Bug 1248725 - ipa cert-request for new certificate profile internal error
Summary: ipa cert-request for new certificate profile internal error
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1200694
Reported: 2015-07-30 17:15 UTC by Scott Poore
Modified: 2015-08-04 14:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-04 13:36:27 UTC
Target Upstream Version:
Embargoed:


Attachments:
pki debug log (2.78 MB, text/plain), 2015-07-30 17:17 UTC, Scott Poore

Description Scott Poore 2015-07-30 17:15:54 UTC
Description of problem:

Trying to get a certificate using a custom certificate profile is failing with an internal error:

[root@rhel7-2 ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
ipa: ERROR: an internal error has occurred


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
pki-ca-10.2.5-4.el7.noarch

How reproducible:
always

Steps to Reproduce:
1.  Install IPA server on RHEL7.2 or later
2.  Create a new certificate profile

rm -f /tmp/cert_profile_smime.cfg

cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg

sed -i 's/profileId=.*$/profileId=cert_profile_smime/' /tmp/cert_profile_smime.cfg

sed -i 's/desc=.*$/desc=My Certificate Profile Test/' /tmp/cert_profile_smime.cfg

sed -i 's/^name=.*$/name=cert_profile_smime/' /tmp/cert_profile_smime.cfg

sed -i 's/1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2/1.3.6.1.5.5.7.3.4/' /tmp/cert_profile_smime.cfg

ipa certprofile-import cert_profile_smime --file=/tmp/cert_profile_smime.cfg \
    --store=False --desc="Test Cert Profile for SMIME"


3. Create a user to test with

ipa user-add --first=testuser1 --last=lastname --email=testuser1 testuser1

4.  Create certificate request

cat > /root/testuser1.cnf <<EOF
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser1"

[ exts ]
subjectAltName=email:testuser1
EOF

openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf

5.  Enable CA ACLs for request

ipa caacl-add smime_acl
ipa group-add smime_users
ipa group-add-member smime_users --user=testuser1
ipa caacl-add-user smime_acl --group smime_users
ipa caacl-add-profile smime_acl --certprofile cert_profile_smime
ipa caacl-show smime_acl

6. Run certificate request

ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1


Actual results:

Fails with internal error

Expected results:

no failure and certificate generated.

Additional info:

httpd/error_log entry:

[Thu Jul 30 11:50:28.592398 2015] [:error] [pid 22499] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Thu Jul 30 11:50:28.592419 2015] [:error] [pid 22499] Traceback (most recent call last):
[Thu Jul 30 11:50:28.592421 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Thu Jul 30 11:50:28.592423 2015] [:error] [pid 22499]     result = self.Command[name](*args, **options)
[Thu Jul 30 11:50:28.592424 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Thu Jul 30 11:50:28.592425 2015] [:error] [pid 22499]     ret = self.run(*args, **options)
[Thu Jul 30 11:50:28.592426 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Thu Jul 30 11:50:28.592428 2015] [:error] [pid 22499]     return self.execute(*args, **options)
[Thu Jul 30 11:50:28.592429 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 502, in execute
[Thu Jul 30 11:50:28.592430 2015] [:error] [pid 22499]     csr, profile_id, request_type=request_type)
[Thu Jul 30 11:50:28.592431 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1590, in request_certificate
[Thu Jul 30 11:50:28.592439 2015] [:error] [pid 22499]     parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
[Thu Jul 30 11:50:28.592441 2015] [:error] [pid 22499]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1382, in get_parse_result_xml
[Thu Jul 30 11:50:28.592442 2015] [:error] [pid 22499]     doc = etree.fromstring(xml_text, parser)
[Thu Jul 30 11:50:28.592443 2015] [:error] [pid 22499]   File "lxml.etree.pyx", line 2993, in lxml.etree.fromstring (src/lxml/lxml.etree.c:63070)
[Thu Jul 30 11:50:28.592444 2015] [:error] [pid 22499]   File "parser.pxi", line 1617, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:93194)
[Thu Jul 30 11:50:28.592446 2015] [:error] [pid 22499]   File "parser.pxi", line 1495, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:92003)
[Thu Jul 30 11:50:28.592447 2015] [:error] [pid 22499]   File "parser.pxi", line 1011, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:88660)
[Thu Jul 30 11:50:28.592448 2015] [:error] [pid 22499]   File "parser.pxi", line 577, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:84385)
[Thu Jul 30 11:50:28.592449 2015] [:error] [pid 22499]   File "parser.pxi", line 676, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:85488)
[Thu Jul 30 11:50:28.592451 2015] [:error] [pid 22499]   File "parser.pxi", line 616, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:84811)
[Thu Jul 30 11:50:28.592452 2015] [:error] [pid 22499] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Thu Jul 30 11:50:28.592639 2015] [:error] [pid 22499] ipa: INFO: [jsonserver_session] admin: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICjjCCAXYCAQAwFDESMBAGA1UEAxMJdGVzdHVzZXIxMIIBIjANBgkqhkiG9w0B\\nAQEFAAOCAQ8AMIIBCgKCAQEAqm+1c9RST9jKLCnI0R3JCgoYVzAVwcYApXYao2Hh\\n0mg+fgewCvdSuCt6JuCPZVh3ks+2+qt3t+TFPG22R8DsIeiyZsXdtugdqheMLYxh\\nDLadCfa3juGbaWLot54X6+fW61DY+50f0OX0W0llQcMizOHU4TN5G4TBH6cW0j1E\\nNiQK3r5QmhdPpzyxVJ/FhGxfPMasqjJyeRTFZ2y9n6zzmr719ZnQ8QaLEX1+Y6+2\\nQWkuJYObMnkRMrE/0iwPwrP/p+XShsekKYJoPrWCExuQMQq7FW7J9KnxQFqv8EvT\\n9cE3Y3XNKFyTs0YZoUEdfHDy1y/7uwRmZvg5L4ba6jUdkwIDAQABoDUwMwYJKoZI\\nhvcNAQkOMSYwJDAiBgNVHREEGzAZgRd0ZXN0dXNlcjFAdGVzdHJlbG0udGVzdDAN\\nBgkqhkiG9w0BAQUFAAOCAQEAJLOtlzcZnerrunM+Pj6KeCXsGeeukuHyYl6QEMRW\\nuTlfxRs+gk7s/lwTs3fCC6ljoS+5jRj5VJFB/LssW91Q0yGtmQvKlvc4/acRvcMh\\nvRmQAGQ7SMpdTL1YMGkgnmdxsgYrgDbm2+retUC/oEirzXA4DbAGAGdDyfLVbLC6\\nnp5Wd5EM8CnORq+JtGMDSyqyRBqA9Zn8C4ycE/Gro+WBAOI2ZqJkjHZyhQLH5Fqy\\nrrhb4ooW61IlzXTgEUBuA+iPqeBeDLv8jdTiJEWGyLQWcpBNLPQLFHJjn4tzKiPQ\\n3YqwPyGWpSLxazwuJghWDDn8a92MZMIKDXj4PXeAimdHrQ==\\n-----END CERTIFICATE REQUEST-----', principal=u'testuser1', request_type=u'pkcs10', add=False, profile_id=u'cert_profile_smime', version=u'2.147'): XMLSyntaxError


Will also attach logs.

Comment 1 Scott Poore 2015-07-30 17:17:03 UTC
Created attachment 1057764 [details]
pki debug log

Comment 4 Fraser Tweedale 2015-08-04 13:08:52 UTC
Thank you for the detailed transcript.

The problem is: 

    cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/cert_profile_smime.cfg

The files in /usr/share/ipa/profiles/ are _templates_ for the
default profile(s) in IPA.  They contain variables that need to
be substituted and are not valid profile configurations until
these substitutions are performed.  These substitutions are
performed automatically during install / upgrade.

In short, they are not for end-user / administrator consumption.

To copy the actual caIPAserviceCert configuration, execute:

    ipa certprofile-show --out /tmp/cert_profile_smime.cfg caIPAserviceCert

The fact that the invalid profile configuration was accepted
needs more investigation, but that is probably for a separate
ticket.
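
As an added illustration of the template-versus-rendered-profile distinction described in this comment (example code, not part of FreeIPA, Dogtag or this report): a small pre-import check that parses a raw Dogtag profile and flags leftover template placeholders, so the mistake in step 2 of the reproduction is caught before `certprofile-import` instead of surfacing as an internal error at `cert-request` time. It also covers the follow-up point that an invalid profile should not be accepted on import. The sample profile contents, the `$UPPER_CASE` placeholder naming, and the reading of `$$` as a python `string.Template` escape (versus Dogtag's own `$request.foo$` references in a rendered profile) are assumptions modelled on the report, not verified against the IPA sources.

```python
"""Pre-import sanity check for a Dogtag/IPA raw certificate profile.

Added example, not FreeIPA or Dogtag code. Assumptions:
  * raw profile format is one key=value per line, '#' starts a comment;
  * IPA install-time placeholders look like $DOMAIN or $SUBJECT_DN_O
    (upper-case identifier, no closing '$');
  * a rendered profile may legitimately contain Dogtag request references
    such as $request.req_subject_name.cn$ (single '$' on both sides);
  * '$$' is the python string.Template escape for a literal '$' and only
    appears in an unrendered template copied from /usr/share/ipa/profiles/.
"""
import re

# $NAME placeholder: upper-case identifier not wrapped in '$...$'.
# The trailing lookahead stops the regex from matching a prefix of $FOO$.
_TEMPLATE_VAR = re.compile(r'(?<!\$)\$([A-Z][A-Z0-9_]*)(?![A-Z0-9_$])')
# '$$' escape that a rendered profile should never contain (assumption above).
_TEMPLATE_ESCAPE = re.compile(r'\$\$')

# Keys every importable profile is expected to carry (assumption).
REQUIRED_KEYS = ('profileId', 'classId', 'name', 'desc')


def parse_profile_config(text):
    """Parse raw profile text into a dict; later duplicate keys win."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError('line %d: expected key=value, got %r' % (lineno, raw))
        key, _, value = line.partition('=')
        cfg[key.strip()] = value.strip()
    return cfg


def check_profile_config(text, expected_profile_id):
    """Return a list of problems; an empty list means the profile looks importable."""
    problems = []
    cfg = parse_profile_config(text)
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            problems.append('missing or empty required key %r' % key)
    # certprofile-import names the profile on the command line; the file's
    # profileId must agree with it.
    if cfg.get('profileId') and cfg['profileId'] != expected_profile_id:
        problems.append('profileId %r does not match requested id %r'
                        % (cfg['profileId'], expected_profile_id))
    for key, value in sorted(cfg.items()):
        for name in _TEMPLATE_VAR.findall(value):
            problems.append('%s: unsubstituted template variable $%s' % (key, name))
        if _TEMPLATE_ESCAPE.search(value):
            problems.append('%s: contains "$$", a template escape, not a rendered profile' % key)
    return problems


# Constructed sample modelled on the reporter's copy of the template: the
# $$...$$ escape and the $SUBJECT_DN_O / $IPA_CA_RECORD / $DOMAIN placeholders
# are never substituted, so the CA rejects the profile at request time.
TEMPLATE_COPY = """\
profileId=cert_profile_smime
classId=caEnrollImpl
desc=My Certificate Profile Test
name=cert_profile_smime
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""

# Constructed sample of what `ipa certprofile-show --out` hands back:
# placeholders rendered, single-'$' Dogtag request reference kept.
RENDERED_PROFILE = """\
profileId=cert_profile_smime
classId=caEnrollImpl
desc=My Certificate Profile Test
name=cert_profile_smime
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
"""

if __name__ == '__main__':
    for label, text in (('template copy', TEMPLATE_COPY), ('rendered profile', RENDERED_PROFILE)):
        found = check_profile_config(text, 'cert_profile_smime')
        print('%s: %s' % (label, 'OK' if not found else '\n  ' + '\n  '.join(found)))
```

Run against a file before `ipa certprofile-import`: any "unsubstituted template variable" or "$$" finding means the file was copied from the template directory rather than exported with `ipa certprofile-show --out`. The profileId check is there because the command-line name and the file contents both identify the profile, and a mismatch is the other easy way to import something the CA will later refuse.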

Comment 5 Scott Poore 2015-08-04 13:36:27 UTC
Ah, that's right--the variables. Yeah, that resolved my issue:

[root@master ~]# ipa cert-request testuser1.csr --profile-id=cert_profile_smime --principal=testuser1
  Certificate:...
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 04 13:33:43 2015 UTC
  Not After: Fri Aug 04 13:33:43 2017 UTC
  Fingerprint (MD5): ...
  Fingerprint (SHA1): ...
  Serial number: 14
  Serial number (hex): 0xE

I'll close this bug and move the RFE back to ON_QA.

I'll open a separate bug for the case of accepting invalid config.

Thanks,
Scott

Comment 6 Scott Poore 2015-08-04 14:06:23 UTC
fyi, I opened bug #1250093 for the importing of invalid config.

