A regression was introduced in CSR generation for external CA installation, when custom CSR extension is specified (e.g. by IPA, adding MS AD-CS template extension).
Log output:
2017-09-29 11:29:33 pkispawn : INFO ....... generating ca_signing CSR in /root/ipa.csr 2017-09-29 11:29:33 pkispawn : DEBUG ....... Error Type: TypeError 2017-09-29 11:29:33 pkispawn : DEBUG ....... Error Message: list indices must be integers, not dict 2017-09-29 11:29:33 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 533, in main scriptlet.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 928, in spawn self.generate_system_cert_requests(deployer, nssdb, subsystem) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 338, in generate_system_cert_requests self.generate_ca_signing_csr(deployer, nssdb, subsystem) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 162, in generate_ca_signing_csr basic_constraints_ext, key_usage_ext, generic_exts File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr generic_exts=generic_exts) File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 299, in create_request if extended_key_usage_ext[usage]:
The cause seems to be the addition of the extended_key_usage_ext parameter to generate_csr without a corresponding update to the call site in generate_ca_signing_csr. This call uses positional parameters and the custom extension list is passed at the position of the new extended_key_usage_ext parameter.
extended_key_usage_ext
generate_csr
generate_ca_signing_csr
The extended_key_usage_ext parameter was added in commit df1e9230a4ce5e58135a2973e76a3f95113b22a3, but note that it was not used until commit f183ccafa88d2c18aabf0bda0ae6208f9ac98868 which is where the code that actually breaks installation was added.
Gerrit review: https://review.gerrithub.io/#/c/380746/
Metadata Update from @ftweedal: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
Metadata Update from @ftweedal: - Issue assigned to ftweedal
Metadata Update from @edewata: - Issue priority set to: blocker - Issue set to the milestone: 10.5
Fixed in master (7531bd67c2e629935d6d0de8cfab052868e7edc4)
Metadata Update from @ftweedal: - Issue priority set to: None (was: blocker) - Issue set to the milestone: None (was: 10.5)
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @vakwetu: - Issue priority set to: critical - Issue set to the milestone: 10.5
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.0 (was: 10.5)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2945
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.