Ticket was cloned from Red Hat Bugzilla: Bug 1644874
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: IPA starts, senses a change in schemas, and then fails to update itself with an error about not being able to convert a cert
Version-Release number of selected component (if applicable): RHEL 7.6 / ipa-server-4.6.4-10.el7.x86_64
How reproducible: Consistent after initial failure to update
Actual results: From /var/log/ipaupgrade.log
RuntimeError: unable to convert the attribute u'cACertificate;binary' value 'MII...<cut_out_cert>...Gtw==' to type <class 'cryptography.x509.base.Certificate'> in LDAP entry 'cn=CACert,cn=ipa,cn=etc,dc=XXXX'
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1644874
Issue is linked to the ticket #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding the value of the certificate twice in cn=cacert,cn=ipa,cn=etc,$BASEDN.
The fix for 3477 was only partial, as it prevents double-encoding when a new cert is uploaded but did not fix wrong values already present in LDAP.
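The comment above describes the data problem behind the upgrade failure: the cACertificate;binary value in LDAP holds base64 text instead of the DER bytes the upgrade code expects. The following is an added example, not FreeIPA code, of how an administrator could audit an exported attribute value for that condition and recover the DER form. It uses only the Python standard library: the DER check is a structural one (outer SEQUENCE tag and a length field that spans the whole buffer), not a full certificate parse, and the sample value is a constructed minimal DER SEQUENCE standing in for a real certificate blob.

```python
import base64
import binascii

# Constructed stand-in for a DER-encoded certificate: a DER SEQUENCE wrapping
# one INTEGER. A real cACertificate value is the full X.509 DER blob.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

# The shape of the bad value from the ticket: base64 text of the DER stored
# where the raw DER bytes should be (a real one starts with 'MII...').
SAMPLE_DOUBLE_ENCODED = base64.b64encode(SAMPLE_DER)


def looks_like_der_sequence(data: bytes) -> bool:
    """Structural check only: tag 0x30 and a length field that covers exactly
    the rest of the buffer. This is not a certificate parse; a real deployment
    would hand the bytes to cryptography.x509.load_der_x509_certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:
        length, header = first, 2          # short-form length
    else:
        n = first & 0x7F                    # long-form: n length octets follow
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    # Requiring the length to match the buffer makes it very unlikely that a
    # base64 string starting with '0' (0x30) is mistaken for DER.
    return header + length == len(data)


def normalize_cacert_value(value: bytes):
    """Classify a raw cACertificate;binary value and return (der, status).

    status is one of:
      "der"            - value already holds DER; returned unchanged
      "double-encoded" - value was base64 text of DER; decoded DER returned
      "invalid"        - neither; der is None
    """
    if looks_like_der_sequence(value):
        return value, "der"
    # Tolerate line-wrapped base64 as an LDIF export might produce it.
    compact = b"".join(value.split())
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None, "invalid"
    if looks_like_der_sequence(decoded):
        return decoded, "double-encoded"
    return None, "invalid"


def audit_entry(entry: dict) -> dict:
    """Return a report for an entry shaped like python-ldap results:
    {attribute: [values]}. Each cACertificate;binary value is classified and,
    where it was double-encoded, the recovered DER is included so the caller
    can write it back with an LDAP modify (not done here)."""
    report = {}
    for attr, values in entry.items():
        if attr.lower() != "cacertificate;binary":
            continue
        report[attr] = [normalize_cacert_value(v) for v in values]
    return report


if __name__ == "__main__":
    # Constructed entry mirroring cn=CACert,cn=ipa,cn=etc,$BASEDN with one good
    # value and one double-encoded value.
    entry = {"cACertificate;binary": [SAMPLE_DER, SAMPLE_DOUBLE_ENCODED]}
    for attr, results in audit_entry(entry).items():
        for der, status in results:
            print(attr, status, der)
```

Running the audit against an LDIF export of the cn=CACert entry before an upgrade shows whether the stored value is the one the ticket describes; the status "double-encoded" together with the recovered DER is what a repair step would write back, which this example deliberately leaves to the operator.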
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2618
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @tdudlak: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
This does not fix a problem with a newer client enrolling to old servers where a double-encoded certificate would still be present but a client would deny its use. We need to open a new ticket for the client.