When executing cert-request, if Dogtag successfully issues a certificate but IPA is unable to parse the certificate, an internal error occurs.
cert-request
Modify Dogtag profile to produce invalid certificate. One way is to set an IPAddress SAN with netmask. Right now Dogtag will accept that, but it is not valid and python-cryptography will reject it.
Execute `ipa cert-request`:

```
ftweedal% ipa cert-request ~/dev/cert/req/foo.req \
    --principal host/freebsd10-0.ipa.local \
    --certificate-out ../freebsd10-0.pem
ipa: ERROR: an internal error has occurred
```
Traceback / log output:

```
ipa: ERROR: non-public: ValueError: b'\xac\x10\x00\x01\xff\xff\xff\x00' does not appear to be an IPv4 or IPv6 address
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 370, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 879, in execute
    self.obj._parse(result, all)
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 489, in _parse
    cert.san_general_names)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 331, in san_general_names
    GENERAL_NAME_CONSTRUCTORS[gn_type](gn.getComponent()))
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 628, in _pyasn1_to_cryptography_ipaddress
    ipaddress.ip_address(bytes(octet_string)))
  File "/usr/lib64/python3.6/ipaddress.py", line 54, in ip_address
    address)
ValueError: b'\xac\x10\x00\x01\xff\xff\xff\x00' does not appear to be an IPv4 or IPv6 address
```
The command should not result in an internal error, but should report that a certificate was successfully issued but is malformed.
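Added example (not FreeIPA's own code): a decoder for the SAN iPAddress octet string that tells the 4/16-octet address form apart from the 8/32-octet address-plus-netmask form that Dogtag accepted here, so the caller can report "issued but malformed" instead of letting the ValueError from `ipaddress` surface as an internal error. The sample bytes are the value from the traceback above (172.16.0.1 with mask 255.255.255.0); the names MalformedCertificate, san_octets_to_ip_address and parse_issued_cert_sans are assumptions.

```python
import ipaddress

# Constructed samples. SAN_WITH_NETMASK is the octet string from the
# traceback: 172.16.0.1 followed by the netmask 255.255.255.0 (8 bytes).
SAN_WITH_NETMASK = b'\xac\x10\x00\x01\xff\xff\xff\x00'
SAN_IPV4 = b'\xac\x10\x00\x01'  # constructed: plain 172.16.0.1


class MalformedCertificate(Exception):
    """Hypothetical: raised when the CA issued a cert IPA cannot parse."""


def san_octets_to_ip_address(octets: bytes):
    """Convert a subjectAltName iPAddress octet string to an ipaddress object.

    RFC 5280 4.2.1.6: in subjectAltName the iPAddress is exactly 4 (IPv4)
    or 16 (IPv6) octets. The address+netmask forms (8 or 32 octets) are
    only valid in name constraints. ipaddress.ip_address() rejects the
    8-byte form with a bare ValueError, which is what became the internal
    error in this ticket; here it becomes a descriptive error instead.
    """
    n = len(octets)
    if n in (4, 16):
        return ipaddress.ip_address(octets)
    if n in (8, 32):
        half = n // 2
        addr = ipaddress.ip_address(octets[:half])
        mask = ipaddress.ip_address(octets[half:])
        raise MalformedCertificate(
            f"iPAddress SAN {addr}/{mask} carries a netmask, which is only "
            f"permitted in name constraints, not in subjectAltName")
    raise MalformedCertificate(f"iPAddress SAN has {n} octets; expected 4 or 16")


def parse_issued_cert_sans(san_octet_strings):
    """Parse the iPAddress SAN entries of a freshly issued certificate.

    Returns (addresses_parsed_so_far, error_message). On a malformed
    value the caller can tell the user the certificate was issued but is
    malformed (so it can still be retrieved by serial) rather than
    surfacing an internal error.
    """
    names = []
    for octets in san_octet_strings:
        try:
            names.append(san_octets_to_ip_address(octets))
        except MalformedCertificate as e:
            return names, f"Certificate was issued but is malformed: {e}"
    return names, None
```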
Metadata Update from @ftweedal: - Issue assigned to ftweedal
PR: https://github.com/freeipa/freeipa/pull/1518
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1518
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.4
ipa-4-6:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)