Description: ipa: ERROR: an internal error has occurred on executing command ipa cert-request --add after upgrade.
Version: ipa-server-4.4.90-201703072305.el7.x86_64
Steps to Reproduce:
1. Upgrade IPA server configured on RHEL 7.3.z to RHEL 7.4 (copr build) ipa-server-4.4.90-201703072305.el7.x86_64 (# yum -y update 'ipa*' sssd).
2. Upgrade process completes.
3. After upgrade run the following commands:
# kinit admin
# echo '[ req ]
default_bits = 2048' > IPAMASTER-cert-req.conf
# echo "default_keyfile = IPAMASTER.key" >> IPAMASTER-cert-req.conf
# echo 'distinguished_name = test_key_file
prompt = no
output_password = ..
[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> IPAMASTER-cert-req.conf
# echo "CN = IPAMASTER.testrelm.test" >> IPAMASTER-cert-req.conf
# csrfile="IPAMASTER.testrelm.test-cert-req.csr"
# testprinc="EXAMPLE$(date +%H%M)/IPAMASTER.testrelm.test"
# openssl req -new -config IPAMASTER-cert-req.conf -out $csrfile
# ipa cert-request --add --principal=$testprinc $csrfile
Actual Result:
1. After step 3, the following error message is received: ipa: ERROR: an internal error has occurred
2. Under "/var/log/httpd/error_log" the following error is noticed:
[Fri Mar 10 03:53:07.894514 2017] [:error] [pid 12952] ipa: ERROR: non-public: AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894531 2017] [:error] [pid 12952] Traceback (most recent call last):
[Fri Mar 10 03:53:07.894533 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Fri Mar 10 03:53:07.894535 2017] [:error] [pid 12952] result = command(*args, **options)
[Fri Mar 10 03:53:07.894537 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Mar 10 03:53:07.894539 2017] [:error] [pid 12952] return self.__do_call(*args, **options)
[Fri Mar 10 03:53:07.894541 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Mar 10 03:53:07.894543 2017] [:error] [pid 12952] ret = self.run(*args, **options)
[Fri Mar 10 03:53:07.894545 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Mar 10 03:53:07.894546 2017] [:error] [pid 12952] return self.execute(*args, **options)
[Fri Mar 10 03:53:07.894548 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 805, in execute
[Fri Mar 10 03:53:07.894550 2017] [:error] [pid 12952] self.obj._parse(result, all)
[Fri Mar 10 03:53:07.894552 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 388, in _parse
[Fri Mar 10 03:53:07.894553 2017] [:error] [pid 12952] obj['serial_number'] = cert.serial_number
[Fri Mar 10 03:53:07.894555 2017] [:error] [pid 12952] AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894745 2017] [:error] [pid 12952] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: cert_request/1(u'-----BEGIN CERTIFICATE
REQUEST-----[...]-----END CERTIFICATE REQUEST-----\\n', principal=u'EXAMPLE0352/auto-hv-02-guest01.testrelm.test', add=True, version=u'2.219'): InternalError
Expected Result: No Error message should be received.
This AttributeError: '_Certificate' object has no attribute 'serial_number' is caused by old python-cryptography
I see that ipa.spec has Requires: python-cryptography >= 1.4 so it should be bumped to 1.7.2.
It is also not bumped in master.
@pvoborni Not true, 1.4 should be enough.
@ndehadrai Can you please check your version of python-cryptography (rpm -qa | grep python-cryptography)?
@stlaz Please find the output below:
[root@test ~]# tail -1 /var/log/ipaupgrade.log
2017-03-09T12:01:43Z INFO The ipa-server-upgrade command was successful
[root@test ~]# rpm -q ipa-server
ipa-server-4.4.90-201703072305.el7.x86_64
[root@test ~]# rpm -qa | grep python-cryptography
[root@test ~]#
@ndehadrai Sorry, I was wildly guessing the python-cryptography name on RHEL, please try rpm -q python2-cryptography.
@stlaz
[root@auto-hv-01-guest05 ~]# rpm -q ipa-server
ipa-server-4.4.90-201703072305.el7.x86_64
[root@auto-hv-01-guest05 ~]# rpm -q python2-cryptography
python2-cryptography-1.3.1-3.el7.x86_64
[root@auto-hv-01-guest05 ~]# tail -1 /var/log/ipaupgrade.log
2017-03-10T10:51:38Z INFO The ipa-server-upgrade command was successful
[root@auto-hv-01-guest05 ~]#
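The mismatch visible in this output (ipa.spec asks for python-cryptography >= 1.4, the host has 1.3.1) can be caught before a request fails with an AttributeError. The check below is an added example, not part of the ticket or of FreeIPA's code; the function names and the OldCert/NewCert stand-in classes are hypothetical.

```python
import re

# Minimum taken from the ipa.spec line quoted in the ticket.
REQUIRED = (1, 4)

def rpm_version(nvra, name):
    """Extract the version from an `rpm -q` name-version-release.arch line."""
    m = re.match(r"^%s-(\d+(?:\.\d+)*)-[^-]+$" % re.escape(name), nvra.strip())
    if m is None:
        raise ValueError("not an rpm -q line for %s: %r" % (name, nvra))
    return tuple(int(part) for part in m.group(1).split("."))

def meets_minimum(version, minimum=REQUIRED):
    """Compare version tuples, padding with zeros so that 1.4 == 1.4.0."""
    width = max(len(version), len(minimum))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def has_serial_number(cert_type):
    """Feature probe: does this certificate type expose serial_number?"""
    return hasattr(cert_type, "serial_number")

def preflight(nvra, cert_type, name="python2-cryptography"):
    """Return a list of problems; an empty list means the host is consistent."""
    problems = []
    version = rpm_version(nvra, name)
    if not meets_minimum(version):
        problems.append("%s %s is older than required %s" % (
            name, ".".join(map(str, version)), ".".join(map(str, REQUIRED))))
    if not has_serial_number(cert_type):
        problems.append("certificate type has no serial_number attribute")
    return problems

# Constructed stand-ins for the certificate classes (not the real library types).
class OldCert(object):
    serial = 1

class NewCert(object):
    serial_number = 1

if __name__ == "__main__":
    # rpm -q output as posted in the ticket
    for line in preflight("python2-cryptography-1.3.1-3.el7.x86_64", OldCert):
        print("FAIL: " + line)
```
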
Metadata Update from @pvoborni: - Issue assigned to jcholast - Issue priority set to: 2 - Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @pvomacka: - Issue assigned to pvomacka (was: jcholast)
Metadata Update from @pvomacka: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/800 - Issue assigned to jcholast (was: pvomacka)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
master:
Not closing, waiting for 4.5 backport
ipa-4-5:
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mbasti: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455862
Issue linked to Bugzilla: Bug 1455862