Ubuntu
freeipa package

pyasn1 error during certificate renewal

Bug #1902458 reported by Shaav

This bug report will be marked for expiration in 21 days if no further activity occurs. (find out why)

6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)
Incomplete
Undecided
Unassigned

Bug Description

moving from https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774

ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2
python-pyasn1: 0.4.2-3
python-pyasn1-modules: 0.2.1-0.2

Certmonger failed to renew certs on time and they expired. Rolled back the date as per various online suggestions but continually receive the same "903 (RPC failed at server. an internal error has occurred)". Apache error log shows a pyasn1 error (getcert list and apache log excerpt below).

Certs are being generated and appear in the GUI under Authentication > Certificates. 2 new certificates are created each time certmonger tries. for <email address hidden> and <email address hidden>. Notably, trying to view the generated certificates in the gui generates the same 903 / pyasn1 error.

Apache:
-----
[Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
[Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last):
[Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options)
[Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__
[Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__do_call(*args, **options)
[Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call
[Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options)
[Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run
[Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options)
[Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute
[Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj._parse(result, all)
[Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse
[Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_general_names)
[Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names
[Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names()
[Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names
[Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0]
[Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__
[Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
[Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
[Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] <email address hidden>: cert_request(u'MIIDozCCAosCAQAwNDEVMBMGA1UECgwMU0lNUExZV1MuQ09NMRswGQYDVQQDExJpcGEwMS5zaW1wbHl3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaVNd4cdKXfUZk1lwc++sU64iYNoLn7kuN2JWYrt0smsAJrAbKBDIwsnTwmlM16xg/ioibnweTU3+0tYvTftQh3gZMy46hCzdOgyUsjsFvmJS2QklyBM2SPspaIuXJojR87D+AmfsFKAC9EO4+ZjnTRoa32UvjTNCGJwFLn7TAM26iSrWagWza717tTJHwX2Js90hR1RxEdU1TFo/3Thj3r1oBeLJYxoyh7IQeMrKYahmVAAch2KnkAgkDAzb4XNKMxOqoF1tV+pPzk9m1iGRud8lf4QmjIrAxdHM7igXTSAL6ALrD/5w+gw+RNjJmeEb2JyUAd+VJv7s/q1ZKSpQdAgMBAAGgggEoMCsGCSqGSIb3DQEJFDEeHhwAMgAwADEAOAAxADAAMgAxADAAOAAzADcAMgA0MIH4BgkqhkiG9w0BCQ4xgeowgecwfwYDVR0RAQEABHUwc6AwBgorBgEEAYI3FAIDoCIMIGtyYnRndC9TSU1QTFlXUy5DT01AU0lNUExZV1MuQ09NoD8GBisGAQUCAqA1MDOgDhsMU0lNUExZV1MuQ09NoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxTSU1QTFlXUy5DT00wDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUwwx6Pted7FRZ4JUOLne9svpuVCwwNAYJKwYBBAGCNxQCAQEABCQeIgBLAEQAQwBzAF8AUABLAEkATgBJAFQAXwBDAGUAcgB0AHMwDQYJKoZIhvcNAQELBQADggEBAH6kQREhM1h+Plpzqcn80+UO/HtExe+JQiXewyIc4CEBSvZFb7nC7bF0aAGgzV4lJQyInbBNCRJHz7J2BUctrMimdnZsL56iz3e/HHOpcAMagmlco5rpxVnvBbSSzrYrH5NQa+8FdbjLT50LP3g3MEjegIdjDG/n9+Mh6vlEhi6dAzLeRk60pqW8m4FdWYd9mjDmEm3uaC/v1sUwjKNq8XdGuu+ZICw3nTPA3/1vDAE5CB0m5g6lN1jGth8f/eLHm9DEAVUOw5b+1xYoGCwkmG8/l2Z2MgIwIxQrcKggzZV/gzOeETzF62tSjABCDZV1rIWUNdNSAfSlgpbO1krylw0=', profile_id=u'KDCs_PKINIT_Certs', <email address hidden>', add=True, version=u'2.51'): InternalError
-----

getcert list:
-----
Number of certificates and requests being tracked: 9.
Request ID '20181021083324':
 status: MONITORING
 stuck: no
 key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
 certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=IPA RA,O=MYREALM.COM
 expires: 2022-09-02 02:33:38 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
 post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
 track: yes
 auto-renew: yes
Request ID '20181021083404':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=localhost
 expires: 2022-09-05 12:15:19 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20181021083405':
 status: NEED_CSR_GEN_TOKEN
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=localhost
 expires: 2020-10-13 12:14:21 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20181021083406':
 status: NEED_CSR_GEN_TOKEN
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=localhost
 expires: 2020-10-13 12:15:01 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20181021083407':
 status: NEED_CSR_GEN_TOKEN
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=localhost
 expires: 2020-10-10 02:34:28 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20181021083408':
 status: NEED_CSR_GEN_TOKEN
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=localhost
 expires: 2020-10-13 12:14:29 MDT
 key usage: digitalSignature,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20181021083613':
 status: CA_UNREACHABLE
 ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
 stuck: no
 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt'
 certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=ipa01.mydomain.com,O=MYREALM.COM
 expires: 2020-10-21 02:36:13 MDT
 dns: ipa01.mydomain.com
 principal name: <email address hidden>
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib/ipa/certmonger/restart_dirsrv MYREALM-COM
 track: yes
 auto-renew: yes
Request ID '20181021083714':
 status: NEED_CSR_GEN_PIN
 stuck: yes
 key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA'
 certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
 CA: IPA
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=ipa01.mydomain.com,O=MYREALM.COM
 expires: 2020-10-21 02:37:17 MDT
 dns: ipa01.mydomain.com
 principal name: <email address hidden>
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib/ipa/certmonger/restart_httpd
 track: yes
 auto-renew: yes
Request ID '20181021083724':
 status: CA_UNREACHABLE
 ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
 stuck: no
 key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
 certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
 CA: IPA
 issuer: CN=Certificate Authority,O=MYREALM.COM
 subject: CN=ipa01.mydomain.com,O=MYREALM.COM
 expires: 2020-10-21 02:37:25 MDT
 principal name: <email address hidden>
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-pkinit-KPKdc
 pre-save command:
 post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
 track: yes
 auto-renew: yes

Revision history for this message
Shaav (shaav) wrote :

I did finally track down the problem.

in the most recent version of x509.py, in the definition of '__pyasn1_gen_san_general_names' (about line 350)

there is a comment:

# pyasn1 <= 0.3.7 needs explicit unwrap of ANY container
# see https://pagure.io/freeipa/issue/7685

Apparently > 0.3.7 needs to *not* be unwrapped (I don't know what that means) but in my version of x509.py changing line 349:

der = decoder.decode(ext['extnValue'], asn1Spec=univ.OctetString())[0]
>
 der = ext['extnValue']

fixed the problem.

In case someone else comes across this.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Please send your findings upstream. They say that this was tested with 0.3.7 and 0.4.4, so it's a bit surprising if it breaks here.

Changed in freeipa (Ubuntu):
status: New → Incomplete
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

oh, this is an old bug.. mind testing on noble/24.04 when possible? :)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.