On 2 Apr 2024, at 22:29, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: Djerk Geurts via FreeIPA-users wrote: > Hi, > > A month or so ago we upgraded from Fedora 37 to 39. I guess this is the > first time I’m getting round to requesting a new certificate, and it’s > failing from a server we use to manage several certificates for non-IPA > client hosts. > > Output of ipa-getcert list: > > Request ID '20240402190326': > status: CA_UNREACHABLE > ca-error: Server at https://ipa.domain.com/ipa/xml failed > request, will retry: 903 (RPC failed at server. an internal error has > occurred). > stuck: no > key pair storage: > type=FILE,location='/etc/ssl/private/host.domain.com.key' > certificate: type=FILE,location='/etc/ssl/certs/host.domain.com.crt' > CA: IPA > issuer: > subject: > expires: unknown > pre-save command: > post-save command: > track: yes > auto-renew: yes > > The httpd log on the IPA server: > > [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only > single-valued attributes are supported > [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] Traceback (most recent call last): > [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] File > "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in > wsgi_execute > [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] result = command(*args, **options) > [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^ > [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] File > "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in > __call__ > [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] return self.__do_call(*args, **options) > [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] File > "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in > __do_call > [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ret = self.run(*args, **options) > [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^ > [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] File > "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run > [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] return self.execute(*args, **options) > [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] File > "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, > in execute > [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ext_san = csr.extensions.get_extension_for_oid( > [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^ > [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are > supported > [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] > [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] > host/jump.domain.com(a)DOMAIN.COM: cert_request(‘MIID**********d1A==', > principal=&#39;HTTP/host.domain.com(a)DOMAIN.COM&#39;, add=True, version='2.51'): > InternalError > > The requesting machine is allowed to manage both the host and the > service. Requesting the certificate on the IPA server itself works fine. > I’ve read elsewhere that this could be an incompatibility between the > client and the server. > > Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6 > Server: Fedora 39, ipa-server: v4.11.1 Can we see the whole CSR? You should be able to find it in the certmonger request file in /var/lib/certmonger/requests/<some value> Sometimes the value matches the Request ID but not always. It is the parsing of the CSR where it blew up, getting multiple values where only one was expected. rob

On 3 Apr 2024, at 00:27, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: I can reproduce the issue with your CSR but I don't know yet what python-cryptography doesn't like about it. Older versions of python-cryptography yield different errors but the issue is still elusive. I'm looking at the ASN1 encoding. What version of certmonger is installed on the machine that made the request? rob Djerk Geurts via FreeIPA-users wrote: > Hi Rob, > > > I can’t see any difference between this CSR and others that worked > before. Could it be an issue with an updated version of ipa-client or > openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and > that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu > 22.04 have v3.0.2. > > The certificate ws requested with: sudo ipa-getcert request -N > ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f > /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} | > awk 'NF>1{print $NF}’) > > Which has worked fine for us for over two years. > > Thanks, > Djerk Geurts > >> On 2 Apr 2024, at 22:29, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: >> >> Djerk Geurts via FreeIPA-users wrote: >>> Hi, >>> >>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the >>> first time I’m getting round to requesting a new certificate, and it’s >>> failing from a server we use to manage several certificates for non-IPA >>> client hosts. >>> >>> Output of ipa-getcert list: >>> >>> Request ID '20240402190326': >>> status: CA_UNREACHABLE >>> ca-error: Server at https://ipa.domain.com/ipa/xml failed >>> request, will retry: 903 (RPC failed at server. an internal error has >>> occurred). >>> stuck: no >>> key pair storage: >>> type=FILE,location='/etc/ssl/private/host.domain.com.key' >>> certificate: >>> type=FILE,location='/etc/ssl/certs/host.domain.com.crt' >>> CA: IPA >>> issuer: >>> subject: >>> expires: unknown >>> pre-save command: >>> post-save command: >>> track: yes >>> auto-renew: yes >>> >>> The httpd log on the IPA server: >>> >>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only >>> single-valued attributes are supported >>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] Traceback (most recent call last): >>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] File >>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in >>> wsgi_execute >>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] result = command(*args, **options) >>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^ >>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] File >>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in >>> __call__ >>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] return self.__do_call(*args, **options) >>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] File >>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in >>> __do_call >>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ret = self.run(*args, **options) >>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^ >>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] File >>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run >>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] return self.execute(*args, **options) >>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] File >>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, >>> in execute >>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ext_san = >>> csr.extensions.get_extension_for_oid( >>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^ >>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are >>> supported >>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] >>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] >>> host/jump.domain.com(a)DOMAIN.COM: cert_request(‘MIID**********d1A==', >>> principal=&#39;HTTP/host.domain.com(a)DOMAIN.COM&#39;, add=True, version='2.51'): >>> InternalError >>> >>> The requesting machine is allowed to manage both the host and the >>> service. Requesting the certificate on the IPA server itself works fine. >>> I’ve read elsewhere that this could be an incompatibility between the >>> client and the server. >>> >>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6 >>> Server: Fedora 39, ipa-server: v4.11.1 >> >> Can we see the whole CSR? You should be able to find it in the >> certmonger request file in /var/lib/certmonger/requests/<some value> >> Sometimes the value matches the Request ID but not always. >> >> It is the parsing of the CSR where it blew up, getting multiple values >> where only one was expected. >> >> rob > > > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue >

On 3 Apr 2024, at 16:11, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: There was a bug in the DER encoding that certmonger used when generating the CSR. python-cryptography allowed it for a while, then complained loudly about it and now no longer accepts it. Upgrading certmonger is the proper fix. rob Djerk Geurts wrote: > Ubuntu 20.04: Certmonger v0.79.9 << fails > Ubuntu 22.04: Certmonger v0.79.14 << works > >> On 3 Apr 2024, at 00:27, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: >> >> I can reproduce the issue with your CSR but I don't know yet what >> python-cryptography doesn't like about it. >> >> Older versions of python-cryptography yield different errors but the >> issue is still elusive. I'm looking at the ASN1 encoding. >> >> What version of certmonger is installed on the machine that made the >> request? >> >> rob >> >> Djerk Geurts via FreeIPA-users wrote: >>> Hi Rob, >>> >>> >>> I can’t see any difference between this CSR and others that worked >>> before. Could it be an issue with an updated version of ipa-client or >>> openssl? I tested issuing a new certificate from a Ubuntu 22.04 host and >>> that worked just fine. Openssl on Ubuntu 20.04 is 1.1.1f while Ubuntu >>> 22.04 have v3.0.2. >>> >>> The certificate ws requested with: sudo ipa-getcert request -N >>> ${service} -K HTTP/${service} -k /etc/ssl/private/${service}.key -f >>> /etc/ssl/certs/${service}.crt -D ${service} -A $(host -t A ${service} | >>> awk 'NF>1{print $NF}’) >>> >>> Which has worked fine for us for over two years. >>> >>> Thanks, >>> Djerk Geurts >>> >>>> On 2 Apr 2024, at 22:29, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: >>>> >>>> Djerk Geurts via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> A month or so ago we upgraded from Fedora 37 to 39. I guess this is the >>>>> first time I’m getting round to requesting a new certificate, and it’s >>>>> failing from a server we use to manage several certificates for non-IPA >>>>> client hosts. >>>>> >>>>> Output of ipa-getcert list: >>>>> >>>>> Request ID '20240402190326': >>>>> status: CA_UNREACHABLE >>>>> ca-error: Server at https://ipa.domain.com/ipa/xml failed >>>>> request, will retry: 903 (RPC failed at server. an internal error has >>>>> occurred). >>>>> stuck: no >>>>> key pair storage: >>>>> type=FILE,location='/etc/ssl/private/host.domain.com.key' >>>>> certificate: >>>>> type=FILE,location='/etc/ssl/certs/host.domain.com.crt' >>>>> CA: IPA >>>>> issuer: >>>>> subject: >>>>> expires: unknown >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>>> >>>>> The httpd log on the IPA server: >>>>> >>>>> [Tue Apr 02 21:03:26.989287 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ipa: ERROR: non-public: ValueError: Only >>>>> single-valued attributes are supported >>>>> [Tue Apr 02 21:03:26.989320 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] Traceback (most recent call last): >>>>> [Tue Apr 02 21:03:26.989326 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] File >>>>> "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 417, in >>>>> wsgi_execute >>>>> [Tue Apr 02 21:03:26.989330 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] result = command(*args, **options) >>>>> [Tue Apr 02 21:03:26.989333 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>> [Tue Apr 02 21:03:26.989337 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] File >>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in >>>>> __call__ >>>>> [Tue Apr 02 21:03:26.989341 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] return self.__do_call(*args, **options) >>>>> [Tue Apr 02 21:03:26.989345 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>> [Tue Apr 02 21:03:26.989348 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] File >>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in >>>>> __do_call >>>>> [Tue Apr 02 21:03:26.989353 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ret = self.run(*args, **options) >>>>> [Tue Apr 02 21:03:26.989358 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>> [Tue Apr 02 21:03:26.989371 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] File >>>>> "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run >>>>> [Tue Apr 02 21:03:26.989376 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] return self.execute(*args, **options) >>>>> [Tue Apr 02 21:03:26.989381 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >>>>> [Tue Apr 02 21:03:26.989385 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] File >>>>> "/usr/lib/python3.12/site-packages/ipaserver/plugins/cert.py", line 716, >>>>> in execute >>>>> [Tue Apr 02 21:03:26.989389 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ext_san = >>>>> csr.extensions.get_extension_for_oid( >>>>> [Tue Apr 02 21:03:26.989392 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ^^^^^^^^^^^^^^ >>>>> [Tue Apr 02 21:03:26.989396 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ValueError: Only single-valued attributes are >>>>> supported >>>>> [Tue Apr 02 21:03:26.989527 2024] [wsgi:error] [pid 1606:tid 1957] >>>>> [remote 10.2.0.92:50078] ipa: INFO: [xmlserver] >>>>> host/jump.domain.com(a)DOMAIN.COM: cert_request(‘MIID**********d1A==', >>>>> principal=&#39;HTTP/host.domain.com(a)DOMAIN.COM&#39;, add=True, version='2.51'): >>>>> InternalError >>>>> >>>>> The requesting machine is allowed to manage both the host and the >>>>> service. Requesting the certificate on the IPA server itself works fine. >>>>> I’ve read elsewhere that this could be an incompatibility between the >>>>> client and the server. >>>>> >>>>> Client: Ubuntu 20.04 LTS, ipa-client: v4.8.6 >>>>> Server: Fedora 39, ipa-server: v4.11.1 >>>> >>>> Can we see the whole CSR? You should be able to find it in the >>>> certmonger request file in /var/lib/certmonger/requests/<some value> >>>> Sometimes the value matches the Request ID but not always. >>>> >>>> It is the parsing of the CSR where it blew up, getting multiple values >>>> where only one was expected. >>>> >>>> rob >>> >>> >>> -- >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue >>> >> >