#8199 Nightly test failure in testing_master_pki: unable to load CSR
Closed: fixed 4 months ago by frenaud. Opened 5 months ago by frenaud.

The nightly tests [testing_master_pki] failed in multiple places, see PR #141:
- external_ca_TestExternalCAInvalidCert
- external_ca_TestExternalCAdirsrvStop
- external_ca_TestMultipleExternalCA
- external_ca_templates
- test_caless_TestServerCALessToExternalCA
- test_external_ca_TestExternalCA

All the errors seem related to a problem loading a CSR:

self = <ipatests.test_integration.test_external_ca.TestExternalCAInvalidCert object at 0x7f83a131a290>

    def test_external_ca(self):
        # Step 1 of ipa-server-install.
        install_server_external_ca_step1(self.master)

        # Sign CA, transport it to the host and get ipa a root ca paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
>           self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

test_integration/test_external_ca.py:379: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
pytest_ipa/integration/tasks.py:1790: in sign_ca_and_transport
    ipa_ca = external_ca.sign_csr(ipa_csr, path_length=ipa_ca_path_length)
create_external_ca.py:131: in sign_csr
    csr_tbs = x509.load_pem_x509_csr(ipa_csr, default_backend())
/usr/lib64/python3.7/site-packages/cryptography/x509/base.py:58: in load_pem_x509_csr
    return backend.load_pem_x509_csr(data)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7f83a1d0b910>
data = b'-----BEGIN NEW CERTIFICATE REQUEST-----\nMIIDqjCCAhICAQAwMzERMA8GA1UEChMISVBBLlRFU1QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF...eqUC5serysyQEzkh3Cc2Tpx5q2ZSux0vTBFsq\n6O8ZejSb4pCDzpu+NSslq90THRsQg41x6dDD9gNE-----END NEW CERTIFICATE REQUEST-----\n'

    def load_pem_x509_csr(self, data):
        mem_bio = self._bytes_to_bio(data)
        x509_req = self._lib.PEM_read_bio_X509_REQ(
            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
        )
        if x509_req == self._ffi.NULL:
            self._consume_errors()
            raise ValueError(
>               "Unable to load request. See https://cryptography.io/en/la"
                "test/faq/#why-can-t-i-import-my-pem-file for more details."
            )
E           ValueError: Unable to load request. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

/usr/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.py:1220: ValueError

After investigation, it turns out jss-4.6.3-1.20200213194302.ae4a9a49.fc31.x86_64 is the culprit.
With jss-4.6.2-2.fc31.x86_64 the installation succeeds, but with the nightly build of jss, the CSR produced by the first step of PKI installation (with an externally-signed CA) is invalid:

# cat /root/ipa.csr 
-----BEGIN NEW CERTIFICATE REQUEST-----[...]-----END NEW CERTIFICATE REQUEST-----

Note that the CSR footer is on the same line as the CSR body.

Issue was discussed with @cipherboy and a PR is already in progress on jss workspace: PR #411.

Closing as fixed since the new nightly build of jss fixes the issue, as can be seen in this test report.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

4 months ago
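
A framing check for the failure this ticket describes, where the END boundary shares a line with the last base64 data. This is an added example, not code from FreeIPA, JSS or the ticket; the names check_csr_pem_framing and sample_pem are hypothetical and the sample data is constructed, not a real CSR.

```python
import base64
import re

# PKCS#10 requests use either label; the CSR in the ticket uses the "NEW" form.
_LABEL = r"(?:NEW )?CERTIFICATE REQUEST"
_BEGIN = re.compile(rf"^-----BEGIN ({_LABEL})-----$")
_END = re.compile(rf"^-----END ({_LABEL})-----$")
_END_ANYWHERE = re.compile(rf"-----END {_LABEL}-----")


def check_csr_pem_framing(data: bytes) -> list:
    """Return framing problems found in a PEM CSR; an empty list means none."""
    lines = [ln.rstrip("\r") for ln in data.decode("ascii", "replace").split("\n")]
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines
    begin = _BEGIN.match(lines[0]) if lines else None
    if not begin:
        return ["first line is not a CSR BEGIN boundary"]
    problems, body = [], lines[1:-1]
    end = _END.match(lines[-1])
    if end is None:
        glued = _END_ANYWHERE.search(lines[-1])
        if not glued or glued.start() == 0:
            return ["no END boundary found"]
        # The case from the ticket: footer appended to the last base64 line.
        problems.append("END boundary is on the same line as base64 data")
        body = body + [lines[-1][:glued.start()]]
    elif end.group(1) != begin.group(1):
        problems.append("BEGIN and END labels differ")
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["body is not valid base64"]
    if not der.startswith(b"\x30"):
        problems.append("decoded body does not start with a DER SEQUENCE tag")
    return problems


def sample_pem(glue_footer: bool) -> bytes:
    """Constructed sample: arbitrary bytes behind a SEQUENCE tag, not a real CSR."""
    b64 = base64.b64encode(b"\x30\x60" + bytes(range(96))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    sep = "" if glue_footer else "\n"
    return (f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}{sep}"
            "-----END NEW CERTIFICATE REQUEST-----\n").encode()


if __name__ == "__main__":
    for glued in (False, True):
        print(glued, check_csr_pem_framing(sample_pem(glued)))
```

Running a check like this on the CSR file before it reaches load_pem_x509_csr turns the generic "Unable to load request" error into a specific diagnosis of the framing.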
