With recently released python-cryptography 35+, the configuration of replica fails with:
2021-10-02T05:34:27Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
2021-10-02T05:34:28Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-10-02T05:34:29Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-10-02T05:34:30Z DEBUG certmonger request is in state 'SUBMITTING'
2021-10-02T05:34:32Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-10-02T05:34:32Z DEBUG Cert request 20211002053427 failed: CA_UNREACHABLE (Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)
2021-10-02T05:34:32Z DEBUG Giving up on cert request 20211002053427
2021-10-02T05:34:32Z DEBUG Traceback (most recent call last):
  File "/usr/lib64/python3/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib64/python3/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib64/python3/site-packages/ipaserver/install/dsinstance.py", line 856, in __enable_ssl
    certmonger.request_and_wait_for_cert(
  File "/usr/lib64/python3/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)
2021-10-02T05:34:32Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)
server's httpd log:
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ipa: ERROR: non-public: ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["0", "Extension::critical"] }
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] Traceback (most recent call last):
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipaserver/rpcserver.py", line 405, in wsgi_execute
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     result = command(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 471, in __call__
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     return self.__do_call(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 499, in __do_call
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     ret = self.run(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 821, in run
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     return self.execute(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipaserver/plugins/cert.py", line 719, in execute
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     ext_san = csr.extensions.get_extension_for_oid(
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["0", "Extension::critical"] }
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ipa: INFO: [jsonserver_kerb] host/replica1.ipa.test@IPA.TEST: cert_request('MIIDqzCCApMCAQAwLzERMA8GA1UEChMISVBBLlRFU1QxGjAYBgNVBAMTEXJlcGxpY2ExLmlwYS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5TzQZpKgWu4v4LmX44xRCgA2DcvY4D7Lw/Zyr3uch54gvAUWi2oi/PYVixJQNVHfZIckgrPRO+gtMaFsXuIHgWHjy2TdFNOV5Uav3W07fl28nngmAWd8Sq4W+i7vnBMp62sztE0nomTUe/52D+V3pggCzqVlvFvAg8IqxyavDQ974I13V2SuvJVJ7EnlaCnNZPRXL1ICnszKfIhoLWH8cbBaxHCjZkHEInu87qb9OHNpevrz5OJMX2HG14Ic15I52l0YVTBQQr1AQFGDNpSqt+NeoCSiY9F7nhEXdkgvhk3rMV2nk2XJut9YIsEJYo4SK0pBTxdSUYHsyZqrP/cdFwIDAQABoIIBNTAlBgkqhkiG9w0BCRQxGB4WAFMAZQByAHYAZQByAC0AQwBlAHIAdDCCAQoGCSqGSIb3DQEJDjGB/DCB+TCBkgYDVR0RAQEABIGHMIGEghFyZXBsaWNhMS5pcGEudGVzdKAvBgorBgEEAYI3FAIDoCEMH2xkYXAvcmVwbGljYTEuaXBhLnRlc3RASVBBLlRFU1SgPgYGKwYBBQICoDQwMqAKGwhJUEEuVEVTVKEkMCKgAwIBAaEbMBkbBGxkYXAbEXJlcGxpY2ExLmlwYS50ZXN0MAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFPtLvk2RcgKwKfIo0Cp8Pvp7Xu3wMDIGCSsGAQQBgjcUAgEBAAQiHiAAYwBhAEkAUABBAHMAZQByAHYAaQBjAGUAQwBlAHIAdDANBgkqhkiG9w0BAQsFAAOCAQEA1jEX9uXSAvDjP6ZRxT5Wo2DWy4yqJx5+tO21jrpRgCKuowUhwyzEFiA/WDQ/vy9XGqvcRaRpkdbwrcmefvUCgprOBeNjR1F2aKTHngaH4WbWd4BI0lR0Z1WZuvL2fRGDvOCQAGNVyGvtxV+15olWq7386fEe3PAHF9osXpcH97KifL1+eG2Vkaqo4yylUGme/Rin4vGzxkjGYE+O/ugxtgil5VPs0nrJx0bFWaMLK9yErv9O1V3JSKoLn+yAKxrYQuMBl1nqpAj9P4NWdFsGl3Ubpn4vwitwaq9pkEu0K1Z+CP5FXOyFsgEGKncL4gub8IQC720B25A8YowGTk3BNw==', profile_id='caIPAserviceCert', principal='ldap/replica1.ipa.test@IPA.TEST', add=True): InternalError
The cryptography changelog https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#3500---2021-09-29 warns about:
BACKWARDS INCOMPATIBLE: The :doc:`/x509/index` PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser.
BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.
BACKWARDS INCOMPATIBLE: Invalid ASN.1 found during :doc:`/x509/index` parsing will raise an error on initial parse rather than when the invalid field is accessed.
Metadata Update from @cheimes: - Issue assigned to cheimes
This may be a bug in upstream. I'm investigating.
Sure, thank you.
Parsing fails because certmonger creates invalid DER for extensions. Several extensions have critical=FALSE. Since FALSE is the default, the value must not be encoded.
cm_certext_cert_extension_template has a buggy definition of the critical field. It must be SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN.
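Added example (not code from the ticket, certmonger or python-cryptography) showing the DER rule behind the error: a minimal parser that flags an Extension whose critical BOOLEAN is explicitly encoded as FALSE, and an encoder that produces both the defective and the correct form. The sample bytes are the subjectKeyIdentifier extension decoded from the CSR in the httpd log above.

```python
# An X.509 Extension (RFC 5280) is
#   SEQUENCE { extnID OBJECT IDENTIFIER,
#              critical BOOLEAN DEFAULT FALSE,
#              extnValue OCTET STRING }
# DER (X.690 11.5) forbids encoding a component equal to its DEFAULT, so
# critical=FALSE must be omitted; an explicit "01 01 00" is what cryptography
# 35 rejects as ParseError { kind: EncodedDefault, location: [.., "Extension::critical"] }.

# subjectKeyIdentifier extension as found in the CSR logged above (decoded
# from its base64); note the "010100" between the OID and the OCTET STRING.
CSR_SKI_EXT = bytes.fromhex(
    "3020" "0603551d0e" "010100" "0416"
    "0414fb4bbe4d917202b029f228d02a7c3efa7b5eedf0")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def encode_extension(oid_tlv, extn_value, critical=False, encode_default=False):
    """Build one Extension SEQUENCE (short-form lengths, i.e. values < 128 bytes).
    encode_default=True reproduces the certmonger defect for critical=False."""
    body = oid_tlv
    if critical:
        body += b"\x01\x01\xff"
    elif encode_default:
        body += b"\x01\x01\x00"            # DEFAULT value encoded: invalid DER
    body += bytes([0x04, len(extn_value)]) + extn_value
    return bytes([0x30, len(body)]) + body

def check_extension(der):
    """Parse one Extension; return (critical, problems) listing DER defects found."""
    problems = []
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return None, ["Extension is not a SEQUENCE"]
    tag, _oid, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        problems.append("extnID is not an OBJECT IDENTIFIER")
    critical = False
    tag, val, nxt = _read_tlv(seq, pos)
    if tag == 0x01:                        # optional critical BOOLEAN is present
        if val == b"\x00":
            problems.append("critical=FALSE explicitly encoded (EncodedDefault)")
        elif val != b"\xff":
            problems.append("DER BOOLEAN must be 0x00 or 0xFF")
        critical = val != b"\x00"
        tag, val, nxt = _read_tlv(seq, nxt)
    if tag != 0x04:
        problems.append("extnValue is not an OCTET STRING")
    elif nxt != len(seq):
        problems.append("trailing bytes after extnValue")
    return critical, problems
```

Running `check_extension(CSR_SKI_EXT)` reports the EncodedDefault defect, while the same extension rebuilt with `encode_extension(..., critical=False)` parses clean; a critical=TRUE extension such as the CSR's basicConstraints is valid either way.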
Certmonger bug: https://pagure.io/certmonger/issue/223
The original issue has gone with https://pagure.io/certmonger/pull-request/224, but there are other ones.
@cheimes submitted a PR to python-cryptography to support certmonger's use of an NSS template with explicitly specified 'default' value: https://github.com/alex/rust-asn1/pull/203
Fixed in rawhide certmonger
F35: https://bodhi.fedoraproject.org/updates/FEDORA-2021-08cd0d66af
Rawhide test run just completed and is green: https://openqa.fedoraproject.org/tests/1026351#dependencies
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Mmm, I don't know what the openqa tests are, but I have many failures.
Ok, I will open another issue, this one is fixed.
Note that F35 is in a release freeze right now. There is a certmonger update that will eventually land in Fedora 35 stable and fix this. Rawhide is updated already and OpenQA is running a subset of FreeIPA tests including replica setup.