When dogtag-ipa-renew-agent-submit is called to receive a certificate, it returns this certificate as such:
-----BEGIN CERTIFICATE-----
<BASE64-cert>
<newline>
-----END CERTIFICATE-----
While the extra newline does not make the certificate representation invalid, it's highly discouraged by the RFC for the PEM producers to include it in there.
Also, OpenSSL fails to read a PEM certificate which is formatted as such.
This is blocking FreeIPA Python 3 adoption, please add appropriate priority.
I was under the impression you volunteered to look at it which is why I haven't touched it.
I did not yet have time to do it, sorry. I would just like to raise the priority of the issue should I not be able to work on it.
Can you provide more details on reproducing this or what workaround(s) you've put into IPA?
The workaround is to be found in the freeipa/install/certmonger/dogtag-ipa-ca-renew-agent-submit file in the fix_pem() function to be found at https://github.com/freeipa/freeipa/blob/79955189217fec328f2d561a4a1a23ddb29eac44/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L71
To reproduce the issue, simply add a line to the above mentioned script which would extract the retrieved certificate from dogtag-ipa-renew-agent-submit somewhere where you can reach it. A good example to add the line to would be the request_cert() function in the dogtag-ipa-ca-renew-agent-submit script. After that, resubmit the request for the IPA RA certificate using getcert request -i <REQ_NUM> and see what you got.
You can also try to perform openssl x509 -in <yourfile> -text to see the failure or try to use python-cryptography x509.load_pem_x509_certificate() function which should use the same methods the openssl tool uses.
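The shape of the defect described above (a blank line inside the PEM body, just before the END marker) can be checked for and normalised without parsing the certificate itself. The following is an added example, not the fix_pem() function from the FreeIPA script: it reports body problems, rebuilds a clean PEM with the base64 re-wrapped at 64 characters as RFC 7468 requires, and uses a constructed payload (not a real certificate) as sample input.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_body_issues(pem: str) -> list:
    """Return a list of problems found between the BEGIN and END markers."""
    lines = pem.splitlines()
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END, start + 1)
    except ValueError:
        return ["missing BEGIN/END CERTIFICATE line"]
    body = lines[start + 1:stop]
    issues = []
    if any(line.strip() == "" for line in body):
        issues.append("blank line inside PEM body")      # the bug from this ticket
    if any(len(line) > 64 for line in body):
        issues.append("body line longer than 64 characters")
    if any(not re.fullmatch(r"[A-Za-z0-9+/=]*", line) for line in body):
        issues.append("non-base64 character in body")
    return issues


def fix_pem(pem: str) -> str:
    """Re-emit the certificate as canonical PEM: no blank lines, 64-char rows.

    Hypothetical normaliser written for this example; it is not the
    fix_pem() in dogtag-ipa-ca-renew-agent-submit.
    """
    lines = pem.splitlines()
    start = lines.index(BEGIN)
    stop = lines.index(END, start + 1)
    b64 = "".join(line.strip() for line in lines[start + 1:stop])
    der = base64.b64decode(b64, validate=True)   # raises binascii.Error if corrupt
    clean = base64.b64encode(der).decode("ascii")
    rows = [clean[i:i + 64] for i in range(0, len(clean), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"


# Constructed stand-in for the DER payload; NOT a real certificate.
_FAKE_DER = b"constructed test payload, not a certificate " * 4
_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
_ROWS = [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
GOOD_PEM = "\n".join([BEGIN, *_ROWS, END]) + "\n"
# Same certificate with the extra newline dogtag emits before the END marker.
BROKEN_PEM = "\n".join([BEGIN, *_ROWS, "", END]) + "\n"

if __name__ == "__main__":
    print("broken:", pem_body_issues(BROKEN_PEM))
    print("fixed matches canonical:", fix_pem(BROKEN_PEM) == GOOD_PEM)
```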
@stlaz I'm still working on where this extra nl is getting inserted but in the meantime you can use os.environ.get('CERTMONGER_CERTIFICATE') to get a valid copy rather than using stdout.
FWIW it looks like dogtag is returning the extra newline:
Filed https://pagure.io/dogtagpki/issue/2790
@rcritten Thank you so much for discovering this, I was afraid it would be a dogtag issue.
Nalin provided a patch that fixes this in certmonger. We can remove it once dogtag corrects their own output.
master: 5d12514
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Reopening; looks like some lines in tests/019-dparse/run.sh were missed; the test cases that were added are not being run therefore the tests are failing.
Uh, I don't have ticket edit permission for certmonger in pagure, but yeah this should be reopened to fix the failing tests (or just fix the failing tests ^_^)
Cheers!
It was actually a file missing from dist (tests passed in-tree but failed during RPM build).
Patch attached: certmonger-ftweedal-0000-Add-missing-test-input-to-dist.patch
PR: https://pagure.io/certmonger/pull-request/79
Good catch, merged.
Metadata Update from @rcritten:
- Issue close_status updated to: None (was: fixed)