The nightly test test_acme.py::TestACME::test_certbot_certonly_standalone is failing when the repository updates-testing is enabled. See PR #2279 with the following logs and report:
test_acme.py::TestACME::test_certbot_certonly_standalone
self = <ipatests.test_integration.test_acme.TestACME object at 0x7faaa47b8890>

    @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
    def test_certbot_certonly_standalone(self):
>       certbot_standalone_cert(self.clients[0], self.acme_server)

test_integration/test_acme.py:262:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test_integration/test_acme.py:127: in certbot_standalone_cert
    host.run_command(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <ipatests.pytest_ipa.integration.host.Host client0.ipa.test (client)>
argv = ['certbot', '--server', 'https://ipa-ca.ipa.test/acme/directory', 'certonly', '--domain', 'client0.ipa.test', ...]
set_env = True, stdin_text = None, log_stdout = True, raiseonerr = True
cwd = None, bg = False, encoding = 'utf-8', ok_returncode = 0

    def run_command(self, argv, set_env=True, stdin_text=None,
                    log_stdout=True, raiseonerr=True, cwd=None, bg=False,
                    encoding='utf-8', ok_returncode=0):
        """Wrapper around run_command to log stderr on raiseonerr=True

        :param ok_returncode: return code considered to be correct,
                              you can pass an integer or sequence of integers
        """
        result = super().run_command(
            argv, set_env=set_env, stdin_text=stdin_text,
            log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
            encoding=encoding
        )
        # in FIPS mode SSH may print noise to stderr, remove the string
        # "FIPS mode initialized" + optional newline.
        result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
        try:
            result_ok = result.returncode in ok_returncode
        except TypeError:
            result_ok = result.returncode == ok_returncode
        if not result_ok and raiseonerr:
            result.log.error('stderr: %s', result.stderr_text)
>           raise subprocess.CalledProcessError(
                result.returncode, argv,
                result.stdout_text, result.stderr_text
            )
E           subprocess.CalledProcessError: Command '['certbot', '--server', 'https://ipa-ca.ipa.test/acme/directory', 'certonly', '--domain', 'client0.ipa.test', '--standalone']' returned non-zero exit status 1.

pytest_ipa/integration/host.py:202: CalledProcessError
------------------------------ Captured stderr call ------------------------------
ipa: ERROR: stderr: Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
acme.errors.ClientError: <Response [500]>
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Test scenario:
- configure ipa server
- enable ACME with ipa-acme-manage enable on the server
- register the client with certbot --server https://ipa-ca.ipa.test/acme/directory register -m nobody@example.test --agree-tos --no-eff-email
- stop httpd on the client
- request a cert on the client with certbot --server https://ipa-ca.ipa.test/acme/directory certonly --domain client.ipa.test --standalone
ipa-acme-manage enable
certbot --server https://ipa-ca.ipa.test/acme/directory register -m nobody@example.test --agree-tos --no-eff-email
certbot --server https://ipa-ca.ipa.test/acme/directory certonly --domain client.ipa.test --standalone
The request fails with
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for client0.ipa.test
An unexpected error occurred:
acme.errors.ClientError: <Response [500]>
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Exit code: 1
The logs on the client show the response received from the server:
org.jboss.resteasy.spi.UnhandledException: java.lang.Exception: Unable to generate certificate: Key Type RSA Not Matched
Installed packages:
dogtag-pki-server-11.2.0-2.fc37.noarch
openssl-3.0.5-3.fc37.x86_64
crypto-policies-20220815-1.gite4ed860.fc37.noarch
tomcat-9.0.68-1.fc37.noarch
Metadata Update from @frenaud:
- Issue tagged with: test-failure
The issue looks related to certbot update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-aa1ab5fd99
With an old certbot package (1.32.0-1.fc37), the log in /var/log/letsencrypt/letsencrypt.log shows that the key is an RSA key:
certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
But with the new certbot package, the key is ECDSA:
certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Opening an issue against pki, for them to investigate if their acme server supports ECDSA keys: https://github.com/dogtagpki/pki/issues/4273
Metadata Update from @frenaud:
- Issue tagged with: tracker
Metadata Update from @frenaud:
- Custom field changelog adjusted to: With Certbot update to 2.0.0, Certbot defaults to ECDSA certificate private keys for all new certificates. PKI ACME cert profile supports only rsa private keys, meaning that the key type needs to be forced to rsa when requesting an ACME certificate, using certbot --key-type rsa [...]
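The changelog above says the key type must be forced to RSA; the Python check below is added here (it is not part of the ticket, certbot or FreeIPA) and reports whether a PEM private key such as the one certbot writes to /etc/letsencrypt/keys/0000_key-certbot.pem is RSA or ECDSA, by decoding the PKCS#8 AlgorithmIdentifier OID without any third-party library, so a client can confirm that --key-type rsa took effect before the request reaches the PKI ACME profile. The two sample keys in the block are constructed PKCS#8 headers around a dummy body, not real keys.

```python
import base64
import re
# AlgorithmIdentifier OIDs in a PKCS#8 PrivateKeyInfo (RFC 5208, RFC 5480)
OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey (ECDSA keys)

def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_type(pem):
    """Return 'RSA', 'ECDSA' or 'unknown' for a PEM-encoded private key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":         # traditional PKCS#1 encoding
        return "RSA"
    if label == "EC PRIVATE KEY":          # traditional SEC1 encoding
        return "ECDSA"
    der = base64.b64decode("".join(body.split()))
    # PKCS#8: SEQUENCE { INTEGER version, SEQUENCE { OID algorithm, ... }, OCTET STRING }
    _, start, _ = _read_tlv(der, 0)        # outer SEQUENCE
    _, _, vend = _read_tlv(der, start)     # version INTEGER
    _, algstart, _ = _read_tlv(der, vend)  # AlgorithmIdentifier SEQUENCE
    _, ostart, oend = _read_tlv(der, algstart)  # algorithm OID
    return {OID_RSA: "RSA", OID_EC: "ECDSA"}.get(_decode_oid(der[ostart:oend]), "unknown")

def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % b64

# Constructed samples: genuine PKCS#8 headers around a 3-byte dummy key body, not real keys.
SAMPLE_RSA = _pem(bytes.fromhex("3017020100300d06092a864886f70d01010105000403aabbcc"))
SAMPLE_ECDSA = _pem(bytes.fromhex("301d020100301306072a8648ce3d020106082a8648ce3d0301070403aabbcc"))
```

Run key_type() on the file certbot names in its "Generating ... key" log line; an ECDSA result on a client talking to the PKI ACME server means --key-type rsa was not applied.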
master:
ipa-4-9:
ipa-4-10: