Bug 1455862 - "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
Summary: "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-r...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-26 10:37 UTC by Martin Bašti 🖰
Modified: 2018-10-24 23:18 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Bašti 🖰 2017-05-26 10:37:22 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6749

Description:
`ipa: ERROR: an internal error has occurred` on executing command `ipa cert-request --add` after upgrade.

Version:
ipa-server-4.4.90-201703072305.el7.x86_64

Steps to Reproduce:
1. Upgrade IPA server configured on RHEL 7.3.z ito RHEL 7.4 (copr build)
ipa-server-4.4.90-201703072305.el7.x86_64. ( #yum -y update 'ipa*' sssd).
2. Upgrade process completes.
3. After upgrade run the following commands:
```text
  #  kinit admin
  # echo '[ req ]
default_bits = 2048' > IPAMASTER-cert-req.conf
  # echo "default_keyfile = IPAMASTER.key" >> IPAMASTER-cert-req.conf
  # echo 'distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> IPAMASTER-cert-req.conf
    # echo "CN = IPAMASTER.testrelm.test" >> IPAMASTER-cert-req.conf
    # csrfile="IPAMASTER.testrelm.test-cert-req.csr"
    # testprinc="EXAMPLE$(date +%H%M)/IPAMASTER.testrelm.test"
    # openssl req -new -config IPAMASTER-cert-req.conf -out $csrfile
    # ipa cert-request --add --principal=$testprinc $csrfile
```
Actual Result:
1. After step3, following error message is received:
`ipa: ERROR: an internal error has occurred`
2. Under "/var/log/httpd/error_log" following error is noticed:
```text
[Fri Mar 10 03:53:07.894514 2017] [:error] [pid 12952] ipa: ERROR: non-public: AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894531 2017] [:error] [pid 12952] Traceback (most recent call last):
[Fri Mar 10 03:53:07.894533 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Fri Mar 10 03:53:07.894535 2017] [:error] [pid 12952]     result = command(*args, **options)
[Fri Mar 10 03:53:07.894537 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Mar 10 03:53:07.894539 2017] [:error] [pid 12952]     return self.__do_call(*args, **options)
[Fri Mar 10 03:53:07.894541 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Mar 10 03:53:07.894543 2017] [:error] [pid 12952]     ret = self.run(*args, **options)
[Fri Mar 10 03:53:07.894545 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Mar 10 03:53:07.894546 2017] [:error] [pid 12952]     return self.execute(*args, **options)
[Fri Mar 10 03:53:07.894548 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 805, in execute
[Fri Mar 10 03:53:07.894550 2017] [:error] [pid 12952]     self.obj._parse(result, all)
[Fri Mar 10 03:53:07.894552 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 388, in _parse
[Fri Mar 10 03:53:07.894553 2017] [:error] [pid 12952]     obj['serial_number'] = cert.serial_number
[Fri Mar 10 03:53:07.894555 2017] [:error] [pid 12952] AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894745 2017] [:error] [pid 12952] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: cert_request/1(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICyTCCAbECAQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UE\\nBxMDU0ZPMRowGAYDVQQKExFSZWRIYXQgVGVjaG5vbG9neTESMBAGA1UECxMJUmVk\\nSGF0IElUMSkwJwYDVQQDEyBhdXRvLWh2LTAyLWd1ZXN0MDEudGVzdHJlbG0udGVz\\ndDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTVZBmIpq0qJQGiPDNF\\n7zvoHhd4Q0nledb5T3RBMqBitj++yixbr1O/xnBXiaJxK7agt/3mTT0MBLjRMl+m\\nk/T65LHlcraw/v71H8x5temk5zEucX5iV8utqd+1Z2wmxzkAU7BZ9Am7u+P6Ml3Q\\nNAmU4+N3Gg0W8R/RL4Atu6bsr818RZGcciYBLNCGAJJRZLI3WoljNVzCeAQu3MFt\\nTG/tkEfb+bENrh2ONygWzBx2ngHg5ZQWfh5YYekO0HgRrD3u7hJPJfKVTt8vo2fk\\nRk7ghBdX7qXlBzG384M3p0851ZkMAe1Wv1VQ9y6Ct8Dkfacqagp1QyAGTvVK5EnY\\nGbECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCzxF4mD3mfm6GyE3FzTyt2k7DY\\nP+xnJ5IgXD0N2iIiLagmFu8K5V1vrY8OQZvvOWQegcfgpU65fqM2OSQJRcF69if4\\nI7Is/SRUbdX45CVjDiemxElOkjcMJlZv6iCypwFIPjebr6xKtNg9IFvYlX9M0nlm\\ngYKCMQ4RItsIrmoD+MP49EDPcrw7Ut7Q+pG/hLQu/XEL5hGLasJyxsw2tLOEzv5Q\\nArJZ96Xvur6U/prysjk5LClNLo8TU+VVFrVwpfxv6D6NjLL99ewmeSksgnbNVnYp\\nWCYdS5DNrYBBtiRo82TOsiEsv0Y6XTMgcr/qYy6J95gNvydNSFr5PI9a/qip\\n-----END CERTIFICATE REQUEST-----\\n', principal=u'EXAMPLE0352/auto-hv-02-guest01.testrelm.test', add=True, version=u'2.219'): InternalError
```

Expected Result:
No Error message should be received.

Comment 2 Martin Bašti 🖰 2017-05-26 10:39:11 UTC
master:

9149f2d9c6e90f6dd974ea4317f71d17db3c869c Change python-cryptography to python2-cryptography

ipa-4-5:

14ff94a0d481051613338a512260b6a473671538 Change python-cryptography to python2-cryptography

Comment 4 Nikhil Dehadrai 2017-06-06 15:37:33 UTC
IPA-server: ipa-server-4.5.0-14.el7.x86_64

1. Verified that the error "ipa: ERROR: an internal error has occurred" after execution of command "ipa cert-request --add" is NOT observed after upgrade.
2. Refer the output for test case:

:: [  BEGIN   ] :: Running 'KinitAsAdmin'
:: [   PASS   ] :: Command 'KinitAsAdmin' (Expected 0, got 0)
:: [  BEGIN   ] :: Create a new CSR to work with :: actually running 'openssl req -new -config /tmp/tmp.7rYyhXdtt4/ipaqavme-cert-req.conf -out /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr'
Generating a 2048 bit RSA private key
....................+++
...................................+++
writing new private key to '/tmp/tmp.7rYyhXdtt4/ipaqavme.key'
-----
:: [   PASS   ] :: Create a new CSR to work with (Expected 0, got 0)
:: [  BEGIN   ] :: Request the csr into IPA :: actually running 'ipa cert-request --add --principal=EXAMPLE0857/ipaqavme.testrelm.test /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr > /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out 2>&1'
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out'
  Issuing CA: ipa
  Certificate: MIIEHDCCAwSgAwIBAgIBFTANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNjA2MTI1ODAxWhcNMTkwNjA3MTI1ODAxWjA5MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR8wHQYDVQQDDBZpcGFxYXZtZS50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsekfLh68zp142uTzAWDZ+Czsm+X7b9qawhZrgpjgzqCIezHTAIqbdHY8NmcnOs36aInYV0i1sfinLdEyTpAZgMi40UKn5dUVVRzRAkylN8xon+/anX6NdvYFIWpjN3Ihd2RQiEvvgTZgAHmabW1MdGiyIDjICjpm80ff3zKzJeMJSsjFfTFwXrUa+IcocvnTzs7oy9grWAiNawSXGtxNfzQFy3tePHFRonKcI+DRDD7US5TdHyCKxzLlL4ODVUZnY/zLu36Zh05e5c6oWAzCp5g1oUCYY788UO0Qqs9FfAvhSaTg1dFr9zKToCHpRbpQajKpiYTdTjxdV0qk7VOCQIDAQABo4IBLjCCASowHwYDVR0jBBgwFoAUv8MBzauZ3tcNrEtadTcw6UKzx5owPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFE4xONkrBW3/Hmtu/RAe4cUNjlZtMA0GCSqGSIb3DQEBCwUAA4IBAQBGD69T41YyuxZPCARD8CzY2M2jRRQyw+5fabFHh/FMC/LjG/5YNYiYRCaUwZoxXAj04Wo5d1uy/vik2rwbr1geV65xrJDlyqv66JRPWOULwk6FYguHMzPRjMedpjcBCnElWDwJ6IdFz9xSw4CtqzlDT9SM24WTJ9xwD7kYDszJsyLb5Jb5ooaHLXVeptIjrT0Boiip8BnVAyMMuUqOIqul7Pt8sL11ny4iO8Xa8PkqQUlvjzr1r5Y+ayxq+qcekvIXh7i9b8NikLlaQ7SEE+wHhf2+m2k77jBb16LSm1tp55UmSrTdSjlk6Rtc8uCoTSkLmlTk3mC9+u2uuphLmK2G
  Subject: CN=ipaqavme.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jun 06 12:58:01 2017 UTC
  Not After: Fri Jun 07 12:58:01 2019 UTC
  Serial number: 21
  Serial number (hex): 0x15
:: [   PASS   ] :: Command 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out' (Expected 0, got 0)

THus on the basis of above observations, marking the status of bug to "VERIFIED".

Comment 6 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.