On CA clones, certmonger uses the dogtag-ipa-retrieve-agent-submit CA helper script to retrieve renewed CA subsystem certificates from master CA. Certmonger expects the script to write the certificate in PEM format to its standard output. The script does that, but prepends an extra "\033[?1034h" to the output, causing certmonger to fail to parse the certificate.
The erroneous output is caused by a bug in readline: http://lists.gnu.org/archive/html/bug-readline/2013-06/msg00000.html, https://bugzilla.redhat.com/show_bug.cgi?id=880393. The Python readline module is not imported in dogtag-ipa-retrieve-agent-submit itself, but in some module it imports.
The workaround is to set the TERM environment variable to some terminal type which does not support the meta-key capability (such as vt100) before importing modules in dogtag-ipa-retrieve-agent-submit.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1040009
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/12 (bug fixing)
to comment on this ticket.