#4064 Automatic CA subsystem certificate renewal is broken on CA clones
Closed: Fixed None Opened 7 years ago by jcholast.

On CA clones, certmonger uses the dogtag-ipa-retrieve-agent-submit CA helper script to retrieve renewed CA subsystem certificates from the master CA. Certmonger expects the script to write the certificate in PEM format to its standard output. The script does that, but prepends an extra "\033[?1034h" to the output, causing certmonger to fail to parse the certificate.

The erroneous output is caused by a bug in readline: http://lists.gnu.org/archive/html/bug-readline/2013-06/msg00000.html, https://bugzilla.redhat.com/show_bug.cgi?id=880393. The Python readline module is not imported in dogtag-ipa-retrieve-agent-submit itself, but in some module it imports.

The workaround is to set the TERM environment variable to some terminal type which does not support the meta-key capability (such as vt100) before importing modules in dogtag-ipa-retrieve-agent-submit.
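A check that could be run over the helper's captured standard output to catch this failure mode, as an added example (not FreeIPA or certmonger code): it reports any bytes preceding the PEM header and names terminal control sequences among them. The function names and the sample certificate body are constructed for illustration, and certmonger's own parser is not reproduced here.

```python
import os
import re

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
# ANSI CSI sequence: ESC [ parameter bytes, intermediate bytes, final byte.
CSI = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Constructed sample: placeholder body, not a real certificate.
SAMPLE_PEM = PEM_BEGIN + b"\nQ09OU1RSVUNURUQ=\n" + PEM_END + b"\n"
SAMPLE_POLLUTED = b"\033[?1034h" + SAMPLE_PEM


def inspect_helper_output(data):
    """Classify helper stdout: return (status, leading_bytes, pem).

    status is 'clean' when the output starts with the PEM header,
    'polluted' when a PEM block exists but other bytes precede it,
    and 'no-pem' when no complete PEM block is present.
    """
    start = data.find(PEM_BEGIN)
    end = data.find(PEM_END, start + 1) if start != -1 else -1
    if start == -1 or end == -1:
        return "no-pem", data, b""
    pem = data[start:end + len(PEM_END)] + b"\n"
    leading = data[:start]
    return ("clean" if not leading else "polluted"), leading, pem


def describe_leading(leading):
    """Name terminal control sequences found ahead of the PEM header."""
    return [m.group().decode("ascii").replace("\x1b", "ESC")
            for m in CSI.finditer(leading)]


def helper_environment(base=None):
    """Environment with TERM forced to vt100 (the ticket's workaround).

    Inside the script itself, TERM must be set before importing any
    module that loads readline.
    """
    env = dict(os.environ if base is None else base)
    env["TERM"] = "vt100"
    return env


if __name__ == "__main__":
    status, leading, pem = inspect_helper_output(SAMPLE_POLLUTED)
    print(status, describe_leading(leading))
```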

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/12 (bug fixing)

4 years ago
