=univ.OctetString())[0] > der = ext['extnValue'] fixed the problem. In case someone else comes across this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1902458 Title: pyasn1 error during certificate renewal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1902458/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs