This is blocking FreeIPA Python 3 adoption, please add appropriate priority.

I was under the impression you volunteered to look at it which is why I haven't touched it.

I did not yet have time to do it, sorry. I would just like to raise the priority of the issue should I not be able to work on it.

Can you provide more details on reproducing this or what workaround(s) you've put into IPA?

The workaround is to be found in the freeipa/install/certmonger/dogtag-ipa-ca-renew-agent-submit file in the fix_pem() function to be found at https://github.com/freeipa/freeipa/blob/79955189217fec328f2d561a4a1a23ddb29eac44/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L71

To reproduce the issue, simply add a line to the above mentioned script which would extract the retrieved certificate from dogtag-ipa-renew-agent-submit somewhere where you can reach it. A good example to add the line to would be the request_cert() function in the dogtag-ipa-ca-renew-agent-submit script. After that, resubmit the request for the IPA RA certificate using getcert request -i <REQ_NUM> and see what you got.

You can also try to perform openssl x509 -in <yourfile> -text to see the failure or try to use python-cryptography x509.load_pem_x509_certificate() function which should use the same methods the openssl tool uses.

@stlaz I'm still working on where this extra nl is getting inserted but in the meantime you can use os.environ.get('CERTMONGER_CERTIFICATE') to get a valid copy rather than using stdout.

FWIW it looks like dogtag is returning the extra newline:

<base64Cert>-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIBETANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtHUkVZ&#13;
T0FLLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE3MDgx&#13;
NTIwNDMzM1oXDTE5MDgwNTIwNDMzM1owJzEUMBIGA1UECgwLR1JFWU9BSy5DT00x&#13;
DzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB&#13;
ANfaA933CKi6eW1kgG5/daxoT4wFylxVNTFS25/+Khr3wbOEI2jVXfeiDV3VKvKb&#13;
HCfRBmtguWvOuuNNvZgqbPpPsL6QWcWv6luYvQX9YpYB+RSwpPr/hEH/p5/vCE9/&#13;
hWGUmhUBgnfN02P8rZfpPx/BC9slhVdjgj0h9Sp6j9kYyI0WwbqDhXttQYcqDkZX&#13;
oqqJEUIb+8f3aSbk3Q+pwegq/dK9Y17LvVHDCqlwi5aA+5rGr6WjVGj4z1rr3Azc&#13;
Faqj3q/Ynk9LsmvjlliP3ayjT36opueLpmT+SPy00KlPtrg4Uym4Oq+68+RFqCPX&#13;
giX6BYSkv50uWJ0ru9MVG3sCAwEAAaOBkjCBjzAfBgNVHSMEGDAWgBRbQQ+ihvBx&#13;
xFZ4Lymjc0ZTN4EFRDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6&#13;
Ly9pcGEtY2EuZ3JleW9hay5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYD&#13;
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBX&#13;
b9yZ7wye2MbtSMleTM9R9ek0oiPetVsl5KvIgDvfgAAlppoJzrniJXMABk8R2e4b&#13;
gnKcq3K90sBDtmakQ5mA2f7XGXcXFcjOBBdDhMDFVOs4Or09bZPBbKfXgM8kcpFp&#13;
pv8pugvtI3kkoZNcyP4QnrY9pKlzxIm39QDnqKf2WETFNivXvxddH0IO5+ZZEOgK&#13;
nFNBVItd3kNDfJAqDA6guxF75ZIWNvdUfT8vqADR+qvlFPX4jzI8w1yg15VBwVj8&#13;
I6BmO5IInBMwYcz3xY34WBv7oP1OPfnBT8R8R8KbyIPf0hpgCpt47mLxqtQwh8W/&#13;
l9hkZB4rs8z4I7+PnvQI&#13;

-----END CERTIFICATE-----</base64Cert>

Filed https://pagure.io/dogtagpki/issue/2790

@rcritten Thank you so much for discovering this, I was afraid it would be a dogtag issue.

Nalin provided a patch that fixes this in certmonger. We can remove it once dogtag corrects their own output.

master: 5d12514

Reopening; looks like some lines in tests/019-dparse/run.sh were
missed; the test cases that were added are not being run therefore
the tests are failing.

Uh, I don't have ticket edit permission for certmonger in pagure,
but yeah this should be reopened to fix the failing tests (or just
fix the failing tests ^_^)

Cheers!

It was actually a file missing from dist (tests passed in-tree but
failed during RPM build).

Patch attached.

PR: https://pagure.io/certmonger/pull-request/79

Good catch, merged.