#6749 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
Closed: fixed 7 years ago Opened 7 years ago by ndehadrai.

Description:
ipa: ERROR: an internal error has occurred on executing command ipa cert-request --add after upgrade.

Version:
ipa-server-4.4.90-201703072305.el7.x86_64

Steps to Reproduce:
1. Upgrade IPA server configured on RHEL 7.3.z ito RHEL 7.4 (copr build)
ipa-server-4.4.90-201703072305.el7.x86_64. ( #yum -y update 'ipa*' sssd).
2. Upgrade process completes.
3. After upgrade run the following commands:

  #  kinit admin
  # echo '[ req ]
default_bits = 2048' > IPAMASTER-cert-req.conf
  # echo "default_keyfile = IPAMASTER.key" >> IPAMASTER-cert-req.conf
  # echo 'distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> IPAMASTER-cert-req.conf
    # echo "CN = IPAMASTER.testrelm.test" >> IPAMASTER-cert-req.conf
    # csrfile="IPAMASTER.testrelm.test-cert-req.csr"
    # testprinc="EXAMPLE$(date +%H%M)/IPAMASTER.testrelm.test"
    # openssl req -new -config IPAMASTER-cert-req.conf -out $csrfile
    # ipa cert-request --add --principal=$testprinc $csrfile

Actual Result:
1. After step3, following error message is received:
ipa: ERROR: an internal error has occurred
2. Under "/var/log/httpd/error_log" following error is noticed:

[Fri Mar 10 03:53:07.894514 2017] [:error] [pid 12952] ipa: ERROR: non-public: AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894531 2017] [:error] [pid 12952] Traceback (most recent call last):
[Fri Mar 10 03:53:07.894533 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Fri Mar 10 03:53:07.894535 2017] [:error] [pid 12952]     result = command(*args, **options)
[Fri Mar 10 03:53:07.894537 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Mar 10 03:53:07.894539 2017] [:error] [pid 12952]     return self.__do_call(*args, **options)
[Fri Mar 10 03:53:07.894541 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Mar 10 03:53:07.894543 2017] [:error] [pid 12952]     ret = self.run(*args, **options)
[Fri Mar 10 03:53:07.894545 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Mar 10 03:53:07.894546 2017] [:error] [pid 12952]     return self.execute(*args, **options)
[Fri Mar 10 03:53:07.894548 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 805, in execute
[Fri Mar 10 03:53:07.894550 2017] [:error] [pid 12952]     self.obj._parse(result, all)
[Fri Mar 10 03:53:07.894552 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 388, in _parse
[Fri Mar 10 03:53:07.894553 2017] [:error] [pid 12952]     obj['serial_number'] = cert.serial_number
[Fri Mar 10 03:53:07.894555 2017] [:error] [pid 12952] AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894745 2017] [:error] [pid 12952] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: cert_request/1(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICyTCCAbECAQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UE\\nBxMDU0ZPMRowGAYDVQQKExFSZWRIYXQgVGVjaG5vbG9neTESMBAGA1UECxMJUmVk\\nSGF0IElUMSkwJwYDVQQDEyBhdXRvLWh2LTAyLWd1ZXN0MDEudGVzdHJlbG0udGVz\\ndDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTVZBmIpq0qJQGiPDNF\\n7zvoHhd4Q0nledb5T3RBMqBitj++yixbr1O/xnBXiaJxK7agt/3mTT0MBLjRMl+m\\nk/T65LHlcraw/v71H8x5temk5zEucX5iV8utqd+1Z2wmxzkAU7BZ9Am7u+P6Ml3Q\\nNAmU4+N3Gg0W8R/RL4Atu6bsr818RZGcciYBLNCGAJJRZLI3WoljNVzCeAQu3MFt\\nTG/tkEfb+bENrh2ONygWzBx2ngHg5ZQWfh5YYekO0HgRrD3u7hJPJfKVTt8vo2fk\\nRk7ghBdX7qXlBzG384M3p0851ZkMAe1Wv1VQ9y6Ct8Dkfacqagp1QyAGTvVK5EnY\\nGbECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCzxF4mD3mfm6GyE3FzTyt2k7DY\\nP+xnJ5IgXD0N2iIiLagmFu8K5V1vrY8OQZvvOWQegcfgpU65fqM2OSQJRcF69if4\\nI7Is/SRUbdX45CVjDiemxElOkjcMJlZv6iCypwFIPjebr6xKtNg9IFvYlX9M0nlm\\ngYKCMQ4RItsIrmoD+MP49EDPcrw7Ut7Q+pG/hLQu/XEL5hGLasJyxsw2tLOEzv5Q\\nArJZ96Xvur6U/prysjk5LClNLo8TU+VVFrVwpfxv6D6NjLL99ewmeSksgnbNVnYp\\nWCYdS5DNrYBBtiRo82TOsiEsv0Y6XTMgcr/qYy6J95gNvydNSFr5PI9a/qip\\n-----END CERTIFICATE REQUEST-----\\n', principal=u'EXAMPLE0352/auto-hv-02-guest01.testrelm.test', add=True, version=u'2.219'): InternalError

Expected Result:
No Error message should be received.


This AttributeError: '_Certificate' object has no attribute 'serial_number' is caused by old python-cryptography

I see that ipa.spec has Requires: python-cryptography >= 1.4 so it should be bumped to 1.7.2.

It is not bumped also in master.

@pvoborni Not true, 1.4 should be enough.

@ndehadrai Can you please check your version of python-cryptography (rpm -qa | grep python-cryptography)?

@stlaz
Please find the output below:

[root@test ~]# tail -1 /var/log/ipaupgrade.log
2017-03-09T12:01:43Z INFO The ipa-server-upgrade command was successful
[root@test ~]# rpm -q ipa-server
ipa-server-4.4.90-201703072305.el7.x86_64
[root@test ~]# rpm -qa | grep python-cryptography
[root@test ~]#

@ndehadrai Sorry, I was wildly guessing the python-cryptography name on RHEL, please try rpm -q python2-cryptography.

@stlaz

[root@auto-hv-01-guest05 ~]# rpm -q ipa-server
ipa-server-4.4.90-201703072305.el7.x86_64
[root@auto-hv-01-guest05 ~]# rpm -q python2-cryptography
python2-cryptography-1.3.1-3.el7.x86_64
[root@auto-hv-01-guest05 ~]# tail -1 /var/log/ipaupgrade.log
2017-03-10T10:51:38Z INFO The ipa-server-upgrade command was successful
[root@auto-hv-01-guest05 ~]#

Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue priority set to: 2
- Issue set to the milestone: FreeIPA 4.5.1

7 years ago

Metadata Update from @pvomacka:
- Issue assigned to pvomacka (was: jcholast)

7 years ago

Metadata Update from @pvomacka:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/800
- Issue assigned to jcholast (was: pvomacka)

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

7 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

master:

  • 9149f2d Change python-cryptography to python2-cryptography

Not closing, waiting for 4.5 backport

ipa-4-5:

  • 14ff94a Change python-cryptography to python2-cryptography

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mbasti:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455862

7 years ago

Metadata Update from @mbasti:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455862

7 years ago

Log in to comment on this ticket.

Metadata