Installation with external CSR fails, because generate_csr / create_request methods pass str instead of bytes to subprocess. See https://fedorapeople.org/groups/freeipa/prci/jobs/11243180-4c42-11e8-87d9-fa163e63acdb/test_external_ca.py-TestExternalCA--test_external_ca/master.ipa.test/var/log/
2018-04-30 06:49:09 pki.nssdb : DEBUG Command: certutil -R -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpehzy51ho/password.txt -s CN=Certificate Authority,O=IPA.TEST -o /tmp/tmpehzy51ho/request.bin -z /tmp/tmpehzy51ho/noise.bin -k rsa -g 2048 -Z SHA256 --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical -2
2018-04-30 06:49:09 pkispawn : DEBUG ....... Error Type: TypeError
2018-04-30 06:49:09 pkispawn : DEBUG ....... Error Message: memoryview: a bytes-like object is required, not 'str'
2018-04-30 06:49:09 pkispawn : DEBUG ....... File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 952, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 353, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 177, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 124, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 558, in create_request
    p.communicate(keystroke)
  File "/usr/lib64/python3.6/subprocess.py", line 843, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib64/python3.6/subprocess.py", line 1499, in _communicate
    input_view = memoryview(self._input)
RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Metadata Update from @cheimes:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
https://review.gerrithub.io/#/c/dogtagpki/pki/+/409461
Metadata Update from @cheimes:
- Issue priority set to: blocker
- Issue set to the milestone: 10.6
Metadata Update from @cheimes:
- Issue assigned to cheimes
Fixed in commit f9a48a40491726c6c83bc5e1f624aa550c2a5b8d to master
It looks like the CA signing cert got imported into CS.cfg as binary string:
$ grep ca.signing.cert= /etc/pki/pki-tomcat/ca/CS.cfg
ca.signing.cert=b'<base-64 encoded cert>'
The ca.signing.cert parameter is set in this code: https://github.com/dogtagpki/pki/blob/d3af85674f76eb2ece82ffb8eacc9a042264e72c/base/server/python/pki/server/deployment/scriptlets/configuration.py#L567
We probably should make sure that NSSDatabase.get_cert() returns a normal string instead of binary string for PEM, base-64, pretty-print formats: https://github.com/dogtagpki/pki/blob/d3af85674f76eb2ece82ffb8eacc9a042264e72c/base/common/python/pki/nssdb.py#L897
Note: in the future we might want to support DER format for get_cert(), which in that case the output should be binary string.
Good catch, Endi!
I tried to change the return type first, but I ran into multiple errors in e.g. cert validation. It seems like other places in our code base depend on bytes. Also PyCA cryptography and IPA always treat certs as bytes, even PEM/base64 encoded certs.
I created https://review.gerrithub.io/c/dogtagpki/pki/+/409645 . The PR converts the cert to ASCII text for serialization to JSON or disk. The config writer for CS.cfg now catches unsupported value types like bytes.
With the patch, FreeIPA's external CA feature works.
https://review.gerrithub.io/c/dogtagpki/pki/+/409645 has landed, too.
@ftweedal thanks for the review!
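The two pitfalls discussed in this ticket, as an added illustration that is not Dogtag's own code: `subprocess` needs bytes on a binary stdin pipe (the `memoryview` TypeError from the pkispawn log), and a certificate held as bytes must be decoded to text before it is written to a key=value file, or the file ends up with the Python repr `b'...'` as seen in CS.cfg. The function names, the hypothetical config writer and the sample base-64 string are all constructed for this example; the sample is not a real certificate.

```python
"""Added example (not pki's code): str/bytes hygiene around subprocess and config output."""
import subprocess
import sys

# Constructed sample value standing in for a base-64 encoded CA signing cert.
SAMPLE_CERT_B64 = b"MIIBxzCCAW2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA="


def to_stdin_bytes(value):
    """Normalise data destined for a child's stdin to bytes.

    Popen.communicate() on a binary pipe wraps its input in a memoryview,
    which rejects str; encoding up front avoids that TypeError.
    """
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    raise TypeError("stdin input must be str or bytes, not %s" % type(value).__name__)


def run_with_stdin(argv, keystroke):
    """Run argv, feed keystroke to its stdin, return (returncode, stdout bytes)."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    out, _ = p.communicate(to_stdin_bytes(keystroke))
    return p.returncode, out


def echo_via_child(keystroke):
    """Spawn a child Python that copies stdin to stdout and return what came back."""
    argv = [sys.executable, "-c",
            "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]
    _, out = run_with_stdin(argv, keystroke)
    return out


def cert_to_text(cert):
    """Return a PEM/base-64 certificate as str regardless of how it was handed over.

    Base-64 and PEM are pure ASCII, so a strict decode is safe and will flag
    a DER blob passed by mistake instead of silently mangling it.
    """
    if isinstance(cert, bytes):
        return cert.decode("ascii")
    if isinstance(cert, str):
        return cert
    raise TypeError("certificate must be str or bytes, not %s" % type(cert).__name__)


def render_cs_cfg(params):
    """Serialise a dict to CS.cfg-style key=value lines (hypothetical writer).

    Refuses bytes values outright rather than letting str() turn them into
    the b'...' repr that this ticket found in ca.signing.cert.
    """
    lines = []
    for key in sorted(params):
        value = params[key]
        if isinstance(value, bytes):
            raise TypeError("config value for %r is bytes; decode it to text first" % key)
        if not isinstance(value, str):
            raise TypeError("config value for %r must be str, got %s"
                            % (key, type(value).__name__))
        lines.append("%s=%s" % (key, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Feeding a str through the helper works; the raw call would raise TypeError.
    print(echo_via_child("y\n"))
    cfg = render_cs_cfg({"ca.signing.cert": cert_to_text(SAMPLE_CERT_B64)})
    print(cfg, end="")
    try:
        render_cs_cfg({"ca.signing.cert": SAMPLE_CERT_B64})
    except TypeError as e:
        print("rejected:", e)
```

Running the block prints the echoed keystroke, a well-formed `ca.signing.cert=MIIB...` line, and the rejection message for the undecoded bytes value.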
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.1 (was: 10.6)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3123
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.