#8880 CA_less ipa-server-install fails if CA cert subject contains non ascii chars
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

Issue

In a CA-less setup, if the CA certificate subject contains non-ASCII characters, ipa-server-install fails with a UnicodeDecodeError.

Steps to Reproduce

  1. Create a CA with subject CN=CA,O=España
  2. With this CA, create http and dirsrv certificates CN=server.ipa.test,O=España
  3. Install the server with ipa-server-install --http-cert-file .. --dirsrv-cert-file .. --ca-cert-file

Actual behavior

ipa-server-install fails when configuring SSL for HTTPd:

Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: backing up ssl.conf
  [3/20]: disabling nss.conf
  [4/20]: configuring mod_ssl certificate paths
  [5/20]: setting mod_ssl protocol list
  [6/20]: configuring mod_ssl log directory
  [7/20]: disabling mod_ssl OCSP
  [8/20]: adding URL rewriting rules
  [9/20]: configuring httpd
  [10/20]: setting up httpd keytab
  [11/20]: configuring Gssproxy
  [12/20]: setting up ssl
  [error] UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 67: invalid continuation byte
'utf-8' codec can't decode byte 0xd1 in position 67: invalid continuation byte
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected behavior

The installation should succeed.

Version/Release/Distribution

freeipa-server-4.9.3-4.fc34.x86_64
freeipa-client-4.9.3-4.fc34.x86_64
389-ds-base-2.0.5-1.fc34.x86_64
pki-ca-10.10.5-6.fc34.noarch
krb5-server-1.19.1-3.fc34.x86_64

Additional info:

Traceback:

2021-06-09T16:43:35Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 331, in __setup_ssl
    p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/certs.py", line 106, in pkcs12_to_certkeys
    pems = ipautil.run(args, capture_output=True).raw_output
  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 585, in run
    output = stdout.decode(encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 67: invalid continuation byte
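
Added example, not FreeIPA's code and not the fix from the commits listed below: the traceback shows the whole output of a certificate-dumping command being decoded as UTF-8, so one non-UTF-8 byte in a human-readable header line aborts the step even though the PEM blocks themselves are plain ASCII. The sketch below parses the PEM blocks from raw bytes and decodes nothing else; the function names, the sample bytes and the placeholder payload are constructed for illustration.

```python
import base64
import re

# Constructed sample of a PEM dump with attribute headers. The subject line
# holds the byte 0xd1 from the error message; the base64 body is a placeholder,
# not a real certificate.
SAMPLE = (
    b"Bag Attributes\n"
    b"subject=/CN=CA/O=ESPA\xd1A\n"
    b"-----BEGIN CERTIFICATE-----\n"
    b"TUlJQ29uc3RydWN0ZWQ=\n"
    b"-----END CERTIFICATE-----\n"
)

# PEM armor and base64 bodies are ASCII, so match them on bytes directly.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def extract_pem_blocks(raw: bytes) -> list[tuple[str, bytes]]:
    """Return (label, decoded payload) for each PEM block found in raw bytes.

    Header lines such as 'subject=' are never decoded, so their encoding
    cannot break the parse.
    """
    blocks = []
    for match in PEM_RE.finditer(raw):
        label = match.group(1).decode("ascii")
        # b64decode without validation skips the line breaks in the body.
        payload = base64.b64decode(match.group(2))
        blocks.append((label, payload))
    return blocks


def printable(raw: bytes) -> str:
    """Decode for logging only: undecodable bytes become \\xNN escapes."""
    return raw.decode("utf-8", errors="backslashreplace")


if __name__ == "__main__":
    try:
        SAMPLE.decode("utf-8")  # the strict decode seen in the traceback
    except UnicodeDecodeError as exc:
        print("strict decode fails:", exc)
    print(extract_pem_blocks(SAMPLE))
    print(printable(SAMPLE))
```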

Metadata Update from @frenaud:
- Issue assigned to frenaud

2 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5823

2 years ago

master:

  • fb74866 CA-less install: non-ASCII chars in CA cert subject
  • 0faddc9 ipatests: use non-ascii chars in CA-less install

ipa-4-9:

  • 7b278b6 CA-less install: non-ASCII chars in CA cert subject
  • 4b040e1 ipatests: use non-ascii chars in CA-less install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1973023

2 years ago
