#8204 ipa-server-certinstall -> certmonger add_subject template-subject dbus 'unable to set arguments' a{sv}
Opened 6 months ago by hcoin. Modified 5 months ago

Issue

changing the freeipa ui apache server cert fails.

ipa-server-certinstall -w -p whatever --pin="" /etc/ssl/a.pem.crt /etc/ssl/private/a.pem.key
fails with

ipapython.ipautil: DEBUG: stderr=
dbus.connection: ERROR: Unable to set arguments ({'template-subject': <Name(O=1.quietfountain.com,CN=registry.1.quietfountain.com)>},) according to signature 'a{sv}': <class 'TypeError'>: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: DEBUG:   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 117, in run
    self.replace_http_cert()
  File "/usr/lib/python3/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 173, in replace_http_cert
    certmonger.add_subject(req_id, cert.subject)
  File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", line 305, in add_subject
    add_request_value(request_id, 'template-subject', subject)
  File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", line 284, in add_request_value
    request.obj_if.modify({directive: value})
  File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 147, in __call__
    *keywords)
  File "/usr/lib/python3/dist-packages/dbus/connection.py", line 643, in call_blocking
    message.append(signature=signature,
                   args)

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: TypeError: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: ERROR: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

Steps to Reproduce

See above, 100%

Change
def add_subject(request_id, subject):
    """
    In order for a certmonger request to be renewable it needs the subject
    set in the request file.

    When an existing certificate is added via start-tracking it won't have
    a subject_template set. !!!
    """
-   add_request_value(request_id, 'template-subject', subject)
+   add_request_value(request_id, 'template-subject', str(subject))
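Review bot: str(subject) does not hand certmonger a DN in the changed line. The object reaching D-Bus is a cryptography x509 Name, which the error above shows only in its `<Name(O=...,CN=...)>` repr form; str() on that object yields the same repr text, so the request's template-subject becomes that literal string rather than a usable subject, which is exactly the concern raised below. Convert explicitly to a DN string (the later comment points at str(DN(cert.subject)) as what the other call sites do) and have add_subject reject non-str values with a clear TypeError instead of letting the a{sv} marshalling fail.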

and it works.
certmonger/eoan,now 0.79.6-2 amd64 [installed,automatic]

I'm concerned my 'fix' will not result in certmonger actually doing the right thing, but at least the command completes 'normally'. I'll leave it to the freeipa brain trust from here.


What CA issued this replacement certificate? It looks like IPA issued it.

Can you provide the PEM certificate so we can look at the encoding of the subject?

IPA did issue it. It is a 'vanilla' ipa-ca certificate. The need for a replacement server cert is to permit a san that adds IP and DNS for failover.

This file was created by IPA. Do not edit.

[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "1.QUIETFOUNTAIN.COM%20IPA%20CA"
subject: "0%3E1%1C0%1A%06%03U%04%0A%0C%131.QUIETFOUNTAIN.COM1%1E0%1C%06%03U%04%03%0C%15Certificate%20Authority"
issuer: "0%3E1%1C0%1A%06%03U%04%0A%0C%131.QUIETFOUNTAIN.COM1%1E0%1C%06%03U%04%03%0C%15Certificate%20Authority"
serial-number: "%02%01%01"
trusted: true

Ok, this should probably work but you don't need to go through all this to replace an IPA-issued cert with an IPA-issued cert.

ipa-getcert resubmit -f /var/lib/ipa/certs/httpd.crt -D <san fqdn> -A <ip addr>

IPA must be able to resolve in DNS that the IP belongs to this host.

Thanks for the thought. So much of freeipa documentation is written in the style of 'lore', I read the command that I thought ought to work and just went with it. I needed the infrastructure to create the csrs for other cert needs anyhow so that was my starting point.

While you're focusing on this item might you remove the requirement for --pin="" on the command line to avoid awaiting console input when certificates aren't locked?

I am grateful for the freeipa project and have good hopes for its future, thanks to all who helped with it!

Harry Coin

Your command should have worked. We'll definitely look into this to see what is going on, it's just not the ideal way to reissue the cert. I suspect it's an encoding issue in the cert but haven't had a chance to dig into it yet.

I see your point about having to specify a blank pin but since this is easily worked around I suspect fixing this would have a pretty low priority. Feel free to file a separate RFE for this, it might get changed eventually.

When the type and details of the native key are ok then the 'resubmit' could work. I just needed one way to do one thing and as I had broader need for a csr submission system I use it for all needs including the ipa cert.

Metadata Update from @rcritten:
- Issue assigned to rcritten

5 months ago

I've reproduced this on the master branch, it is independent of the actual cert.

What version of IPA are you using?

I reproduced it with:

  • setenforce permissive
  • cp /var/lib/ipa/certs/httpd.crt /tmp
  • cp /var/lib/ipa/private/httpd.key /tmp
  • ipa-server-certinstall -w --pin "cat /var/lib/ipa/passwds/ipa.example.test-443-RSA" /tmp/httpd.crt /tmp/httpd.key

The cert variable in ipa-server-certinstall is an ipalib.x509.IPACertificate object

So cert.subject is a cryptography.x509.name.Name object which is what is blowing up add_subject. It expects a string.

In ipa-server-certinstall certmonger.add_subject() should be called with str(DN(cert.subject)) to match the behavior of ipaserver/install/httpinstance.py and ipaserver/install/certs.py

certmonger.add_subject may need a test for string type to perhaps catch this better in the future.

This behavior was added in 9a7c315 and affects 4.7.0+

This will only trigger if the replacement cert is issued by IPA which is why this wasn't caught by CI.
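As an added illustration of the type guard suggested in that comment (this is not FreeIPA's or certmonger's code): a helper that produces the string certmonger's template-subject directive needs and refuses both a raw Name object and the `<Name(...)>` text that a bare str() call would produce. FakeName is a constructed stand-in for cryptography.x509.Name, and `modify` is an injected placeholder for the D-Bus call request.obj_if.modify.

```python
import re

# Constructed stand-in for cryptography.x509.Name (assumption: the real class
# is not imported here). Only two behaviours matter for this bug: it has no
# __str__, so str() falls back to the "<Name(...)>" repr seen in the error
# above, and it exposes rfc4514_string() for the real DN text.
class FakeName:
    def __init__(self, attrs):
        self._attrs = list(attrs)          # list of (type, value) pairs

    def rfc4514_string(self):
        return ",".join(f"{t}={v}" for t, v in self._attrs)

    def __repr__(self):
        return f"<Name({self.rfc4514_string()})>"


# One RFC 4514 DN: attr=value pairs joined by commas; values may escape commas.
_DN_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)=(?:[^,\\]|\\.)+"
    r"(?:,(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)=(?:[^,\\]|\\.)+)*$"
)


def subject_to_template(subject):
    """Return the str that certmonger's template-subject directive accepts.

    A DN string or an x509 Name-like object is converted; anything else is
    refused here, before the a{sv} D-Bus marshalling fails with a vaguer error.
    """
    if isinstance(subject, str):
        dn = subject
    elif hasattr(subject, "rfc4514_string"):
        dn = subject.rfc4514_string()
    else:
        raise TypeError(f"subject must be str or x509 Name, got {type(subject).__name__}")
    if not _DN_RE.match(dn):
        # This branch is what catches str(Name): "<Name(...)>" is not a DN.
        raise ValueError(f"template-subject is not an RFC 4514 DN: {dn!r}")
    return dn


def add_subject(request_id, subject, modify):
    """Guarded version of the add_subject call discussed in this issue.

    `modify` is a placeholder for request.obj_if.modify (the D-Bus call),
    injected so the guard can be exercised without certmonger running.
    """
    args = {"template-subject": subject_to_template(subject)}
    modify(args)
    return args
```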

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8.5

5 months ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1810148

5 months ago

@rcritten
we have integration tests in test_caless.py::TestCertInstall but they are using a p12 file, not a combination of pem + key. It may be worth adding a new test.

Yes, this is going to need a new test. This only triggers when a CA is installed and the cert is issued by the main IPA CA.

Note that the certinstall requires --pem="" in order to not block
waiting on stdin even when the key isn't encrypted.

On 3/4/20 12:29 PM, Rob Crittenden wrote:

rcritten added a new comment to an issue you are following:
Yes, this is going to need a new test. This only triggers when a CA is installed and the cert is issued by the main IPA CA.

