Bug 1248725 - ipa cert-request for new certificate profile internal error
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Assigned To: IPA Maintainers
Namita Soman
TestBlocker
Blocks: 1200694
Reported: 2015-07-30 13:15 EDT by Scott Poore
Modified: 2015-08-04 10:06 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-04 09:36:27 EDT
Type: Bug

Attachments
pki debug log (2.78 MB, text/plain)
2015-07-30 13:17 EDT, Scott Poore

Description Scott Poore 2015-07-30 13:15:54 EDT
Description of problem:

Trying to get a certificate using a custom certificate profile is failing with internal error:

[root@rhel7-2 ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
ipa: ERROR: an internal error has occurred


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
pki-ca-10.2.5-4.el7.noarch

How reproducible:
always

Steps to Reproduce:
1.  Install IPA server on RHEL7.2 or later
2.  Create a new certificate profile

rm -f /tmp/cert_profile_smime.cfg

cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg

sed -i 's/profileId=.*$/profileId=cert_profile_smime/' /tmp/cert_profile_smime.cfg

sed -i 's/desc=.*$/desc=My Certificate Profile Test/' /tmp/cert_profile_smime.cfg

sed -i 's/^name=.*$/name=cert_profile_smime/' /tmp/cert_profile_smime.cfg

sed -i 's/1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2/1.3.6.1.5.5.7.3.4/' /tmp/cert_profile_smime.cfg

ipa certprofile-import cert_profile_smime --file=/tmp/cert_profile_smime.cfg \
    --store=False --desc="Test Cert Profile for SMIME"


3. Create a user to test with

ipa user-add --first=testuser1 --last=lastname --email=testuser1@testrelm.test testuser1

4.  Create certificate request

cat > /root/testuser1.cnf <<EOF
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser1"

[ exts ]
subjectAltName=email:testuser1@testrelm.test
EOF

openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf

5.  Enable CA ACLs for request

ipa caacl-add smime_acl
ipa group-add smime_users
ipa group-add-member smime_users --user=testuser1
ipa caacl-add-user smime_acl --group smime_users
ipa caacl-add-profile smime_acl --certprofile cert_profile_smime
ipa caacl-show smime_acl

6. Run certificate request

ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1


Actual results:

Fails with internal error

Expected results:

no failure and certificate generated.

Additional info:

httpd/error_log entry:

[Thu Jul 30 11:50:28.592398 2015] [:error] [pid 22499] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Thu Jul 30 11:50:28.592419 2015] [:error] [pid 22499] Traceback (most recent call last):
[Thu Jul 30 11:50:28.592421 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Thu Jul 30 11:50:28.592423 2015] [:error] [pid 22499]     result = self.Command[name](*args, **options)
[Thu Jul 30 11:50:28.592424 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Thu Jul 30 11:50:28.592425 2015] [:error] [pid 22499]     ret = self.run(*args, **options)
[Thu Jul 30 11:50:28.592426 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Thu Jul 30 11:50:28.592428 2015] [:error] [pid 22499]     return self.execute(*args, **options)
[Thu Jul 30 11:50:28.592429 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 502, in execute
[Thu Jul 30 11:50:28.592430 2015] [:error] [pid 22499]     csr, profile_id, request_type=request_type)
[Thu Jul 30 11:50:28.592431 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1590, in request_certificate
[Thu Jul 30 11:50:28.592439 2015] [:error] [pid 22499]     parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
[Thu Jul 30 11:50:28.592441 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1382, in get_parse_result_xml
[Thu Jul 30 11:50:28.592442 2015] [:error] [pid 22499]     doc = etree.fromstring(xml_text, parser)
[Thu Jul 30 11:50:28.592443 2015] [:error] [pid 22499]   File "lxml.etree.pyx", line 2993, in lxml.etree.fromstring (src/lxml/lxml.etree.c:63070)
[Thu Jul 30 11:50:28.592444 2015] [:error] [pid 22499]   File "parser.pxi", line 1617, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:93194)
[Thu Jul 30 11:50:28.592446 2015] [:error] [pid 22499]   File "parser.pxi", line 1495, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:92003)
[Thu Jul 30 11:50:28.592447 2015] [:error] [pid 22499]   File "parser.pxi", line 1011, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:88660)
[Thu Jul 30 11:50:28.592448 2015] [:error] [pid 22499]   File "parser.pxi", line 577, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:84385)
[Thu Jul 30 11:50:28.592449 2015] [:error] [pid 22499]   File "parser.pxi", line 676, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:85488)
[Thu Jul 30 11:50:28.592451 2015] [:error] [pid 22499]   File "parser.pxi", line 616, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:84811)
[Thu Jul 30 11:50:28.592452 2015] [:error] [pid 22499] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Thu Jul 30 11:50:28.592639 2015] [:error] [pid 22499] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICjjCCAXYCAQAwFDESMBAGA1UEAxMJdGVzdHVzZXIxMIIBIjANBgkqhkiG9w0B\\nAQEFAAOCAQ8AMIIBCgKCAQEAqm+1c9RST9jKLCnI0R3JCgoYVzAVwcYApXYao2Hh\\n0mg+fgewCvdSuCt6JuCPZVh3ks+2+qt3t+TFPG22R8DsIeiyZsXdtugdqheMLYxh\\nDLadCfa3juGbaWLot54X6+fW61DY+50f0OX0W0llQcMizOHU4TN5G4TBH6cW0j1E\\nNiQK3r5QmhdPpzyxVJ/FhGxfPMasqjJyeRTFZ2y9n6zzmr719ZnQ8QaLEX1+Y6+2\\nQWkuJYObMnkRMrE/0iwPwrP/p+XShsekKYJoPrWCExuQMQq7FW7J9KnxQFqv8EvT\\n9cE3Y3XNKFyTs0YZoUEdfHDy1y/7uwRmZvg5L4ba6jUdkwIDAQABoDUwMwYJKoZI\\nhvcNAQkOMSYwJDAiBgNVHREEGzAZgRd0ZXN0dXNlcjFAdGVzdHJlbG0udGVzdDAN\\nBgkqhkiG9w0BAQUFAAOCAQEAJLOtlzcZnerrunM+Pj6KeCXsGeeukuHyYl6QEMRW\\nuTlfxRs+gk7s/lwTs3fCC6ljoS+5jRj5VJFB/LssW91Q0yGtmQvKlvc4/acRvcMh\\nvRmQAGQ7SMpdTL1YMGkgnmdxsgYrgDbm2+retUC/oEirzXA4DbAGAGdDyfLVbLC6\\nnp5Wd5EM8CnORq+JtGMDSyqyRBqA9Zn8C4ycE/Gro+WBAOI2ZqJkjHZyhQLH5Fqy\\nrrhb4ooW61IlzXTgEUBuA+iPqeBeDLv8jdTiJEWGyLQWcpBNLPQLFHJjn4tzKiPQ\\n3YqwPyGWpSLxazwuJghWDDn8a92MZMIKDXj4PXeAimdHrQ==\\n-----END CERTIFICATE REQUEST-----', principal=u'testuser1', request_type=u'pkcs10', add=False, profile_id=u'cert_profile_smime', version=u'2.147'): XMLSyntaxError


Will also attach logs.
Comment 1 Scott Poore 2015-07-30 13:17:03 EDT
Created attachment 1057764 [details]
pki debug log
Comment 4 Fraser Tweedale 2015-08-04 09:08:52 EDT
Thank you for the detailed transcript.

The problem is: 

    cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg

The files in /usr/share/ipa/profiles/ are _templates_ for the
default profile(s) in IPA.  They contain variables that need to
be substituted and are not valid profile configurations until
these substitutions are performed.  These substitutions are
performed automatically during install / upgrade.

In short, they are not for end-user / administrator consumption.

To copy the actual caIPAserviceCert configuration, execute:

    ipa certprofile-show --out /tmp/cert_profile_smime.cfg caIPAserviceCert

The fact that the invalid profile configuration was accepted
needs more investigation, but that is probably for a separate
ticket.
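The comment above explains that the files under /usr/share/ipa/profiles/ are install-time templates whose variables are only substituted during install or upgrade, and that the unsubstituted copy was nevertheless accepted by certprofile-import. The following added example (written here, not by the comment author or the FreeIPA project) is a small pre-import sanity check for a profile configuration file. It assumes the template variables have the shell-style form `$NAME` (uppercase name), which is not stated on the page, and it deliberately ignores Dogtag's `$$attribute$$` request references, which are legitimate in a finished profile. The sample files it checks are constructed for the example; `$SUBJECT_DN_O` is an assumed variable name.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeIPA: detect unsubstituted
# template variables in a certificate profile config before it is imported.
#
# Assumption: install-time template variables look like $NAME (uppercase).
# Dogtag's own $$request.foo$$ references are valid profile syntax and are
# stripped before the check so they are not reported as false positives.

# check_profile_cfg FILE
# Prints offending lines to stderr. Returns 0 when the file is clean and
# 1 when at least one unsubstituted $NAME variable remains.
check_profile_cfg() {
    cfg="$1"
    hits=$(sed 's/\$\$[^$]*\$\$//g' "$cfg" \
           | grep -nE '\$[A-Z_][A-Z0-9_]*' || true)
    if [ -n "$hits" ]; then
        printf '%s: unsubstituted template variables found:\n%s\n' \
            "$cfg" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real IPA files). The first mimics a raw
# template with an assumed $SUBJECT_DN_O placeholder; the second mimics a
# profile exported with `ipa certprofile-show --out`, where the value has
# already been substituted.
SAMPLE_DIR=$(mktemp -d)
TEMPLATE_CFG="$SAMPLE_DIR/template_like.cfg"
EXPORTED_CFG="$SAMPLE_DIR/exported_like.cfg"

cat > "$TEMPLATE_CFG" <<'EOF'
profileId=cert_profile_smime
desc=My Certificate Profile Test
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
EOF

cat > "$EXPORTED_CFG" <<'EOF'
profileId=cert_profile_smime
desc=My Certificate Profile Test
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, O=TESTRELM.TEST
EOF

# Stand-alone demonstration: the template-like file is rejected, the
# exported-like file passes.
if check_profile_cfg "$TEMPLATE_CFG"; then
    echo "template-like file unexpectedly clean"
else
    echo "template-like file rejected as expected"
fi
check_profile_cfg "$EXPORTED_CFG" && echo "exported-like file is clean"
```

Run `check_profile_cfg /tmp/cert_profile_smime.cfg` on the file you intend to pass to `ipa certprofile-import`; a non-zero exit means the config still carries placeholders and the server would not reject it on its own at the time of this report, so the check belongs before the import, not after.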
Comment 5 Scott Poore 2015-08-04 09:36:27 EDT
Ah, that's right--the variables. Yeah, that resolved my issue:

[root@master ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
  Certificate:...
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 04 13:33:43 2015 UTC
  Not After: Fri Aug 04 13:33:43 2017 UTC
  Fingerprint (MD5): ...
  Fingerprint (SHA1): ...
  Serial number: 14
  Serial number (hex): 0xE

I'll close this bug and move the RFE back to ON_QA.

I'll open a separate bug for the case of accepting invalid config.

Thanks,
Scott
Comment 6 Scott Poore 2015-08-04 10:06:23 EDT
FYI, I opened bug #1250093 for the importing of invalid config.