Bug 1248725
| Field | Value |
|---|---|
| Summary | ipa cert-request for new certificate profile internal error |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.2 |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Scott Poore <spoore> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | Namita Soman <nsoman> |
| CC | rcritten |
| Target Milestone | rc |
| Keywords | TestBlocker |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2015-08-04 13:36:27 UTC |
| Bug Blocks | 1200694 |

Created attachment 1057764
pki debug log

Thank you for the detailed transcript.

The problem is:

    cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg

The files in /usr/share/ipa/profiles/ are _templates_ for the
default profile(s) in IPA. They contain variables that need to
be substituted and are not valid profile configurations until
these substitutions are performed. These substitutions are
performed automatically during install / upgrade.

In short, they are not for end-user / administrator consumption.

To copy the actual caIPAserviceCert configuration, execute:

    ipa certprofile-show --out /tmp/cert_profile_smime.cfg caIPAserviceCert

The fact that the invalid profile configuration was accepted
needs more investigation, but that is probably for a separate
ticket.
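
The template-versus-configuration distinction in the comment above can be checked mechanically before `ipa certprofile-import`. This is an added example, not part of the original bug report or of FreeIPA's code; it assumes the templates use Python `string.Template`-style placeholders (`$NAME`, with `$$` as an escaped dollar) and that finished configurations keep only `$name$` runtime variables, and the sample lines, key names and placeholder names are constructed.

```python
import re

# One alternative per meaning of "$" in a profile value; first match wins.
TOKEN = re.compile(
    r"(?P<escaped>\$\$)"  # "$$": a literal dollar escaped for the templater
    r"|(?P<runtime>\$[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*\$)"  # $request.x$
    r"|(?P<placeholder>\$\{?[A-Za-z_][A-Za-z0-9_]*\}?)"  # $NAME or ${NAME}
)

# Constructed sample in the style of an unrendered template (assumed names).
TEMPLATE_SAMPLE = """\
profileId=cert_profile_smime
desc=My Certificate Profile Test
policyset.set.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.set.9.default.params.crlPointName_0=http://$IPA_CA_RECORD.$DOMAIN/crl.bin
"""

# Constructed sample: the same lines after substitution.
RENDERED_SAMPLE = """\
profileId=cert_profile_smime
desc=My Certificate Profile Test
policyset.set.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.set.9.default.params.crlPointName_0=http://ca.testrelm.test/crl.bin
"""


def find_template_residue(cfg_text):
    """Return (line_no, key, token, kind) for each sign that cfg_text is an
    unrendered template rather than a finished profile configuration."""
    findings = []
    for line_no, line in enumerate(cfg_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        for match in TOKEN.finditer(value):
            # $name$ is resolved by the CA at issuance time and is expected.
            if match.lastgroup != "runtime":
                findings.append((line_no, key.strip(), match.group(0), match.lastgroup))
    return findings


if __name__ == "__main__":
    for label, text in (("template", TEMPLATE_SAMPLE), ("rendered", RENDERED_SAMPLE)):
        hits = find_template_residue(text)
        print(label, "-> refuse import" if hits else "-> ok to import")
        for line_no, key, token, kind in hits:
            print(f"  line {line_no}: {kind} {token!r} in {key}")
```
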

Ah, that's right--the variables. Yeah, that resolved my issue:

    [root@master ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
      Certificate:...
      Subject: CN=testuser1,O=TESTRELM.TEST
      Issuer: CN=Certificate Authority,O=TESTRELM.TEST
      Not Before: Tue Aug 04 13:33:43 2015 UTC
      Not After: Fri Aug 04 13:33:43 2017 UTC
      Fingerprint (MD5): ...
      Fingerprint (SHA1): ...
      Serial number: 14
      Serial number (hex): 0xE

I'll close this bug and move the RFE back to ON_QA. I'll open a separate bug for the case of accepting invalid config.

Thanks,
Scott

fyi, I opened bug #1250093 for the importing of invalid config.

Description of problem:

Trying to get a certificate using a custom certificate profile is failing with internal error:

    [root@rhel7-2 ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
    ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):

    ipa-server-4.2.0-3.el7.x86_64
    pki-ca-10.2.5-4.el7.noarch

How reproducible:

always

Steps to Reproduce:

1. Install IPA server on RHEL7.2 or later

2. Create a new certificate profile

    rm -f /tmp/cert_profile_smime.cfg
    cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg
    sed -i 's/profileId=.*$/profileId=cert_profile_smime/' /tmp/cert_profile_smime.cfg
    sed -i 's/desc=.*$/desc=My Certificate Profile Test/' /tmp/cert_profile_smime.cfg
    sed -i 's/^name=.*$/name=cert_profile_smime/' /tmp/cert_profile_smime.cfg
    sed -i 's/1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2/1.3.6.1.5.5.7.3.4/' /tmp/cert_profile_smime.cfg
    ipa certprofile-import cert_profile_smime --file=/tmp/cert_profile_smime.cfg \
        --store=False --desc="Test Cert Profile for SMIME"

3. Create a user to test with

    ipa user-add --first=testuser1 --last=lastname --email=testuser1 testuser1

4. Create certificate request

    cat > /root/testuser1.cnf <<EOF
    [ req ]
    prompt = no
    encrypt_key = no
    distinguished_name = dn
    req_extensions = exts

    [ dn ]
    commonName = "testuser1"

    [ exts ]
    subjectAltName=email:testuser1
    EOF

    openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf

5. Enable CA ACLs for request

    ipa caacl-add smime_acl
    ipa group-add smime_users
    ipa group-add-member smime_users --user=testuser1
    ipa caacl-add-user smime_acl --group smime_users
    ipa caacl-add-profile smime_acl --certprofile cert_profile_smime
    ipa caacl-show smime_acl

6. Run certificate request

    ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1

Actual results:

Fails with internal error

Expected results:

no failure and certificate generated.

Additional info:

httpd/error_log entry:

    [Thu Jul 30 11:50:28.592398 2015] [:error] [pid 22499] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
    [Thu Jul 30 11:50:28.592419 2015] [:error] [pid 22499] Traceback (most recent call last):
    [Thu Jul 30 11:50:28.592421 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
    [Thu Jul 30 11:50:28.592423 2015] [:error] [pid 22499]     result = self.Command[name](*args, **options)
    [Thu Jul 30 11:50:28.592424 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    [Thu Jul 30 11:50:28.592425 2015] [:error] [pid 22499]     ret = self.run(*args, **options)
    [Thu Jul 30 11:50:28.592426 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
    [Thu Jul 30 11:50:28.592428 2015] [:error] [pid 22499]     return self.execute(*args, **options)
    [Thu Jul 30 11:50:28.592429 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 502, in execute
    [Thu Jul 30 11:50:28.592430 2015] [:error] [pid 22499]     csr, profile_id, request_type=request_type)
    [Thu Jul 30 11:50:28.592431 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1590, in request_certificate
    [Thu Jul 30 11:50:28.592439 2015] [:error] [pid 22499]     parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
    [Thu Jul 30 11:50:28.592441 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1382, in get_parse_result_xml
    [Thu Jul 30 11:50:28.592442 2015] [:error] [pid 22499]     doc = etree.fromstring(xml_text, parser)
    [Thu Jul 30 11:50:28.592443 2015] [:error] [pid 22499]   File "lxml.etree.pyx", line 2993, in lxml.etree.fromstring (src/lxml/lxml.etree.c:63070)
    [Thu Jul 30 11:50:28.592444 2015] [:error] [pid 22499]   File "parser.pxi", line 1617, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:93194)
    [Thu Jul 30 11:50:28.592446 2015] [:error] [pid 22499]   File "parser.pxi", line 1495, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:92003)
    [Thu Jul 30 11:50:28.592447 2015] [:error] [pid 22499]   File "parser.pxi", line 1011, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:88660)
    [Thu Jul 30 11:50:28.592448 2015] [:error] [pid 22499]   File "parser.pxi", line 577, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:84385)
    [Thu Jul 30 11:50:28.592449 2015] [:error] [pid 22499]   File "parser.pxi", line 676, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:85488)
    [Thu Jul 30 11:50:28.592451 2015] [:error] [pid 22499]   File "parser.pxi", line 616, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:84811)
    [Thu Jul 30 11:50:28.592452 2015] [:error] [pid 22499] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
    [Thu Jul 30 11:50:28.592639 2015] [:error] [pid 22499] ipa: INFO: [jsonserver_session] admin: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICjjCCAXYCAQAwFDESMBAGA1UEAxMJdGVzdHVzZXIxMIIBIjANBgkqhkiG9w0B\\nAQEFAAOCAQ8AMIIBCgKCAQEAqm+1c9RST9jKLCnI0R3JCgoYVzAVwcYApXYao2Hh\\n0mg+fgewCvdSuCt6JuCPZVh3ks+2+qt3t+TFPG22R8DsIeiyZsXdtugdqheMLYxh\\nDLadCfa3juGbaWLot54X6+fW61DY+50f0OX0W0llQcMizOHU4TN5G4TBH6cW0j1E\\nNiQK3r5QmhdPpzyxVJ/FhGxfPMasqjJyeRTFZ2y9n6zzmr719ZnQ8QaLEX1+Y6+2\\nQWkuJYObMnkRMrE/0iwPwrP/p+XShsekKYJoPrWCExuQMQq7FW7J9KnxQFqv8EvT\\n9cE3Y3XNKFyTs0YZoUEdfHDy1y/7uwRmZvg5L4ba6jUdkwIDAQABoDUwMwYJKoZI\\nhvcNAQkOMSYwJDAiBgNVHREEGzAZgRd0ZXN0dXNlcjFAdGVzdHJlbG0udGVzdDAN\\nBgkqhkiG9w0BAQUFAAOCAQEAJLOtlzcZnerrunM+Pj6KeCXsGeeukuHyYl6QEMRW\\nuTlfxRs+gk7s/lwTs3fCC6ljoS+5jRj5VJFB/LssW91Q0yGtmQvKlvc4/acRvcMh\\nvRmQAGQ7SMpdTL1YMGkgnmdxsgYrgDbm2+retUC/oEirzXA4DbAGAGdDyfLVbLC6\\nnp5Wd5EM8CnORq+JtGMDSyqyRBqA9Zn8C4ycE/Gro+WBAOI2ZqJkjHZyhQLH5Fqy\\nrrhb4ooW61IlzXTgEUBuA+iPqeBeDLv8jdTiJEWGyLQWcpBNLPQLFHJjn4tzKiPQ\\n3YqwPyGWpSLxazwuJghWDDn8a92MZMIKDXj4PXeAimdHrQ==\\n-----END CERTIFICATE REQUEST-----', principal=u'testuser1', request_type=u'pkcs10', add=False, profile_id=u'cert_profile_smime', version=u'2.147'): XMLSyntaxError

Will also attach logs.