← Back to team overview

freeipa team mailing list archive

[Bug 1902458] Re: pyasn1 error during certificate renewal

 

Please send your findings upstream. They say that this was tested with
0.3.7 and 0.4.4, so it's a bit surprising if it breaks here.

** Changed in: freeipa (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1902458

Title:
  pyasn1 error during certificate renewal

Status in freeipa package in Ubuntu:
  Incomplete

Bug description:
  moving from
  https://answers.launchpad.net/ubuntu/+source/freeipa/+question/693774

  ubuntu 18.04, 4.7.0~pre1+git20180411-2ubuntu2
  python-pyasn1: 0.4.2-3
  python-pyasn1-modules: 0.2.1-0.2

  Certmonger failed to renew certs on time and they expired. Rolled back
  the date as per various online suggestions but continually receive the
  same "903 (RPC failed at server. an internal error has occurred)".
  Apache error log shows a pyasn1 error (getcert list and apache log
  excerpt below).

  Certs are being generated and appear in the GUI under Authentication >
  Certificates. 2 new certificates are created each time certmonger
  tries. for krbtgt/MYREALM.COM@xxxxxxxxxxx and
  ldap/ipa01.mydomain.com@xxxxxxxxxxx. Notably, trying to view the
  generated certificates in the gui generates the same 903 / pyasn1
  error.

  
  Apache:
  -----
  [Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
  [Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last):
  [Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
  [Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options)
  [Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__
  [Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__do_call(*args, **options)
  [Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call
  [Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options)
  [Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run
  [Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options)
  [Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute
  [Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj._parse(result, all)
  [Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse
  [Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_general_names)
  [Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names
  [Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__pyasn1_get_san_general_names()
  [Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names
  [Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=univ.OctetString())[0]
  [Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__
  [Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
  [Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
  [Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] host/ipa01.mydomain.com@xxxxxxxxxxx: cert_request(u'MIIDozCCAosCAQAwNDEVMBMGA1UECgwMU0lNUExZV1MuQ09NMRswGQYDVQQDExJpcGEwMS5zaW1wbHl3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaVNd4cdKXfUZk1lwc++sU64iYNoLn7kuN2JWYrt0smsAJrAbKBDIwsnTwmlM16xg/ioibnweTU3+0tYvTftQh3gZMy46hCzdOgyUsjsFvmJS2QklyBM2SPspaIuXJojR87D+AmfsFKAC9EO4+ZjnTRoa32UvjTNCGJwFLn7TAM26iSrWagWza717tTJHwX2Js90hR1RxEdU1TFo/3Thj3r1oBeLJYxoyh7IQeMrKYahmVAAch2KnkAgkDAzb4XNKMxOqoF1tV+pPzk9m1iGRud8lf4QmjIrAxdHM7igXTSAL6ALrD/5w+gw+RNjJmeEb2JyUAd+VJv7s/q1ZKSpQdAgMBAAGgggEoMCsGCSqGSIb3DQEJFDEeHhwAMgAwADEAOAAxADAAMgAxADAAOAAzADcAMgA0MIH4BgkqhkiG9w0BCQ4xgeowgecwfwYDVR0RAQEABHUwc6AwBgorBgEEAYI3FAIDoCIMIGtyYnRndC9TSU1QTFlXUy5DT01AU0lNUExZV1MuQ09NoD8GBisGAQUCAqA1MDOgDhsMU0lNUExZV1MuQ09NoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxTSU1QTFlXUy5DT00wDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUwwx6Pted7FRZ4JUOLne9svpuVCwwNAYJKwYBBAGCNxQCAQEABCQeIgBLAEQAQwBzAF8AUABLAEkATgBJAFQAXwBDAGUAcgB0AHMwDQYJKoZIhvcNAQELBQADggEBAH6kQREhM1h+Plpzqcn80+UO/HtExe+JQiXewyIc4CEBSvZFb7nC7bF0aAGgzV4lJQyInbBNCRJHz7J2BUctrMimdnZsL56iz3e/HHOpcAMagmlco5rpxVnvBbSSzrYrH5NQa+8FdbjLT50LP3g3MEjegIdjDG/n9+Mh6vlEhi6dAzLeRk60pqW8m4FdWYd9mjDmEm3uaC/v1sUwjKNq8XdGuu+ZICw3nTPA3/1vDAE5CB0m5g6lN1jGth8f/eLHm9DEAVUOw5b+1xYoGCwkmG8/l2Z2MgIwIxQrcKggzZV/gzOeETzF62tSjABCDZV1rIWUNdNSAfSlgpbO1krylw0=', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx', add=True, version=u'2.51'): InternalError
  -----

  getcert list:
  -----
  Number of certificates and requests being tracked: 9.
  Request ID '20181021083324':
   status: MONITORING
   stuck: no
   key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
   certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=IPA RA,O=MYREALM.COM
   expires: 2022-09-02 02:33:38 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
   post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
   track: yes
   auto-renew: yes
  Request ID '20181021083404':
   status: MONITORING
   stuck: no
   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=localhost
   expires: 2022-09-05 12:15:19 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
   post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
   track: yes
   auto-renew: yes
  Request ID '20181021083405':
   status: NEED_CSR_GEN_TOKEN
   stuck: yes
   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=localhost
   expires: 2020-10-13 12:14:21 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
   post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
   track: yes
   auto-renew: yes
  Request ID '20181021083406':
   status: NEED_CSR_GEN_TOKEN
   stuck: yes
   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=localhost
   expires: 2020-10-13 12:15:01 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
   post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
   track: yes
   auto-renew: yes
  Request ID '20181021083407':
   status: NEED_CSR_GEN_TOKEN
   stuck: yes
   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=localhost
   expires: 2020-10-10 02:34:28 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
   post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
   track: yes
   auto-renew: yes
  Request ID '20181021083408':
   status: NEED_CSR_GEN_TOKEN
   stuck: yes
   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
   CA: dogtag-ipa-ca-renew-agent
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=localhost
   expires: 2020-10-13 12:14:29 MDT
   key usage: digitalSignature,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
   post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
   track: yes
   auto-renew: yes
  Request ID '20181021083613':
   status: CA_UNREACHABLE
   ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
   stuck: no
   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt'
   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS Certificate DB'
   CA: IPA
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=ipa01.mydomain.com,O=MYREALM.COM
   expires: 2020-10-21 02:36:13 MDT
   dns: ipa01.mydomain.com
   principal name: ldap/ipa01.mydomain.com@xxxxxxxxxxx
   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command:
   post-save command: /usr/lib/ipa/certmonger/restart_dirsrv MYREALM-COM
   track: yes
   auto-renew: yes
  Request ID '20181021083714':
   status: NEED_CSR_GEN_PIN
   stuck: yes
   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA'
   certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
   CA: IPA
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=ipa01.mydomain.com,O=MYREALM.COM
   expires: 2020-10-21 02:37:17 MDT
   dns: ipa01.mydomain.com
   principal name: HTTP/ipa01.mydomain.com@xxxxxxxxxxx
   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-kp-clientAuth
   pre-save command:
   post-save command: /usr/lib/ipa/certmonger/restart_httpd
   track: yes
   auto-renew: yes
  Request ID '20181021083724':
   status: CA_UNREACHABLE
   ca-error: Server at https://ipa01.mydomain.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
   stuck: no
   key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
   certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
   CA: IPA
   issuer: CN=Certificate Authority,O=MYREALM.COM
   subject: CN=ipa01.mydomain.com,O=MYREALM.COM
   expires: 2020-10-21 02:37:25 MDT
   principal name: krbtgt/MYREALM.COM@xxxxxxxxxxx
   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
   eku: id-kp-serverAuth,id-pkinit-KPKdc
   pre-save command:
   post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
   track: yes
   auto-renew: yes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1902458/+subscriptions



References