The API fails with:

```
Traceback (most recent call last):
  File "./t", line 61, in <module>
    rec = api.Command['cert_request'](principal=principal, csr=csr)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 440, in __call__
    self.validate(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 720, in validate
    param.validate(value, self.env.context, supplied=param.name in kw)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 837, in validate
    self._validate_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 849, in _validate_scalar
    error = rule(ugettext, value)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 157, in validate_csr
    raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % e)
ipalib.errors.CertificateOperationError: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.
```
The code used is:
```python
#!/usr/bin/env python
import os

from ipapython import ipautil
from ipalib import api, errors
from OpenSSL import crypto

user = 'user'
password = 'password'
service = 'TEST'

node = os.uname()[1]
principal = unicode('{0}/{1}'.format(service, node))

# Kerberos Initialisation
ipautil.kinit_password(user, password,
                       'KEYRING:persistent:{0}:{1}'.format(os.getuid(), os.getgid()))

# API Bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.rpcclient.connect()

# Look the service up, creating it if it does not exist yet
try:
    rec = api.Command['service_show'](principal)
except errors.NotFound:
    rec = api.Command['service_add'](principal, subject=unicode(node))

if 'usercertificate' in rec['result']:
    print rec['result']['usercertificate']
else:
    # Create Private key
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    pkey = unicode(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    print pkey

    # Create request
    req = crypto.X509Req()
    req.get_subject().CN = node
    req.get_subject().countryName = 'NL'
    req.get_subject().stateOrProvinceName = 'Province'
    req.get_subject().localityName = 'Locality'
    req.get_subject().organizationName = 'Organization'
    req.get_subject().organizationalUnitName = 'Unit'
    x509_extensions = [
        crypto.X509Extension("keyUsage", False,
                             "Digital Signature, Non Repudiation, Key Encipherment"),
        crypto.X509Extension("basicConstraints", False, "CA:FALSE"),
    ]
    x509_extensions.append(crypto.X509Extension(
        "subjectAltName", False, ', '.join(['DNS: {0}'.format(node)])))
    req.add_extensions(x509_extensions)
    req.set_pubkey(key)
    req.sign(key, "sha512")
    csr = unicode(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
    print csr

    # Request
    rec = api.Command['cert_request'](principal=principal, csr=csr)
    rec = api.Command['service_show'](u'TEST/repo2.zm1.odcnoord.nl')
    certificates = rec['result']['usercertificate']
    for certificate in certificates:
        # IPA returns the certificate as DER; re-encode it as PEM for printing
        #cert = crypto.dump_certificate(crypto.FILETYPE_PEM, certificate)
        cert = crypto.dump_certificate(crypto.FILETYPE_PEM,
            crypto.load_certificate(crypto.FILETYPE_ASN1, certificate))
        print cert
```
For some reason the OpenSSL library doesn't create the format IPA can read...
It seems IPA only accepts the public key, while with OpenSSL.crypto I send a keypair. The documented function OpenSSL.crypto.dump_publickey doesn't exist on my CentOS 7.3 system, so there is no way to get this to work....
Metadata Update from @lvg01:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
That traceback does not look like v4.4. What is the precise server version and platform?
Excuse me, the traceback posted earlier was from an earlier test with ipa 4.2. Here is the correct traceback:

```
Traceback (most recent call last):
  File "./test", line 105, in <module>
    rec = api.Command['cert_request'](principal=principal, csr=csr)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 823, in forward
    *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1111, in __request
    raise error_class(**kw)
ipalib.errors.CertificateOperationError: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.
```
Current versions are:
```
$ uname -a
Linux repo2.zm1.odcnoord.nl 3.10.0-327.36.2.el7.x86_64 #1 SMP Mon Oct 10 23:08:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
```
Metadata Update from @lvg01:
- Issue close_status updated to: None
@lvg01 that is the client traceback. Do you have the server traceback for v4.4? Or if not please provide the precise server version and platform.
I don't have the traceback on the server.

```
ipa-server-4.4.0-14.el7.centos.4.x86_64
kernel-3.10.0-514.6.1.el7.x86_64
```
Complete list:
Triage notes: the command can be extended to accept both formats
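The triage note proposes accepting both CSR encodings. As an added example (not FreeIPA code), here is a hypothetical `normalize_csr()` that sniffs PEM versus DER, base64-decodes PEM strictly, and checks the outer DER SEQUENCE length before anything is handed to a parser, so a truncated or garbage-tailed request is rejected with a specific message instead of a bare SEC_ERROR_BAD_DER. The sample bytes are a constructed minimal SEQUENCE, not a real PKCS#10 request.

```python
import base64
import re

# Constructed stand-in for a DER CSR: SEQUENCE { INTEGER 5, INTEGER 7 } (not a real PKCS#10).
SAMPLE_DER = b'\x30\x06\x02\x01\x05\x02\x01\x07'
SAMPLE_PEM = ('-----BEGIN CERTIFICATE REQUEST-----\n'
              + base64.b64encode(SAMPLE_DER).decode('ascii')
              + '\n-----END CERTIFICATE REQUEST-----\n')
PEM_RE = re.compile(r'-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)'
                    r'-----END (NEW )?CERTIFICATE REQUEST-----', re.DOTALL)


class BadCSR(ValueError):
    """Input is neither a PEM CSR block nor a well-formed DER SEQUENCE."""


def der_header(data):
    """Return (header_len, content_len) of the outer DER SEQUENCE in data."""
    if len(data) < 2 or data[0] != 0x30:
        raise BadCSR('outer tag is not a DER SEQUENCE')
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise BadCSR('unsupported or truncated DER length')
    content_len = int.from_bytes(data[2:2 + n], 'big')
    if data[2] == 0 or (n == 1 and content_len < 0x80):
        raise BadCSR('non-minimal length encoding (DER demands shortest form)')
    return 2 + n, content_len


def normalize_csr(csr):
    """Accept a CSR as PEM (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(csr, str):
        csr = csr.encode('utf-8')
    if csr[:1] == b'\x30':                # leading SEQUENCE tag: treat as DER
        der = csr
    else:
        m = PEM_RE.search(csr.decode('ascii', 'replace'))
        if not m:
            raise BadCSR('no CERTIFICATE REQUEST PEM block found')
        try:  # strict base64: reject stray characters rather than dropping them
            der = base64.b64decode(''.join(m.group(2).split()), validate=True)
        except ValueError:
            raise BadCSR('PEM body is not valid base64')
    hdr, length = der_header(der)
    if hdr + length != len(der):          # trailing garbage or truncation
        raise BadCSR('DER declares %d bytes, got %d' % (hdr + length, len(der)))
    return der
```

The same check can be run client-side before calling `cert_request`, which turns a server-side decode failure into a local error that names the actual problem.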
Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.7 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)