#9005 Incompatibilities against python-cryptography 35+
Closed: fixed 7 months ago by abbra. Opened 7 months ago by slev.

With recently released python-cryptography 35+, the configuration of replica fails with:

2021-10-02T05:34:27Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
2021-10-02T05:34:28Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-10-02T05:34:29Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-10-02T05:34:30Z DEBUG certmonger request is in state 'SUBMITTING'
2021-10-02T05:34:32Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-10-02T05:34:32Z DEBUG Cert request 20211002053427 failed: CA_UNREACHABLE (Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)
2021-10-02T05:34:32Z DEBUG Giving up on cert request 20211002053427
2021-10-02T05:34:32Z DEBUG Traceback (most recent call last):
  File "/usr/lib64/python3/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib64/python3/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib64/python3/site-packages/ipaserver/install/dsinstance.py", line 856, in __enable_ssl
    certmonger.request_and_wait_for_cert(
  File "/usr/lib64/python3/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)

2021-10-02T05:34:32Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://master1.ipa.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)

server's httpd log:

[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ipa: ERROR: non-public: ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["0", "Extension::critical"] }
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] Traceback (most recent call last):
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipaserver/rpcserver.py", line 405, in wsgi_execute
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     result = command(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 471, in __call__
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     return self.__do_call(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 499, in __do_call
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     ret = self.run(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipalib/frontend.py", line 821, in run
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     return self.execute(*args, **options)
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]   File "/usr/lib64/python3/site-packages/ipaserver/plugins/cert.py", line 719, in execute
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024]     ext_san = csr.extensions.get_extension_for_oid(
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["0", "Extension::critical"] }
[wsgi:error] [pid 4733:tid 140194794214976] [remote 2001:db8:1:1::2:47024] ipa: INFO: [jsonserver_kerb] host/replica1.ipa.test@IPA.TEST: cert_request('[CSR omitted]', profile_id='caIPAserviceCert', principal='ldap/replica1.ipa.test@IPA.TEST', add=True): InternalError

The cryptography changelog https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#3500---2021-09-29
warns about:

BACKWARDS INCOMPATIBLE: The :doc:/x509/index PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser.
BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.
BACKWARDS INCOMPATIBLE: Invalid ASN.1 found during :doc:/x509/index parsing will raise an error on initial parse rather than when the invalid field is accessed.


Metadata Update from @cheimes:
- Issue assigned to cheimes

7 months ago

This may be a bug in upstream. I'm investigating.

Parsing fails because certmonger creates invalid DER for extensions. Several extensions have critical=FALSE. Since FALSE is the default, the value must not be encoded.

cm_certext_cert_extension_template has a buggy definition of the critical field. It must be SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN.
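To make the DER rule in the comment above concrete, here is an added example (not code from this issue, certmonger or python-cryptography): a tiny encoder and strict decoder for a single X.509 Extension. The decoder enforces what DER requires for a field declared `critical BOOLEAN DEFAULT FALSE`: when the value is the default it must be omitted, so an explicitly encoded FALSE is rejected with an "EncodedDefault" error, the same condition the httpd log reports. The subjectAltName value used as input is constructed for the example.

```python
# Extension ::= SEQUENCE {
#     extnID     OBJECT IDENTIFIER,
#     critical   BOOLEAN DEFAULT FALSE,
#     extnValue  OCTET STRING }
SEQUENCE, OID, BOOLEAN, OCTET_STRING = 0x30, 0x06, 0x01, 0x04


class DerError(ValueError):
    """Input is not a DER-encoded Extension (it may still be valid BER)."""


def der_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 with continuation bit on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OID, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_extension(oid: str, value: bytes, critical: bool,
                     encode_default: bool = False) -> bytes:
    """DER-encode an Extension. encode_default=True reproduces the faulty
    encoding (explicit critical=FALSE) so the decoder can be exercised on it."""
    body = encode_oid(oid)
    if critical or encode_default:
        body += tlv(BOOLEAN, b"\xff" if critical else b"\x00")
    body += tlv(OCTET_STRING, value)
    return tlv(SEQUENCE, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after this element)."""
    if pos + 2 > len(buf):
        raise DerError("truncated element")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise DerError("length exceeds buffer")
    return tag, buf[pos:pos + ln], pos + ln


def parse_extension(der: bytes) -> dict:
    """Strict DER parse: an explicitly encoded default is an error."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise DerError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != OID:
        raise DerError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == BOOLEAN:
        if val == b"\x00":
            raise DerError("EncodedDefault: critical=FALSE must be omitted in DER")
        if val != b"\xff":
            raise DerError("DER BOOLEAN TRUE must be encoded as 0xFF")
        critical = True
        tag, val, pos = read_tlv(body, pos)
    if tag != OCTET_STRING or pos != len(body):
        raise DerError("expected extnValue OCTET STRING as the last field")
    return {"oid": decode_oid(oid), "critical": critical, "value": val}


def der_problem(der: bytes):
    """None if the Extension is valid DER, otherwise the reason it was rejected."""
    try:
        parse_extension(der)
        return None
    except DerError as e:
        return str(e)


# Constructed sample (not from the issue): subjectAltName (2.5.29.17) holding
# one dNSName, i.e. [2] IMPLICIT IA5String inside a GeneralNames SEQUENCE.
SAN_OID = "2.5.29.17"
SAN_VALUE = tlv(SEQUENCE, tlv(0x82, b"replica1.ipa.test"))

GOOD = encode_extension(SAN_OID, SAN_VALUE, critical=False)
BAD = encode_extension(SAN_OID, SAN_VALUE, critical=False, encode_default=True)
CRITICAL = encode_extension(SAN_OID, SAN_VALUE, critical=True)

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD), ("critical", CRITICAL)):
        print(name, blob.hex(), "->", der_problem(blob) or parse_extension(blob))
```

`GOOD` and `BAD` differ only by the three octets `01 01 00` after the OID; a lenient BER decoder accepts both, which is why the problem only surfaced once the parser started enforcing DER at parse time.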

The original issue has gone with https://pagure.io/certmonger/pull-request/224, but there are other ones.

@cheimes submitted a PR to python-cryptography to support certmonger's use of an NSS template with explicitly specified 'default' value: https://github.com/alex/rust-asn1/pull/203

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 months ago

Mmm, I don't know what the openqa tests are, but I have many failures.

Ok, I will open another issue, this one is fixed.

Note that F35 is in a release freeze right now. There is a certmonger update that will eventually land in Fedora 35 stable and fix this. Rawhide is updated already and OpenQA is running a subset of FreeIPA tests including replica setup.
