Bug 1596161

Summary: Traceback in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: certmongerAssignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.6CC: amore, frenaud, ftweedal, ksiddiqu, mkosek, nalin, ndehadra, nsoman, pvoborni, rcritten, spoore, sumenon, tscherf, xdong
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: certmonger-0.78.4-9.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1607616 (view as bug list) Environment:
Last Closed: 2018-08-14 12:00:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1427105, 1607616    
Attachments:
Description Flags
messages
none
ipa-server-install log none

Description Sudhir Menon 2018-06-28 10:56:59 UTC 
Description of problem: Traceback seen in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012

Version-Release number of selected component (if applicable):
[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

ipa-server-4.6.4-1.el7.x86_64
389-ds-base-1.3.8.2-1.el7.x86_64
certmonger-0.78.4-6.el7.x86_64
sssd-1.16.2-1.el7.x86_64
krb5-server-1.15.1-32.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
pki-server-10.5.9-1.el7.noarch
certmonger-0.78.4-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server
2. Check /var/log/messages

Actual results:
Traceback is seen in /var/log/messages file.

Jun 28 06:42:31 ipaqavma dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012    raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".

Expected results:
Traceback should be fixed.

Additional info:
Comment 2 Sudhir Menon 2018-06-28 11:05:39 UTC 
Created attachment 1455240 [details]
messages
Comment 3 Sudhir Menon 2018-06-28 11:12:57 UTC 
Created attachment 1455243 [details]
ipa-server-install log
Comment 5 Kaleem 2018-07-02 08:23:55 UTC 
Sudhir,

Please provide the exact command used for ipa-server-install.
Comment 6 Sudhir Menon 2018-07-02 10:11:24 UTC 
Kaleem,
I had actually used ipa-server-install with integrated DNS in an interactive installation, no specific command line options was provided.
Comment 7 Florence Blanc-Renaud 2018-07-10 04:52:30 UTC 
The issue happens in api.bootstrap because this method is called with an env variable LANG/LC_ALL not set.
When certmonger is starting the CA helpers, it clears all the environment variables, but it should rather set LANG or LC_ALL to a suitable value (i.e. one for which sys.getfilesystemencoding() returns utf-8).

The fix already exists in certmonger and needs to be backported:
https://pagure.io/certmonger/c/0288d36e56bab788da3a494142bf9070f9f3aaf9?branch=master
Keep LC_*, LANG, set default LC_CTYPE

Moving to certmonger component.
Comment 8 Florence Blanc-Renaud 2018-07-10 04:55:55 UTC 
*** Bug 1597514 has been marked as a duplicate of this bug. ***
Comment 9 Rob Crittenden 2018-07-16 16:52:06 UTC 
*** Bug 1600356 has been marked as a duplicate of this bug. ***
Comment 10 Rob Crittenden 2018-07-17 15:09:10 UTC 
*** Bug 1601959 has been marked as a duplicate of this bug. ***
Comment 11 Rob Crittenden 2018-07-17 22:38:28 UTC 
*** Bug 1602149 has been marked as a duplicate of this bug. ***
Comment 13 Scott Poore 2018-07-24 14:03:42 UTC 
I'm still seeing this traceback with the updated version of certmonger:

[root@vm-idm-037 log]# rpm -q certmonger
certmonger-0.78.4-8.el7.x86_64

From automation that failed ipa-certupdate:

STDERR:

The ipa-pkinit-manage command was successful
The ipa-cacert-manage command was successful
trying https://vm-idm-037.domain.scrubbed/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
Error resubmitting certmonger request '20180724014644', please check the request manually
The ipa-certupdate command failed.
Failed to update IPA CA certificate database

In /var/log/messages:

Jul 24 07:54:53 vm-idm-037 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012    raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
Jul 24 07:54:53 vm-idm-037 certmonger: 2018-07-24 07:54:53 [16766] Internal error
Comment 14 Rob Crittenden 2018-07-24 14:19:26 UTC 
Upon further review this is not an issue in certmonger at all. The failure is in the IPA-provided script. I'm going to roll back the patches to certmonger and remove this from the errata, and re-assign back to ipa project.
Comment 15 Rob Crittenden 2018-07-24 14:20:50 UTC 
And further considering, let's leave this in for now and see what happens after ipa fixes it. If possible it would be good to test with certmonger 0.78.4-6 as well as 0.78.4-8 to see if behavior of certmonger has changed.
Comment 18 Fraser Tweedale 2018-08-02 13:10:35 UTC 
The scope of the IPA issue is more than just certmonger: a lot of different things break if the system encoding is not utf-8.  See upstream
ticket https://pagure.io/freeipa/issue/7646.
Comment 19 Fraser Tweedale 2018-08-02 13:15:14 UTC 
BZ for ipa component is https://bugzilla.redhat.com/show_bug.cgi?id=1598044.
Comment 22 Nikhil Dehadrai 2018-08-10 10:35:30 UTC 
The issue mentioned in the bug also affects RFE at BZ1427105#c14 for scenario related to :

Setup IPA as SELF-SIGNED server and promote it to EXT-CA using  "String-Name" in option '--external-ca-profile='

Setup IPA as SELF-SIGNED server and promote it to EXT-CA using  "OID" in option '--external-ca-profile='
Comment 23 Scott Poore 2018-08-13 14:28:24 UTC 
Note that the ipa-certupdate issue I was seeing before seems to be resolved with the fixed version of certmonger and ipa:

https://bugzilla.redhat.com/show_bug.cgi?id=1598044#c14
Comment 24 Rob Crittenden 2018-08-14 12:00:47 UTC 
I reverted the patches I added to handle LANG in build certmonger-0.78.4-9.el7 since these are unrelated to the underlying issue.