#7775 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'"
Closed: fixed a year ago Opened a year ago by frenaud.

Ticket was cloned from Red Hat Bugzilla: Bug 1644874

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
IPA starts, senses a change in schemas, and then fails to update itself with an error about not being able to convert a cert


Version-Release number of selected component (if applicable):
RHEL 7.6 / ipa-server-4.6.4-10.el7.x86_64


How reproducible:
Consistent after initial failure to update

Actual results:
From /var/log/ipaupgrade.log
   RuntimeError: unable to convert the attribute u'cACertificate;binary' value 'MII...<cut_out_cert>...Gtw==' to type <class 'cryptography.x509.base.Certificate'> in LDAP entry 'cn=CACert,cn=ipa,cn=etc,dc=XXXX'

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1644874

a year ago

Issue is linked to the ticket #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.

The fix for 3477 only partial as it prevents double-encoding when a new cert is uploaded but did not fix wrong values already present in LDAP.

Metadata Update from @frenaud:
- Issue assigned to frenaud

a year ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2618

a year ago

master:

  • 800f269 ipa upgrade: handle double-encoded certificates
  • 93e3fc4 ipatests: add upgrade test for double-encoded cacert

ipa-4-7:

  • 8ee3779 ipa upgrade: handle double-encoded certificates
  • 2b0f3a1 ipatests: add upgrade test for double-encoded cacert

ipa-4-6:

  • 4e7838f ipa upgrade: handle double-encoded certificates
  • c567649 ipatests: add upgrade test for double-encoded cacert

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

This does not fix a problem with a newer client enrolling to old servers where a double-encoded certificate would still be present but a client would deny its use. We need to open a new ticket for the client.

master:

  • 4a938ad ipatests: fix TestUpgrade::test_double_encoded_cacert

ipa-4-6:

  • caa0e42 ipatests: fix TestUpgrade::test_double_encoded_cacert

ipa-4-7:

  • 2a299c7 ipatests: fix TestUpgrade::test_double_encoded_cacert

Login to comment on this ticket.

Metadata