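If a URI in a CA certificate contains a character that is invalid under the Internationalised Domain Names in Applications (IDNA) specification [1] [2], ipa-client-install fails without any meaningful error message. The debug log shows the exception being raised while python-cryptography decodes the certificate's CRL Distribution Points extension and passes the URI's hostname to idna.decode():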
2019-01-10T11:41:50Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run return cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run return self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute for rval in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(exc_info) File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main install(self) File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install _install(options) File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2799, in _install tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 320, in insert_ca_certs_into_systemwide_ca_store if (cert.extended_key_usage is not None and File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 269, in extended_key_usage ext_key_usage = self._cert.extensions.get_extension_for_oid( File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 130, in extensions return _CERTIFICATE_EXTENSION_PARSER.parse(self._backend, self._x509) File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 255, in parse value = handler(backend, ext_data) File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 
565, in _decode_crl_distribution_points backend, cdp.distpoint.name.fullname File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 83, in _decode_general_names names.append(_decode_general_name(backend, gn)) File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 112, in _decode_general_name hostname = idna.decode(parsed.hostname) File "/usr/lib/python2.7/site-packages/idna/core.py", line 384, in decode result.append(ulabel(label)) File "/usr/lib/python2.7/site-packages/idna/core.py", line 299, in ulabel check_label(label) File "/usr/lib/python2.7/site-packages/idna/core.py", line 253, in check_label raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
[1] https://tools.ietf.org/html/rfc5891 [2] https://tools.ietf.org/html/rfc5892
ca.crt contains invalid characters in its URI(s), such as '\' in the example below:
(...)
X509v3 CRL Distribution Points:
    Full Name:
      URI:file://\\server\path\file.crl
Authority Information Access:
    CA Issuers - URI:file://\\server\path\ca.crt
(...)
Metadata Update from @fcami: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1665906