#8817 Running ipa-server-certinstall with v1 certificate fails with Attempted "__iter__" operation on ASN.1 schema object
Closed: fixed 2 years ago by rcritten. Opened 3 years ago by adelton.

Request for enhancement

As an admin, I want to use ipa-server-certinstall the way it used to work.

Issue

Running ipa-server-certinstall fails with Attempted "__iter__" operation on ASN.1 schema object when the certificate is a v1, with no v3 extensions.

Steps to Reproduce

  1. openssl req -x509 -nodes -new -sha256 -days 3 -newkey rsa:2048 -keyout CA.key -out CA.pem -subj "/CN=Example-Test-CA-$$"
  2. openssl req -new -nodes -newkey rsa:2048 -keyout cert.key -out cert.csr -subj "/CN=$( hostname )"
  3. openssl x509 -req -sha256 -days 3 -in cert.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out cert.crt
  4. ipa-cacert-manage -p Secret123 -n IPA-CA-$$ -t C,, install CA.pem
  5. ipa-certupdate
  6. ipa-server-certinstall -p Secret123 --pin '' -w cert.key cert.crt

Actual behavior

Attempted "__iter__" operation on ASN.1 schema object
The ipa-server-certinstall command failed.

Expected behavior

Please restart ipa services after installing certificate (ipactl restart)

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.9.3-1.fc33.x86_64
freeipa-client-4.9.3-1.fc33.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.4.15-1.fc33.x86_64
pki-ca-10.10.5-5.fc33.noarch
krb5-server-1.18.2-29.fc33.x86_64

Additional info:

Any additional information, configuration, data or log snippets that are needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting


@rcritten also asked for python3-pyasn1 version:

python3-pyasn1-0.4.8-3.fc33.noarch

Please run ipa-server-certinstall with --verbose and post the entire traceback.

openssl x509 -text -in cert.crt would be helpful, too.

# ipa-server-certinstall -p Secret123 --pin '' -w cert.key cert.crt --verbose
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140244796425552
ipapython.dogtag: DEBUG: request GET https://ipa.example.com:443/acme/directory
ipapython.dogtag: DEBUG: request body 'timeout=30'
ipapython.dogtag: DEBUG: response status 503
ipapython.dogtag: DEBUG: response headers Date: Fri, 23 Apr 2021 16:15:28 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1k mod_wsgi/4.7.1 Python/3.9 mod_auth_gssapi/1.6.3
Content-Length: 0
Connection: close


ipapython.dogtag: DEBUG: response body (decoded): b''
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpiu_h4o8h', '-N', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt', '-@', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/cert9.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/cert9.db

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/key4.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/key4.db

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/pkcs11.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/pkcs11.txt

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/pwdfile.txt

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/openssl', 'pkcs8', '-topk8', '-v2', 'aes256', '-v2prf', 'hmacWithSHA256', '-passout', 'file:/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=ipa.example.com', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/openssl', 'pkcs12', '-export', '-in', '/tmp/tmp2kyr_mv8', '-out', '/tmp/tmp55rfzyhx', '-passin', 'file:/tmp/tmpiu_h4o8h/pwdfile.txt', '-passout', 'file:/tmp/tmpb495eket', '-certpbe', 'aes-128-cbc', '-keypbe', 'aes-128-cbc']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'sql:/tmp/tmpiu_h4o8h', '-i', '/tmp/tmp55rfzyhx', '-k', '/tmp/tmpiu_h4o8h/pwdfile.txt', '-v', '-w', '/tmp/tmpdmuy4y7d']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=pk12util: PKCS12 IMPORT SUCCESSFUL

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.TEST', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=Example-Test-CA-18733', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=ipa.example.com                            u,u,u
CN=Certificate Authority,O=EXAMPLE.TEST                      ,,   
CN=Example-Test-CA-18733                                     ,,   

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-M', '-n', 'CN=Certificate Authority,O=EXAMPLE.TEST', '-t', 'C,,', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-M', '-n', 'CN=Example-Test-CA-18733', '-t', 'C,,', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-O', '--simple-self-signed', '-n', 'CN=ipa.example.com', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout="CN=Example-Test-CA-18733" [CN=Example-Test-CA-18733]

  "CN=ipa.example.com" [CN=ipa.example.com]


ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=Example-Test-CA-18733', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=Example-Test-CA-18733', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-V', '-n', 'CN=Example-Test-CA-18733', '-u', 'L', '-e', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=ipa.example.com', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-V', '-n', 'CN=ipa.example.com', '-u', 'V', '-e', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid

ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 129, in run
    self.replace_http_cert()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 167, in replace_http_cert
    cert, key, ca_cert = self.load_pkcs12(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 209, in load_pkcs12
    pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line 938, in load_pkcs12
    nssdb.verify_server_cert_validity(key_nickname, host_name)
  File "/usr/lib/python3.9/site-packages/ipapython/certdb.py", line 977, in verify_server_cert_validity
    cert.match_hostname(hostname)
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 390, in match_hostname
    values = self.san_a_label_dns_names
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 370, in san_a_label_dns_names
    gns = self.__pyasn1_get_san_general_names()
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 354, in __pyasn1_get_san_general_names
    extensions = self.__get_pyasn1_field('extensions') or []
  File "/usr/lib/python3.9/site-packages/pyasn1/type/base.py", line 572, in __bool__
    return bool(self.components)
  File "/usr/lib/python3.9/site-packages/pyasn1/type/univ.py", line 1960, in components
    for idx in sorted(self._componentValues)]
  File "/usr/lib/python3.9/site-packages/pyasn1/type/base.py", line 214, in plug
    raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema object' % name)

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: PyAsn1Error: Attempted "__iter__" operation on ASN.1 schema object
ipapython.admintool: ERROR: Attempted "__iter__" operation on ASN.1 schema object
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            27:3d:33:00:24:e6:55:22:bd:9c:da:af:0a:90:47:8c:f1:ef:fe:f6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example-Test-CA-18733
        Validity
            Not Before: Apr 23 16:14:17 2021 GMT
            Not After : Apr 26 16:14:17 2021 GMT
        Subject: CN = ipa.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

The same failure happens on Fedora 34 with

freeipa-server-4.9.3-2.fc34.x86_64
python3-pyasn1-0.4.8-4.fc34.noarch

as well.

On RHEL 8.4 the same steps pass. The package versions there are

ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
python3-pyasn1-0.3.7-6.el8.noarch

IPA should consider this certificate as invalid. It's a v1 cert and misses several mandatory extensions.

What extensions?

I guess it's completely fine for FreeIPA to reject certificates that it deems inappropriate. But the rejection message should state the reason more clearly than

Attempted "__iter__" operation on ASN.1 schema object

That gives the user no guidance how to fix the problem.

Agreed. Assumptions are made about the available extensions so you get this less-than-useful exception. In fact a big try/except should probably be added where we say invalid cert if it is unparseable, as a fall-back.

What extensions?

Literally all of them :) It's an X509v1 cert and does not have any X509v3 extension. We should check for the version number and refuse v1 and v2 certs.

It's not all of them. I've just verified that merely adding one of X509v3 Basic Constraints (CA:FALSE), X509v3 Extended Key Usage, or X509v3 Key Usage makes ipa-server-certinstall pass.

I agree that we should reject X.509 v1 certificates, failing with a descriptive error message.
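
The version check the thread converges on, refusing v1 and v2 certificates with a descriptive message instead of letting a schema decoder trip over the absent extensions, as an added example that is not FreeIPA's code: it reads only the DER tbsCertificate header with the standard library, and the three header byte strings (V1_HEADER, V2_HEADER, V3_HEADER) are constructed, truncated samples rather than real certificates.

```python
"""Reject X.509 v1/v2 certificates up front with a descriptive message.

Added example, not FreeIPA's code. In DER, TBSCertificate.version is
[0] EXPLICIT INTEGER DEFAULT v1(0): a v1 certificate omits the field and
its tbsCertificate starts with the serial INTEGER, so a schema decoder
never populates 'extensions' (the pyasn1 failure in this ticket).
"""
import base64
import re

class CertificateError(ValueError):
    """Raised with a message an administrator can act on."""

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise CertificateError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise CertificateError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise CertificateError("truncated DER")
    return tag, buf[pos:end], end

def pem_to_der(data):
    """Accept PEM or DER bytes; return DER bytes."""
    if data[:1] == b"\x30":                 # already DER (outer SEQUENCE)
        return data
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    if not m:
        raise CertificateError("input is neither PEM nor DER")
    return base64.b64decode(b"".join(m.group(1).split()))

def x509_version(der):
    """Return 1, 2 or 3 for a DER certificate (absent field means v1)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise CertificateError("outer element is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise CertificateError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)
    if tag != 0xA0:                         # [0] EXPLICIT absent -> DEFAULT v1
        return 1
    tag, ver, _ = _read_tlv(first, 0)
    if tag != 0x02 or len(ver) != 1 or ver[0] > 2:
        raise CertificateError("malformed version field")
    return ver[0] + 1                       # v1(0), v2(1), v3(2)

def check_certificate(data):
    """Return the version if it is v3, else raise a descriptive error."""
    version = x509_version(pem_to_der(data))
    if version != 3:
        raise CertificateError(
            "certificate is X.509 v%d; only v3 certificates, which can carry "
            "extensions such as subjectAltName, are supported" % version)
    return version

def rejection_reason(data):
    """None when the certificate is acceptable, otherwise the error text."""
    try:
        check_certificate(data)
    except CertificateError as exc:
        return str(exc)
    return None

# Constructed, truncated tbsCertificate headers (version + serial only);
# not real certificates, just enough DER to exercise the check.
V3_HEADER = bytes.fromhex("300a3008a003020102020101")
V2_HEADER = bytes.fromhex("300a3008a003020101020101")
V1_HEADER = bytes.fromhex("30053003020101")
V1_PEM = b"-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(V1_HEADER)
```

Running check_certificate on the cert.crt from the reproduction steps above would raise the v1 message instead of the pyasn1 exception; a real installer would run this before any hostname or extension matching.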

Metadata Update from @rcritten:
- Issue assigned to rcritten

2 years ago

master:

  • 6434968 When loading certificates verify that it is X.509 v3

ipa-4-9:

  • 22f0d8c When loading certificates verify that it is X.509 v3

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
