OpenSSL requires attribute short names ("CN", "O", etc) to be in upper case, otherwise it fails to add the attribute. This can be triggered when FreeIPA has been installed with --subject-base containing a lower-case attribute shortname (e.g. --subject-base="o=Red Hat").
For example:
ftweedal% ipa config-show |grep Subject Certificate Subject base: o=IPA.LOCAL 201804101556 ftweedal% ipa cert-request --principal alice --private-key ~ /dev/cert/req/key-rsa.pem --csr-profile-id userCert ipa: ERROR: error:0D06407A:lib(13):func(100):reason(122) error:0B073043:lib(11):func(115):reason(67)
There is also a py3 bytes/str bug that prevents the above error message appearing, which will be dealt with in the course of fixing this issue.
Metadata Update from @ftweedal: - Issue assigned to ftweedal
PR: https://github.com/freeipa/freeipa/pull/1813
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1813
master:
ipa-4-6:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.