Red Hat Bugzilla – Bug 1455862
"ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
Last modified: 2018-10-24 19:18:05 EDT
This bug is created as a clone of upstream ticket: https://pagure.io/freeipa/issue/6749 Description: `ipa: ERROR: an internal error has occurred` on executing command `ipa cert-request --add` after upgrade. Version: ipa-server-4.4.90-201703072305.el7.x86_64 Steps to Reproduce: 1. Upgrade IPA server configured on RHEL 7.3.z ito RHEL 7.4 (copr build) ipa-server-4.4.90-201703072305.el7.x86_64. ( #yum -y update 'ipa*' sssd). 2. Upgrade process completes. 3. After upgrade run the following commands: ```text # kinit admin # echo '[ req ] default_bits = 2048' > IPAMASTER-cert-req.conf # echo "default_keyfile = IPAMASTER.key" >> IPAMASTER-cert-req.conf # echo 'distinguished_name = test_key_file prompt = no output_password = .. [ test_key_file ] C = US ST = CA L = SFO O = RedHat Technology OU = RedHat IT' >> IPAMASTER-cert-req.conf # echo "CN = IPAMASTER.testrelm.test" >> IPAMASTER-cert-req.conf # csrfile="IPAMASTER.testrelm.test-cert-req.csr" # testprinc="EXAMPLE$(date +%H%M)/IPAMASTER.testrelm.test" # openssl req -new -config IPAMASTER-cert-req.conf -out $csrfile # ipa cert-request --add --principal=$testprinc $csrfile ``` Actual Result: 1. After step3, following error message is received: `ipa: ERROR: an internal error has occurred` 2. Under "/var/log/httpd/error_log" following error is noticed: ```text [Fri Mar 10 03:53:07.894514 2017] [:error] [pid 12952] ipa: ERROR: non-public: AttributeError: '_Certificate' object has no attribute 'serial_number' [Fri Mar 10 03:53:07.894531 2017] [:error] [pid 12952] Traceback (most recent call last): [Fri Mar 10 03:53:07.894533 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute [Fri Mar 10 03:53:07.894535 2017] [:error] [pid 12952] result = command(*args, **options) [Fri Mar 10 03:53:07.894537 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Fri Mar 10 03:53:07.894539 2017] [:error] [pid 12952] return self.__do_call(*args, **options) [Fri Mar 10 03:53:07.894541 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call [Fri Mar 10 03:53:07.894543 2017] [:error] [pid 12952] ret = self.run(*args, **options) [Fri Mar 10 03:53:07.894545 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run [Fri Mar 10 03:53:07.894546 2017] [:error] [pid 12952] return self.execute(*args, **options) [Fri Mar 10 03:53:07.894548 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 805, in execute [Fri Mar 10 03:53:07.894550 2017] [:error] [pid 12952] self.obj._parse(result, all) [Fri Mar 10 03:53:07.894552 2017] [:error] [pid 12952] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 388, in _parse [Fri Mar 10 03:53:07.894553 2017] [:error] [pid 12952] obj['serial_number'] = cert.serial_number [Fri Mar 10 03:53:07.894555 2017] [:error] [pid 12952] AttributeError: '_Certificate' object has no attribute 'serial_number' [Fri Mar 10 03:53:07.894745 2017] [:error] [pid 12952] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: cert_request/1(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICyTCCAbECAQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UE\\nBxMDU0ZPMRowGAYDVQQKExFSZWRIYXQgVGVjaG5vbG9neTESMBAGA1UECxMJUmVk\\nSGF0IElUMSkwJwYDVQQDEyBhdXRvLWh2LTAyLWd1ZXN0MDEudGVzdHJlbG0udGVz\\ndDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTVZBmIpq0qJQGiPDNF\\n7zvoHhd4Q0nledb5T3RBMqBitj++yixbr1O/xnBXiaJxK7agt/3mTT0MBLjRMl+m\\nk/T65LHlcraw/v71H8x5temk5zEucX5iV8utqd+1Z2wmxzkAU7BZ9Am7u+P6Ml3Q\\nNAmU4+N3Gg0W8R/RL4Atu6bsr818RZGcciYBLNCGAJJRZLI3WoljNVzCeAQu3MFt\\nTG/tkEfb+bENrh2ONygWzBx2ngHg5ZQWfh5YYekO0HgRrD3u7hJPJfKVTt8vo2fk\\nRk7ghBdX7qXlBzG384M3p0851ZkMAe1Wv1VQ9y6Ct8Dkfacqagp1QyAGTvVK5EnY\\nGbECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCzxF4mD3mfm6GyE3FzTyt2k7DY\\nP+xnJ5IgXD0N2iIiLagmFu8K5V1vrY8OQZvvOWQegcfgpU65fqM2OSQJRcF69if4\\nI7Is/SRUbdX45CVjDiemxElOkjcMJlZv6iCypwFIPjebr6xKtNg9IFvYlX9M0nlm\\ngYKCMQ4RItsIrmoD+MP49EDPcrw7Ut7Q+pG/hLQu/XEL5hGLasJyxsw2tLOEzv5Q\\nArJZ96Xvur6U/prysjk5LClNLo8TU+VVFrVwpfxv6D6NjLL99ewmeSksgnbNVnYp\\nWCYdS5DNrYBBtiRo82TOsiEsv0Y6XTMgcr/qYy6J95gNvydNSFr5PI9a/qip\\n-----END CERTIFICATE REQUEST-----\\n', principal=u'EXAMPLE0352/auto-hv-02-guest01.testrelm.test', add=True, version=u'2.219'): InternalError ``` Expected Result: No Error message should be received.
master: 9149f2d9c6e90f6dd974ea4317f71d17db3c869c Change python-cryptography to python2-cryptography ipa-4-5: 14ff94a0d481051613338a512260b6a473671538 Change python-cryptography to python2-cryptography
IPA-server: ipa-server-4.5.0-14.el7.x86_64 1. Verified that the error "ipa: ERROR: an internal error has occurred" after execution of command "ipa cert-request --add" is NOT observed after upgrade. 2. Refer the output for test case: :: [ BEGIN ] :: Running 'KinitAsAdmin' :: [ PASS ] :: Command 'KinitAsAdmin' (Expected 0, got 0) :: [ BEGIN ] :: Create a new CSR to work with :: actually running 'openssl req -new -config /tmp/tmp.7rYyhXdtt4/ipaqavme-cert-req.conf -out /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr' Generating a 2048 bit RSA private key ....................+++ ...................................+++ writing new private key to '/tmp/tmp.7rYyhXdtt4/ipaqavme.key' ----- :: [ PASS ] :: Create a new CSR to work with (Expected 0, got 0) :: [ BEGIN ] :: Request the csr into IPA :: actually running 'ipa cert-request --add --principal=EXAMPLE0857/ipaqavme.testrelm.test /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr > /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out 2>&1' :: [ PASS ] :: Request the csr into IPA (Expected 0, got 0) :: [ BEGIN ] :: Running 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out' Issuing CA: ipa Certificate: MIIEHDCCAwSgAwIBAgIBFTANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNjA2MTI1ODAxWhcNMTkwNjA3MTI1ODAxWjA5MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR8wHQYDVQQDDBZpcGFxYXZtZS50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsekfLh68zp142uTzAWDZ+Czsm+X7b9qawhZrgpjgzqCIezHTAIqbdHY8NmcnOs36aInYV0i1sfinLdEyTpAZgMi40UKn5dUVVRzRAkylN8xon+/anX6NdvYFIWpjN3Ihd2RQiEvvgTZgAHmabW1MdGiyIDjICjpm80ff3zKzJeMJSsjFfTFwXrUa+IcocvnTzs7oy9grWAiNawSXGtxNfzQFy3tePHFRonKcI+DRDD7US5TdHyCKxzLlL4ODVUZnY/zLu36Zh05e5c6oWAzCp5g1oUCYY788UO0Qqs9FfAvhSaTg1dFr9zKToCHpRbpQajKpiYTdTjxdV0qk7VOCQIDAQABo4IBLjCCASowHwYDVR0jBBgwFoAUv8MBzauZ3tcNrEtadTcw6UKzx5owPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFE4xONkrBW3/Hmtu/RAe4cUNjlZtMA0GCSqGSIb3DQEBCwUAA4IBAQBGD69T41YyuxZPCARD8CzY2M2jRRQyw+5fabFHh/FMC/LjG/5YNYiYRCaUwZoxXAj04Wo5d1uy/vik2rwbr1geV65xrJDlyqv66JRPWOULwk6FYguHMzPRjMedpjcBCnElWDwJ6IdFz9xSw4CtqzlDT9SM24WTJ9xwD7kYDszJsyLb5Jb5ooaHLXVeptIjrT0Boiip8BnVAyMMuUqOIqul7Pt8sL11ny4iO8Xa8PkqQUlvjzr1r5Y+ayxq+qcekvIXh7i9b8NikLlaQ7SEE+wHhf2+m2k77jBb16LSm1tp55UmSrTdSjlk6Rtc8uCoTSkLmlTk3mC9+u2uuphLmK2G Subject: CN=ipaqavme.testrelm.test,O=TESTRELM.TEST Issuer: CN=Certificate Authority,O=TESTRELM.TEST Not Before: Tue Jun 06 12:58:01 2017 UTC Not After: Fri Jun 07 12:58:01 2019 UTC Serial number: 21 Serial number (hex): 0x15 :: [ PASS ] :: Command 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out' (Expected 0, got 0) THus on the basis of above observations, marking the status of bug to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304