Bug 1411810
| Field | Value |
|---|---|
| Summary | ipa-replica-install fails with 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca |
| Product | [Fedora] Fedora |
| Component | freeipa |
| Version | 26 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Christian Heimes <cheimes> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abokovoy, cheimes, ipa-maint, jcholast, jhrozek, mbabinsk, pvoborni, rcritten, ssorce |
| Fixed In Version | freeipa-4.4.4-2.fc26 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2017-06-09 19:08:27 UTC |
| Type | Bug |
| Bug Blocks | 1436763 |

Description
Jan Pazdziora
2017-01-10 14:46:19 UTC
It seems that the root cause is in custodia client escaping whitespace in the request URI when fetching CA keys from remote master.

I have tried to backport custodia-0.2.0-2.fc26.noarch to F25 to see if the rebase causes this issue but replica install passed fine. I suspect that maybe one of the dependencies in rawhide (python-requests-2.12.4-3.fc26 or python-urllib3-1.19.1-2) may be to blame.

Christian, can you look into this issue?

Relevant data

ipareplica-install.log:

{{{
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1727, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 367, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1516, in promote
    custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 182, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 143, in __get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 893, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-01-19T10:37:48Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca for url: https://ipa.example.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.RJ7WeWvjUL0TP0GJQXt5jiEoOekZcUYuYb9XjinxPo81W4-0n1XUvIFShyrxqHvGAvziW6pPC6QKeAf7UnZ0-h8OBR48jGhNq1RK9lch4VBwA47zPU2dfgAVhlhhZgxV0EyUHYaZ79JUlX6GpADsTooWk0qG6sPKAVm9qLqKZm9t3qMRZjItXR2G1wzVsYHej4nyPj-_kBXfX9N4fZGApQa_9YfN-l2Ulhzow_xUnzuyh8tSM0ead9MVk5S9Xo2fhI2finvDOQN7od1md_u7q3us9UJngWJtplwJ4ePLoTt5T5pgEBiIfPLMwbYOpalrzCHnLSHlqosKrMjVUl5zOg.NyiW-h8Q5xf0FaPGi9AGcQ.Gqlh3vPB24U9eeR9JfqFFsYYNs4HZtPvPJnDyD0bcGFJV2KwHXwppa2AUs-R7WJKlmCGQStYGvrADyGTeU2eb4-o34vCxE6yaRI4orwqy3sHsTHLzyvzg62bQAOC-40FkebGAcXsKIS1IdixIWsxkl89Ie0OvqMQdfY7ah3MOOMXfl3grzVWWccExCdKabggSD4tDFgVPmrZbkxEFWGuNfc4yocs3bgA6FOcal5u7NaglSsZGgDlSxe-L9fdk1ifc6pgQBvgKRku-DoWxQLuFxqfO5nvSk_HyDudi5EYtsnCiFFWji0uPJokS21E425fSKm9nJTLi3vR1Ufe9Dn1EI0EjiA1I5d_MvivoR7Hp0CofHNryzRua6gdv2PU7ERx3udKNcb5g-pMTkT_LPNtl0zHs9LD3nconrbikbjSecFiTtp2MZn2OVdtCaW2Sy84A-fAbRk3TXV-Ay1XlsWbalTWLIgSVpunKP37ySJDEqa40hLIyy7XK3Y2jhGYZcRGhnV0dLPRvXUrERxNizyEd5UfrxLz_3p3Ki4xeWdpzOEl3hvgEHQnJCwmtyEwsaAe4TJCzL78gZhGmH5_jSrQHbJV7N1-HgqT8PHbuzXVvospM34eP56rPZD9lRlEH9HxvurI32ZuBBOQRChdZ5kIrBIwBlQyHjsoKKZ8k1xiZBo.0w3wD3GELRyioUVb-0fJB1N3R9OLS1xpF6oC_xIcV98
}}}

ipa-custodia.audit.log on master:

{{{
2017-01-19 10:36:11 - SimpleCredsAuth-[auth:simple] - PASS: '656' authenticated as '48, 48'
2017-01-19 10:36:11 - SimpleHeaderAuth-[auth:header] - PASS: '656' authenticated as '(null)'
2017-01-19 10:36:11 - IPAKEMKeys-[authz:kemkeys] - PASS: '656' authorized for '/keys'
2017-01-19 10:36:11 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'ra/ipaCert'
2017-01-19 10:37:48 - SimpleCredsAuth-[auth:simple] - PASS: '652' authenticated as '48, 48'
2017-01-19 10:37:48 - SimpleHeaderAuth-[auth:header] - PASS: '652' authenticated as '(null)'
2017-01-19 10:37:48 - IPAKEMKeys-[authz:kemkeys] - PASS: '652' authorized for '/keys'
2017-01-19 10:37:48 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert%20cert-pki-ca
}}}

We are aware that non-numeric characters like spaces and non-ASCII chars are not handled well by Custodia. I recently removed some unquoting from Custodia, e.g. https://github.com/latchset/custodia/commit/9dd4ca48cae2f09abed3226d1b20a00ff843fb89
I'll try to find some time to investigate the issue. I'm planning to release a new version of Custodia soonish anyway.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6688

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.

Upstream bug: https://github.com/latchset/custodia/issues/135

The bug has been fixed by PR https://github.com/latchset/custodia/pull/139 and has landed in Custodia release 0.3.1. I'm working on releases for F26 and rawhide.

Dependencies bumped in:

ipa-4-5: 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features
master: f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features

freeipa-4.4.4-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0d0ec3e0af

freeipa-4.4.4-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0d0ec3e0af

custodia-0.3.1-2.fc26 freeipa-4.4.4-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0d0ec3e0af

custodia-0.3.1-2.fc26, freeipa-4.4.4-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0d0ec3e0af

custodia-0.3.1-2.fc26, freeipa-4.4.4-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
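
The mismatch in the 406 message above, reproduced as an added example (not Custodia or FreeIPA code, and not the change made in the upstream PR): the key name taken from the still percent-encoded path differs from the subject, while a name decoded exactly once matches. The function names, the status tuple and the rejection rules in `key_from_path_decoded` are assumptions of this sketch; the key name, host and path prefix are the ones in the log.

```python
from urllib.parse import quote, unquote, urlsplit

PREFIX = "/ipa/keys/"  # path prefix seen in the failing URL in the log


def build_url(host, key_name):
    """Client side: the space in the key name is percent-encoded in the path."""
    return "https://%s%s%s" % (host, PREFIX, quote(key_name, safe="/"))


def key_from_path_raw(url):
    """Server side, as in the failure: use the path segment without decoding."""
    return urlsplit(url).path[len(PREFIX):]


def key_from_path_decoded(url):
    """Server side, decoding exactly once before the name is compared."""
    raw = urlsplit(url).path[len(PREFIX):]
    name = unquote(raw)
    # Assumed policy for this sketch: refuse names that still contain an
    # escape after one decode (double encoding) or that leave the namespace.
    if "%" in name or ".." in name.split("/") or name.startswith("/"):
        raise ValueError("invalid key name: %r" % raw)
    return name


def check_request(url, subject, extract):
    """Return (status, message); 406 when path key name and subject differ."""
    name = extract(url)
    if name != subject:
        return 406, "Key name %s does not match subject %s" % (name, subject)
    return 200, "OK"


# Constructed sample built from the key name and host shown in the log.
SUBJECT = "ca/caSigningCert cert-pki-ca"
URL = build_url("ipa.example.test", SUBJECT)

if __name__ == "__main__":
    print(URL)
    print(check_request(URL, SUBJECT, key_from_path_raw))      # 406
    print(check_request(URL, SUBJECT, key_from_path_decoded))  # 200
```

Whichever side normalizes the name, the authorization decision and the audit log entry should use the same decoded form, so that the name checked is the name that is logged and served.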