As an admin, I want to use ipa-server-certinstall the way it used to work.
Running ipa-server-certinstall fails with Attempted "__iter__" operation on ASN.1 schema object when the certificate is a v1, with no v3 extensions.
openssl req -x509 -nodes -new -sha256 -days 3 -newkey rsa:2048 -keyout CA.key -out CA.pem -subj "/CN=Example-Test-CA-$$"
openssl req -new -nodes -newkey rsa:2048 -keyout cert.key -out cert.csr -subj "/CN=$( hostname )"
openssl x509 -req -sha256 -days 3 -in cert.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out cert.crt
ipa-cacert-manage -p Secret123 -n IPA-CA-$$ -t C,, install CA.pem
ipa-certupdate
ipa-server-certinstall -p Secret123 --pin '' -w cert.key cert.crt
Attempted "__iter__" operation on ASN.1 schema object
The ipa-server-certinstall command failed.
Please restart ipa services after installing certificate (ipactl restart)
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.3-1.fc33.x86_64
freeipa-client-4.9.3-1.fc33.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.4.15-1.fc33.x86_64
pki-ca-10.10.5-5.fc33.noarch
krb5-server-1.18.2-29.fc33.x86_64
@rcritten also asked for the python3-pyasn1 version:
python3-pyasn1-0.4.8-3.fc33.noarch
Please run ipa-server-certinstall with --verbose and post the entire traceback.
openssl x509 -text -in cert.crt would be helpful, too.
# ipa-server-certinstall -p Secret123 --pin '' -w cert.key cert.crt --verbose
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140244796425552
ipapython.dogtag: DEBUG: request GET https://ipa.example.com:443/acme/directory
ipapython.dogtag: DEBUG: request body 'timeout=30'
ipapython.dogtag: DEBUG: response status 503
ipapython.dogtag: DEBUG: response headers Date: Fri, 23 Apr 2021 16:15:28 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1k mod_wsgi/4.7.1 Python/3.9 mod_auth_gssapi/1.6.3
Content-Length: 0
Connection: close
ipapython.dogtag: DEBUG: response body (decoded): b''
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpiu_h4o8h', '-N', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt', '-@', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/cert9.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/cert9.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/key4.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/key4.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/pkcs11.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/pkcs11.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmpiu_h4o8h/pwdfile.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/openssl', 'pkcs8', '-topk8', '-v2', 'aes256', '-v2prf', 'hmacWithSHA256', '-passout', 'file:/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI/XwwsBz56UUCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCX/iIH2c8hdxyovReBpoAeBIIE
0Of/xRbDjd4NQgPut6ALYVQYLSuRyAi5B43se+aMruUYCb2nt6Sf1p3G7c9jkdLq
d5YyIh3WmmAWiiN6U4BZPccdIP2J7mJPsBlXNwlpjlbXpFZ9AZ9xsu83IRpnnt92
XMxlI61/knokXjE4xw2IWIvz1nBNmAjhVaHx/Q3i48pn01DPuJaFf0WSP68c0ejj
Is33CfQIhLniZOH6XmPm4igft4i2Ewbpaiey0uSRWtXY9gqfv8oHcHCjubOYg7wp
1kYEVvrRF5X7bBioVoslHevYXzWYDpQ1GIqE+MfoXXvsLbdZqPT+YcYordZFUAx1
UT5GaK+B8Bl54q1MW8IsN8hp+qOk9zauMREiVyGvZ86r+3opWheWgZrYPsEsvudW
echdIfZS/WW+G54mLcJnNogzm2m2iIR2tIPUkVKbP3PZL9F1RxtobCPKlb5pLCdw
6SFSerKAj6caq4Gtnu0i5JoXXzpHtMXTnpn5RV0AtQzLfV69us+ck5XsxJFtBAfR
KrZGS6O8ijCYSzZIimT4k79JO9p0isgDiLw9GAqqGNp2yVl1aiugmOHNrYllVKe0
ywl2cehS4pivAPD1+Qwm6/zwMNw/Z5O/ZmDKXvq+qSCygBjhKdm6CGVOiAdp4PSi
yhzYr5CaeqqhAGh+Aq3HHvzF5vqp7Kk31iwcwXLWzjCBvN8DrLhknYhMG32XX4eQ
Mt5A+dP7Qd/6pyX+ca4tc0rWzB+5KRSW5ZBF6MDb1qPW5Djai2lFiekurpfjk+EG
STQvkGpFvPKnbD5q0GFPTkXIxtfEkUIPYxiSWGsDL6CHXuiOnqsQC9CdWoeYLNF2
wFt2xC0ULlWkXyOX8waBtcGSxVQvcM/QyBU0ODpIJYxEo4Q7XjRTjvZICS04Z9YW
3yLzxWMY/arhxe3Mcj4GTbeCivm/R/IKpglmLLdoUyXiZjIB3uqVkifVawqCg/OY
4owr5Ytpku7C0ZoWMobjFnn3pJlTtUzWjywEmNK5t94ItDg+LaaT4OTLUbz9IBVD
WfGaUPD1KZY/R0bCH63uZewbsfho9XbgpYwrRcvLziKthf3pml6Gf6PaDW64ZhbN
f3SkftK08dj2bYUEGgvhbrKmvFY+XiQHf4BELBtlZWv/ogSLmjNSYmp+qUJoWYXf
e6LtYEPNnOTUjQj2+fhJuo73LkrD7IaZTm1LvVBOGzg0ZEzDYBws2nxu5UQ5Ys5f
5gFZx0Yld7ojZkTzd/kkWDKTmynWxIVyng/kd/1DuD5o7FdEAe1YtRCEYWqZ4Irv
Gi3yDNzYC8SuTWmGHA64oep0PR2Z5Pf/AqpnRXnH9Foejz7wLYbN9TjTBvP51xZF
LMMrMwjZX7jzPeaJSCVythsXFPLzf1XH+YzLLH9GWd+lpNPcJ+4MEXprSnwI/2Xh
KnwcohTt925PAvj6fsVbpkH0ny8oMhLsb5p6tVVW3TH/LIDKXCv2mjV5EblnTfBE
41BpDPQPzY1Llm4oMMNPv552CD9nwThV4HlY1HRH2q9+UggxKRVe5O6tDBFytSDv
y5PfWrQCAKS3Pgzt9mXLztZgDIVXFnMlVVAd+du5mJxLs5DMcJ4PWmSigco0vqLq
HaxPC3X+ZiUM08sO0d2QOpQu0iBgFC+oQDepujufeTb3
-----END ENCRYPTED PRIVATE KEY-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=ipa.example.com', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/openssl', 'pkcs12', '-export', '-in', '/tmp/tmp2kyr_mv8', '-out', '/tmp/tmp55rfzyhx', '-passin', 'file:/tmp/tmpiu_h4o8h/pwdfile.txt', '-passout', 'file:/tmp/tmpb495eket', '-certpbe', 'aes-128-cbc', '-keypbe', 'aes-128-cbc']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'sql:/tmp/tmpiu_h4o8h', '-i', '/tmp/tmp55rfzyhx', '-k', '/tmp/tmpiu_h4o8h/pwdfile.txt', '-v', '-w', '/tmp/tmpdmuy4y7d']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.TEST', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-A', '-n', 'CN=Example-Test-CA-18733', '-t', ',,', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CN=ipa.example.com                                u,u,u
CN=Certificate Authority,O=EXAMPLE.TEST           ,,
CN=Example-Test-CA-18733                          ,,
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-M', '-n', 'CN=Certificate Authority,O=EXAMPLE.TEST', '-t', 'C,,', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-M', '-n', 'CN=Example-Test-CA-18733', '-t', 'C,,', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-O', '--simple-self-signed', '-n', 'CN=ipa.example.com', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout="CN=Example-Test-CA-18733" [CN=Example-Test-CA-18733]

  "CN=ipa.example.com" [CN=ipa.example.com]
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=Example-Test-CA-18733', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIUSKXOs5Ts26KUUF1PXH87pk0B2vswDQYJKoZIhvcNAQEL
BQAwIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNBLTE4NzMzMB4XDTIxMDQyMzE2
MTQxN1oXDTIxMDQyNjE2MTQxN1owIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNB
LTE4NzMzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDQ/8v3X5b6d
GWVNx1GYxoAeNnNHrOkVeVx40hFwqdy/dOsyFy9MH9IFdgvsmr7Mqw8JUKikPEcT
RM6jFzyE8K3XyV7L5bxkKi5Kn8tOypVgUIH78Hx7wMvre35BGVzWlg5icP3f/BY9
XKKFxrAGXJB/JkeE4EiuPO3MgfS5Yan8mvHebpRy4CyFgO6m404+zycxoT9ANWqQ
1T6xE96dmWp9UvEOiF2Mjpo4AZQavqlvwu3n8db14+Cu2VG6I+spEDbQeZ5IK95z
ulor7YmOqtGl2aQ1zbe27Ua9vuXpHX8xpaJj11tcYBEGxAtfOpIwaUKNk75SUlV5
XufWxrANCQIDAQABo1MwUTAdBgNVHQ4EFgQU+U09h9DA2IHSeywjsUoHRa0zl5ww
HwYDVR0jBBgwFoAU+U09h9DA2IHSeywjsUoHRa0zl5wwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAwyyP13gmLt9XE9KGBsPTcHjL9qd1DkW0g8sQ
RYcxt3ZMOvBgXPmfYoExVaN6CvpCDwxfNVLSxVHdU9nLBrEJoetTh6jQ/2JWq/DX
DOml9Q8fEO7PnJk/+Bv10cgF+owvkQCanZxk7nq9ZezlE2Wvd1t68coJ4TLGZPf4
PVi13hKVlnhu/d4LqBhj6HGgwlit/D2GlShjjEiLr6VXojNUKTN1LmW1ozxOEXOr
rq8c7NvGx3ZWfpthVxuC7xKCi4UOems1PxdkhPnPm2JxL6cqaXayGz1eZu5njSFG
OVo+hF6uY8nAFnZpZ/56l9buVCpD7+VH20aVG34u/FTo86KciQ==
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=Example-Test-CA-18733', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIUSKXOs5Ts26KUUF1PXH87pk0B2vswDQYJKoZIhvcNAQEL
BQAwIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNBLTE4NzMzMB4XDTIxMDQyMzE2
MTQxN1oXDTIxMDQyNjE2MTQxN1owIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNB
LTE4NzMzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDQ/8v3X5b6d
GWVNx1GYxoAeNnNHrOkVeVx40hFwqdy/dOsyFy9MH9IFdgvsmr7Mqw8JUKikPEcT
RM6jFzyE8K3XyV7L5bxkKi5Kn8tOypVgUIH78Hx7wMvre35BGVzWlg5icP3f/BY9
XKKFxrAGXJB/JkeE4EiuPO3MgfS5Yan8mvHebpRy4CyFgO6m404+zycxoT9ANWqQ
1T6xE96dmWp9UvEOiF2Mjpo4AZQavqlvwu3n8db14+Cu2VG6I+spEDbQeZ5IK95z
ulor7YmOqtGl2aQ1zbe27Ua9vuXpHX8xpaJj11tcYBEGxAtfOpIwaUKNk75SUlV5
XufWxrANCQIDAQABo1MwUTAdBgNVHQ4EFgQU+U09h9DA2IHSeywjsUoHRa0zl5ww
HwYDVR0jBBgwFoAU+U09h9DA2IHSeywjsUoHRa0zl5wwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAwyyP13gmLt9XE9KGBsPTcHjL9qd1DkW0g8sQ
RYcxt3ZMOvBgXPmfYoExVaN6CvpCDwxfNVLSxVHdU9nLBrEJoetTh6jQ/2JWq/DX
DOml9Q8fEO7PnJk/+Bv10cgF+owvkQCanZxk7nq9ZezlE2Wvd1t68coJ4TLGZPf4
PVi13hKVlnhu/d4LqBhj6HGgwlit/D2GlShjjEiLr6VXojNUKTN1LmW1ozxOEXOr
rq8c7NvGx3ZWfpthVxuC7xKCi4UOems1PxdkhPnPm2JxL6cqaXayGz1eZu5njSFG
OVo+hF6uY8nAFnZpZ/56l9buVCpD7+VH20aVG34u/FTo86KciQ==
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-V', '-n', 'CN=Example-Test-CA-18733', '-u', 'L', '-e', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-L', '-n', 'CN=ipa.example.com', '-a', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIC0DCCAbgCFCc9MwAk5lUivZzarwqQR4zx7/72MA0GCSqGSIb3DQEBCwUAMCAx
HjAcBgNVBAMMFUV4YW1wbGUtVGVzdC1DQS0xODczMzAeFw0yMTA0MjMxNjE0MTda
Fw0yMTA0MjYxNjE0MTdaMCkxJzAlBgNVBAMMHmNjLXRvZTQubGFiLmVuZy5icnEu
cmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOilqqjv
rDORfKDrt21ggtBfb6n0KMvrtWu21ZqWiuKpzDBJso2cdSRXQJ5B//NshUra6Rvq
5xdG6g/6AgC+SnNUGJ5mss/hcaN+YRvsYedoLbsulTPPvG/wBDFcBh0Wv4AdmrLb
4RpMlz66rnifWPLaAzZG0Yav+mynxCSEW9PZu1KKLUn6MlSReE8Wer0HrGyHu4rn
Q1IeUdxLzOYDE7utJhmvxwlspvtDqScso9BPfRWsZgDUhrWaP97OPaAmcKbyE8Xi
nRIuV9ApUR9BtxizAt7sOttE+2dS+v5EmrDbdhB3wURGhTkF6SiBk760eAt5T8Ji
lgTaJ2jUHjyyC7MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAwQdG4UBCJl1YEJ2g
6EFzuKr1DAbRY19eNnxRy/hTOAitOnxHeKw3KgYZUZPzNjpj30CTuClJytfWsqZw
NykL+Fnpk7rOhDw+zRMHa/9RyUJqjVIfrwf0MPqLO9h6ac6XxlPJ3d2Lzi/RdRnh
+Ssy7QGme5Fz6IpLywXF8ESTdwpYuPKOGoaEt/7URTgWtCHDg8/HWdkn7rzMFJWc
zib63xZ/czF1VziVvE2t/7QzxjVKqJ6Wj6eyZtkxsPGQStjrmZYo+nAB22Y6aMRA
l+2TpdLCfCTmM389O6JbxNZQJ/HxTlv3+jKQt6PawITRmeZlkBZJgZD1dj/+ox0T
ytB6hg==
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiu_h4o8h', '-V', '-n', 'CN=ipa.example.com', '-u', 'V', '-e', '-f', '/tmp/tmpiu_h4o8h/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 129, in run
    self.replace_http_cert()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 167, in replace_http_cert
    cert, key, ca_cert = self.load_pkcs12(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_certinstall.py", line 209, in load_pkcs12
    pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line 938, in load_pkcs12
    nssdb.verify_server_cert_validity(key_nickname, host_name)
  File "/usr/lib/python3.9/site-packages/ipapython/certdb.py", line 977, in verify_server_cert_validity
    cert.match_hostname(hostname)
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 390, in match_hostname
    values = self.san_a_label_dns_names
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 370, in san_a_label_dns_names
    gns = self.__pyasn1_get_san_general_names()
  File "/usr/lib/python3.9/site-packages/ipalib/x509.py", line 354, in __pyasn1_get_san_general_names
    extensions = self.__get_pyasn1_field('extensions') or []
  File "/usr/lib/python3.9/site-packages/pyasn1/type/base.py", line 572, in __bool__
    return bool(self.components)
  File "/usr/lib/python3.9/site-packages/pyasn1/type/univ.py", line 1960, in components
    for idx in sorted(self._componentValues)]
  File "/usr/lib/python3.9/site-packages/pyasn1/type/base.py", line 214, in plug
    raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema object' % name)
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: PyAsn1Error: Attempted "__iter__" operation on ASN.1 schema object
ipapython.admintool: ERROR: Attempted "__iter__" operation on ASN.1 schema object
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            27:3d:33:00:24:e6:55:22:bd:9c:da:af:0a:90:47:8c:f1:ef:fe:f6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example-Test-CA-18733
        Validity
            Not Before: Apr 23 16:14:17 2021 GMT
            Not After : Apr 26 16:14:17 2021 GMT
        Subject: CN = ipa.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e8:a5:aa:a8:ef:ac:33:91:7c:a0:eb:b7:6d:60:
                    82:d0:5f:6f:a9:f4:28:cb:eb:b5:6b:b6:d5:9a:96:
                    8a:e2:a9:cc:30:49:b2:8d:9c:75:24:57:40:9e:41:
                    ff:f3:6c:85:4a:da:e9:1b:ea:e7:17:46:ea:0f:fa:
                    02:00:be:4a:73:54:18:9e:66:b2:cf:e1:71:a3:7e:
                    61:1b:ec:61:e7:68:2d:bb:2e:95:33:cf:bc:6f:f0:
                    04:31:5c:06:1d:16:bf:80:1d:9a:b2:db:e1:1a:4c:
                    97:3e:ba:ae:78:9f:58:f2:da:03:36:46:d1:86:af:
                    fa:6c:a7:c4:24:84:5b:d3:d9:bb:52:8a:2d:49:fa:
                    32:54:91:78:4f:16:7a:bd:07:ac:6c:87:bb:8a:e7:
                    43:52:1e:51:dc:4b:cc:e6:03:13:bb:ad:26:19:af:
                    c7:09:6c:a6:fb:43:a9:27:2c:a3:d0:4f:7d:15:ac:
                    66:00:d4:86:b5:9a:3f:de:ce:3d:a0:26:70:a6:f2:
                    13:c5:e2:9d:12:2e:57:d0:29:51:1f:41:b7:18:b3:
                    02:de:ec:3a:db:44:fb:67:52:fa:fe:44:9a:b0:db:
                    76:10:77:c1:44:46:85:39:05:e9:28:81:93:be:b4:
                    78:0b:79:4f:c2:62:96:04:da:27:68:d4:1e:3c:b2:
                    0b:b3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c1:07:46:e1:40:42:26:5d:58:10:9d:a0:e8:41:73:b8:aa:f5:
         0c:06:d1:63:5f:5e:36:7c:51:cb:f8:53:38:08:ad:3a:7c:47:
         78:ac:37:2a:06:19:51:93:f3:36:3a:63:df:40:93:b8:29:49:
         ca:d7:d6:b2:a6:70:37:29:0b:f8:59:e9:93:ba:ce:84:3c:3e:
         cd:13:07:6b:ff:51:c9:42:6a:8d:52:1f:af:07:f4:30:fa:8b:
         3b:d8:7a:69:ce:97:c6:53:c9:dd:dd:8b:ce:2f:d1:75:19:e1:
         f9:2b:32:ed:01:a6:7b:91:73:e8:8a:4b:cb:05:c5:f0:44:93:
         77:0a:58:b8:f2:8e:1a:86:84:b7:fe:d4:45:38:16:b4:21:c3:
         83:cf:c7:59:d9:27:ee:bc:cc:14:95:9c:ce:26:fa:df:16:7f:
         73:31:75:57:38:95:bc:4d:ad:ff:b4:33:c6:35:4a:a8:9e:96:
         8f:a7:b2:66:d9:31:b0:f1:90:4a:d8:eb:99:96:28:fa:70:01:
         db:66:3a:68:c4:40:97:ed:93:a5:d2:c2:7c:24:e6:33:7f:3d:
         3b:a2:5b:c4:d6:50:27:f1:f1:4e:5b:f7:fa:32:90:b7:a3:da:
         c0:84:d1:99:e6:65:90:16:49:81:90:f5:76:3f:fe:a3:1d:13:
         ca:d0:7a:86
The same failure happens on Fedora 34 with
freeipa-server-4.9.3-2.fc34.x86_64
python3-pyasn1-0.4.8-4.fc34.noarch
as well.
On RHEL 8.4 the same steps pass. The package versions there are
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
python3-pyasn1-0.3.7-6.el8.noarch
IPA should consider this certificate as invalid. It's a v1 cert and misses several mandatory extensions.
What extensions?
I guess it's completely fine for FreeIPA to reject certificates that it deems inappropriate. But the rejection message should state the reason more clearly than
Attempted "__iter__" operation on ASN.1 schema object
That gives the user no guidance on how to fix the problem.
Agreed. Assumptions are made about the available extensions so you get this less-than-useful exception. In fact a big try/except should probably be added where we say invalid cert if it is unparseable, as a fall-back.
Literally all of them :) It's an X509v1 cert and does not have any X509v3 extensions. We should check for the version number and refuse v1 and v2 certs.
It's not all of them. I've just verified that merely adding one of X509v3 Basic Constraints (CA:FALSE), X509v3 Extended Key Usage, or X509v3 Key Usage makes ipa-server-certinstall pass.
I agree that we should reject X.509 v1 certificates, failing with a descriptive error message.
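The traceback above shows why the error is so unhelpful: `self.__get_pyasn1_field('extensions') or []` asks pyasn1 for the truth value of an OPTIONAL field that was never present, and pyasn1 refuses to iterate a bare schema object. The check the thread converges on (read the version first, refuse v1/v2 with a real message) is easy to do directly on the DER. The block below is an added example, not FreeIPA code or the fix in the linked PR: a small TLV walker that reads the version and counts extensions, fed with the two certificates printed in the verbose log (the v1 server certificate and the v3 test CA). The function names and the acceptance policy in `check_server_cert` are the example's own.

```python
# Added example (not FreeIPA's code): minimal DER walk to read the X.509
# version and count v3 extensions, then refuse v1/v2 certs with a clear message.
import base64
import re

# Server certificate from the verbose log: openssl shows "Version: 1 (0x0)", no extensions.
LEAF_V1_PEM = """-----BEGIN CERTIFICATE-----
MIIC0DCCAbgCFCc9MwAk5lUivZzarwqQR4zx7/72MA0GCSqGSIb3DQEBCwUAMCAx
HjAcBgNVBAMMFUV4YW1wbGUtVGVzdC1DQS0xODczMzAeFw0yMTA0MjMxNjE0MTda
Fw0yMTA0MjYxNjE0MTdaMCkxJzAlBgNVBAMMHmNjLXRvZTQubGFiLmVuZy5icnEu
cmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOilqqjv
rDORfKDrt21ggtBfb6n0KMvrtWu21ZqWiuKpzDBJso2cdSRXQJ5B//NshUra6Rvq
5xdG6g/6AgC+SnNUGJ5mss/hcaN+YRvsYedoLbsulTPPvG/wBDFcBh0Wv4AdmrLb
4RpMlz66rnifWPLaAzZG0Yav+mynxCSEW9PZu1KKLUn6MlSReE8Wer0HrGyHu4rn
Q1IeUdxLzOYDE7utJhmvxwlspvtDqScso9BPfRWsZgDUhrWaP97OPaAmcKbyE8Xi
nRIuV9ApUR9BtxizAt7sOttE+2dS+v5EmrDbdhB3wURGhTkF6SiBk760eAt5T8Ji
lgTaJ2jUHjyyC7MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAwQdG4UBCJl1YEJ2g
6EFzuKr1DAbRY19eNnxRy/hTOAitOnxHeKw3KgYZUZPzNjpj30CTuClJytfWsqZw
NykL+Fnpk7rOhDw+zRMHa/9RyUJqjVIfrwf0MPqLO9h6ac6XxlPJ3d2Lzi/RdRnh
+Ssy7QGme5Fz6IpLywXF8ESTdwpYuPKOGoaEt/7URTgWtCHDg8/HWdkn7rzMFJWc
zib63xZ/czF1VziVvE2t/7QzxjVKqJ6Wj6eyZtkxsPGQStjrmZYo+nAB22Y6aMRA
l+2TpdLCfCTmM389O6JbxNZQJ/HxTlv3+jKQt6PawITRmeZlkBZJgZD1dj/+ox0T
ytB6hg==
-----END CERTIFICATE-----"""

# Test CA from the verbose log: a v3 certificate with SKI, AKI and BasicConstraints.
CA_V3_PEM = """-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIUSKXOs5Ts26KUUF1PXH87pk0B2vswDQYJKoZIhvcNAQEL
BQAwIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNBLTE4NzMzMB4XDTIxMDQyMzE2
MTQxN1oXDTIxMDQyNjE2MTQxN1owIDEeMBwGA1UEAwwVRXhhbXBsZS1UZXN0LUNB
LTE4NzMzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDQ/8v3X5b6d
GWVNx1GYxoAeNnNHrOkVeVx40hFwqdy/dOsyFy9MH9IFdgvsmr7Mqw8JUKikPEcT
RM6jFzyE8K3XyV7L5bxkKi5Kn8tOypVgUIH78Hx7wMvre35BGVzWlg5icP3f/BY9
XKKFxrAGXJB/JkeE4EiuPO3MgfS5Yan8mvHebpRy4CyFgO6m404+zycxoT9ANWqQ
1T6xE96dmWp9UvEOiF2Mjpo4AZQavqlvwu3n8db14+Cu2VG6I+spEDbQeZ5IK95z
ulor7YmOqtGl2aQ1zbe27Ua9vuXpHX8xpaJj11tcYBEGxAtfOpIwaUKNk75SUlV5
XufWxrANCQIDAQABo1MwUTAdBgNVHQ4EFgQU+U09h9DA2IHSeywjsUoHRa0zl5ww
HwYDVR0jBBgwFoAU+U09h9DA2IHSeywjsUoHRa0zl5wwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAwyyP13gmLt9XE9KGBsPTcHjL9qd1DkW0g8sQ
RYcxt3ZMOvBgXPmfYoExVaN6CvpCDwxfNVLSxVHdU9nLBrEJoetTh6jQ/2JWq/DX
DOml9Q8fEO7PnJk/+Bv10cgF+owvkQCanZxk7nq9ZezlE2Wvd1t68coJ4TLGZPf4
PVi13hKVlnhu/d4LqBhj6HGgwlit/D2GlShjjEiLr6VXojNUKTN1LmW1ozxOEXOr
rq8c7NvGx3ZWfpthVxuC7xKCi4UOems1PxdkhPnPm2JxL6cqaXayGz1eZu5njSFG
OVo+hF6uY8nAFnZpZ/56l9buVCpD7+VH20aVG34u/FTo86KciQ==
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def inspect_certificate(der):
    """Return the X.509 version (1..3), serial (hex) and number of extensions."""
    tag, pos, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    version = 1                                     # DEFAULT v1 when [0] is absent
    tag, vstart, vend = read_tlv(der, pos)
    if tag == 0xA0:                                 # [0] EXPLICIT Version INTEGER
        _, istart, iend = read_tlv(der, vstart)
        version = int.from_bytes(der[istart:iend], "big") + 1
        pos = vend
    _, sstart, pos = read_tlv(der, pos)             # serialNumber INTEGER
    serial = der[sstart:pos].hex()
    for _ in range(5):                              # skip signature, issuer, validity,
        _, _, pos = read_tlv(der, pos)              # subject, subjectPublicKeyInfo
    ext_count = 0
    while pos < tbs_end:                            # [1]/[2] unique IDs, [3] extensions
        tag, estart, pos = read_tlv(der, pos)
        if tag == 0xA3:                             # Extensions ::= SEQUENCE OF Extension
            _, p, seq_end = read_tlv(der, estart)
            while p < seq_end:
                _, _, p = read_tlv(der, p)
                ext_count += 1
    return {"version": version, "serial": serial, "extension_count": ext_count}


def check_server_cert(der):
    """Example policy: accept only v3 certificates that actually carry extensions."""
    info = inspect_certificate(der)
    if info["version"] < 3:
        return False, "X.509 v%d certificate rejected: a v3 certificate with extensions is required" % info["version"]
    if info["extension_count"] == 0:
        return False, "v3 certificate rejected: it carries no extensions"
    return True, "ok"
```

Run against the two log certificates, `inspect_certificate` reports version 1 with zero extensions for the server certificate (its serial matches the `openssl x509 -text` output above) and version 3 with three extensions for the test CA; `check_server_cert` turns the first into a plain rejection message instead of a pyasn1 schema error. The version check comes before any extension lookup, which is the ordering the thread asks for.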
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/5833
master:
ipa-4-9:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)