Holy crap I managed it! Nearly.
don't line up with the upstream release-4-6-9 tag so I can't
quite tell
where it's failing.
I am fairly certain that somehow I didn't revert to the older pynas1
like I thought somehow... I'm not sure what I did differently, but this
time, when apache restarted everything was very broken.
HOWEVER, in desperation I started looking at the code in comparison to
the latest release and in x509.py ln 349, __pyasn1_get_san_general_names
there was this:
der = ext['extnValue']
if pyasn1.__version__.startswith('0.3'):
# pyasn1 <= 0.3.7 needs explicit unwrap of ANY container
# see
https://pagure.io/freeipa/issue/7685
der = decoder.decode(der,
asn1Spec=univ.OctetString())[0]
copying the entire 'if' did not work, but knowing that my pyasn1 is
0.3.7, I tried just pulling it entirely and it worked.
My relief is palpable.
NOW, I still have an issue with the rest of the 'stuck' certs that
NEED_CSR_GEN_PIN—I've tried restarting certmonger and getcert resubmit
individually, but still no luck...
Any advice now?
Sean