#7840 ipa client installation is failing with error "exception: InvalidCodepoint: Codepoint U+005C at position" in RHEL 7.6
Opened 4 months ago by fcami. Modified 4 months ago

If a URL in the CA certificate contains a character that is invalid under the Internationalised Domain Names in Applications (IDNA) specification [1] [2], ipa-client-install fails without any meaningful error message:

2019-01-10T11:41:50Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main
install(self)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install
_install(options)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2799, in _install
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 320, in insert_ca_certs_into_systemwide_ca_store
if (cert.extended_key_usage is not None and
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 269, in extended_key_usage
ext_key_usage = self._cert.extensions.get_extension_for_oid(
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 130, in extensions
return _CERTIFICATE_EXTENSION_PARSER.parse(self._backend, self._x509)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 255, in parse
value = handler(backend, ext_data)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 565, in _decode_crl_distribution_points
backend, cdp.distpoint.name.fullname
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 83, in _decode_general_names
names.append(_decode_general_name(backend, gn))
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 112, in _decode_general_name
hostname = idna.decode(parsed.hostname)
File "/usr/lib/python2.7/site-packages/idna/core.py", line 384, in decode
result.append(ulabel(label))
File "/usr/lib/python2.7/site-packages/idna/core.py", line 299, in ulabel
check_label(label)
File "/usr/lib/python2.7/site-packages/idna/core.py", line 253, in check_label
raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))

[1] https://tools.ietf.org/html/rfc5891
[2] https://tools.ietf.org/html/rfc5892

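ca.crt contains invalid characters in its URI(s), such as '\' in the example below. As the traceback above shows, the exception is raised while the CRL Distribution Points extension is decoded and the URI's host name is passed to idna.decode(), so the client install aborts on this one unparseable extension value: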
(...)
X509v3 CRL Distribution Points:

            Full Name:
              URI:file://\\server\path\file.crl

        Authority Information Access: 
            CA Issuers - URI:file://\\server\path\ca.crt

(...)


Metadata Update from @fcami:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1665906

4 months ago
