Description of problem:
Traceback seen in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012
Version-Release number of selected component (if applicable):
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
ipa-server-4.6.4-1.el7.x86_64
389-ds-base-1.3.8.2-1.el7.x86_64
certmonger-0.78.4-6.el7.x86_64
sssd-1.16.2-1.el7.x86_64
krb5-server-1.15.1-32.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
pki-server-10.5.9-1.el7.noarch
certmonger-0.78.4-6.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Install IPA server
2. Check /var/log/messages
Actual results:
Traceback is seen in /var/log/messages file.
Jun 28 06:42:31 ipaqavma dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012 api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012 File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012 raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
Expected results:
Traceback should be fixed.
Additional info:
Kaleem,
I had actually used ipa-server-install with integrated DNS in an interactive installation; no specific command line options were provided.
Comment 7 Florence Blanc-Renaud
2018-07-10 04:52:30 UTC
The issue happens in api.bootstrap because this method is called with an env variable LANG/LC_ALL not set.
When certmonger is starting the CA helpers, it clears all the environment variables, but it should rather set LANG or LC_ALL to a suitable value (i.e. one for which sys.getfilesystemencoding() returns utf-8).
The fix already exists in certmonger and needs to be backported:
https://pagure.io/certmonger/c/0288d36e56bab788da3a494142bf9070f9f3aaf9?branch=master
Keep LC_*, LANG, set default LC_CTYPE
Moving to certmonger component.
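The environment handling described in comment 7, as an added Python sketch (not certmonger's C code and not part of the bug report): it keeps only `LANG` and `LC_*` for a spawned helper, gives `LC_CTYPE` a default, and checks which locale actually wins under POSIX precedence, including the case where an inherited `LC_ALL=C` defeats the default. The function names are hypothetical, and the `C.UTF-8` default is an assumption taken from the error message above.

```python
import subprocess
import sys

DEFAULT_CTYPE = "C.UTF-8"  # assumption: the value the error message on this page recommends


def helper_env(parent_env):
    """Environment for a spawned helper: keep only LANG and LC_*, then give
    LC_CTYPE a default if the parent did not set one."""
    env = {k: v for k, v in parent_env.items()
           if k == "LANG" or k.startswith("LC_")}
    env.setdefault("LC_CTYPE", DEFAULT_CTYPE)
    return env


def effective_ctype(env):
    """POSIX precedence for the character-type locale: LC_ALL, LC_CTYPE, LANG."""
    for name in ("LC_ALL", "LC_CTYPE", "LANG"):
        if env.get(name):
            return env[name]
    return "C"


def is_utf8_locale(name):
    """True if the locale name carries a UTF-8 codeset, e.g. C.UTF-8 or en_US.utf8."""
    codeset = name.partition(".")[2].partition("@")[0]
    return codeset.lower().replace("-", "") == "utf8"


def probe(env):
    """Ask a child interpreter, started with exactly this environment, what
    sys.getfilesystemencoding() reports. Python 3.7+ coerces the C locale
    (PEP 538/540), so it can report utf-8 where the Python 2.7 helper in the
    traceback reported ANSI_X3.4-1968."""
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(sys.getfilesystemencoding())"],
        env=env)
    return out.decode().strip()


if __name__ == "__main__":
    # Constructed parent environments, not taken from the bug report.
    cases = {
        "cleared": {},
        "parent with UTF-8 LANG": {"LANG": "en_US.UTF-8", "PATH": "/usr/bin"},
        "parent forcing LC_ALL=C": {"LC_ALL": "C", "HOME": "/root"},
    }
    for label, parent in cases.items():
        env = helper_env(parent)
        print(label, env, "utf8 expected:", is_utf8_locale(effective_ctype(env)),
              "child reports:", probe(env))
```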
Comment 8 Florence Blanc-Renaud
2018-07-10 04:55:55 UTC
*** Bug 1597514 has been marked as a duplicate of this bug. ***
I'm still seeing this traceback with the updated version of certmonger:
[root@vm-idm-037 log]# rpm -q certmonger
certmonger-0.78.4-8.el7.x86_64
From automation that failed ipa-certupdate:
STDERR:
The ipa-pkinit-manage command was successful
The ipa-cacert-manage command was successful
trying https://vm-idm-037.domain.scrubbed/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
Error resubmitting certmonger request '20180724014644', please check the request manually
The ipa-certupdate command failed.
Failed to update IPA CA certificate database
In /var/log/messages:
Jul 24 07:54:53 vm-idm-037 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012 api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012 File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012 raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
Jul 24 07:54:53 vm-idm-037 certmonger: 2018-07-24 07:54:53 [16766] Internal error
Upon further review this is not an issue in certmonger at all. The failure is in the IPA-provided script. I'm going to roll back the patches to certmonger and remove this from the errata, and re-assign back to ipa project.
And further considering, let's leave this in for now and see what happens after ipa fixes it. If possible it would be good to test with certmonger 0.78.4-6 as well as 0.78.4-8 to see if behavior of certmonger has changed.
The scope of the IPA issue is more than just certmonger: a lot of different things break if the system encoding is not utf-8. See upstream ticket https://pagure.io/freeipa/issue/7646.
The issue mentioned in the bug also affects the RFE at BZ1427105#c14 for scenarios related to:
Setup IPA as SELF-SIGNED server and promote it to EXT-CA using "String-Name" in option '--external-ca-profile='
Setup IPA as SELF-SIGNED server and promote it to EXT-CA using "OID" in option '--external-ca-profile='