Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1455862

Summary: "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
Product: Red Hat Enterprise Linux 7 Reporter: Martin Bašti <mbasti>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: cobrown, ksiddiqu, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:51:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Bašti 2017-05-26 10:37:22 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6749

Description:
`ipa: ERROR: an internal error has occurred` on executing command `ipa cert-request --add` after upgrade.

Version:
ipa-server-4.4.90-201703072305.el7.x86_64

Steps to Reproduce:
1. Upgrade IPA server configured on RHEL 7.3.z ito RHEL 7.4 (copr build)
ipa-server-4.4.90-201703072305.el7.x86_64. ( #yum -y update 'ipa*' sssd).
2. Upgrade process completes.
3. After upgrade run the following commands:
```text
  #  kinit admin
  # echo '[ req ]
default_bits = 2048' > IPAMASTER-cert-req.conf
  # echo "default_keyfile = IPAMASTER.key" >> IPAMASTER-cert-req.conf
  # echo 'distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> IPAMASTER-cert-req.conf
    # echo "CN = IPAMASTER.testrelm.test" >> IPAMASTER-cert-req.conf
    # csrfile="IPAMASTER.testrelm.test-cert-req.csr"
    # testprinc="EXAMPLE$(date +%H%M)/IPAMASTER.testrelm.test"
    # openssl req -new -config IPAMASTER-cert-req.conf -out $csrfile
    # ipa cert-request --add --principal=$testprinc $csrfile
```
Actual Result:
1. After step3, following error message is received:
`ipa: ERROR: an internal error has occurred`
2. Under "/var/log/httpd/error_log" following error is noticed:
```text
[Fri Mar 10 03:53:07.894514 2017] [:error] [pid 12952] ipa: ERROR: non-public: AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894531 2017] [:error] [pid 12952] Traceback (most recent call last):
[Fri Mar 10 03:53:07.894533 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Fri Mar 10 03:53:07.894535 2017] [:error] [pid 12952]     result = command(*args, **options)
[Fri Mar 10 03:53:07.894537 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Mar 10 03:53:07.894539 2017] [:error] [pid 12952]     return self.__do_call(*args, **options)
[Fri Mar 10 03:53:07.894541 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Mar 10 03:53:07.894543 2017] [:error] [pid 12952]     ret = self.run(*args, **options)
[Fri Mar 10 03:53:07.894545 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Mar 10 03:53:07.894546 2017] [:error] [pid 12952]     return self.execute(*args, **options)
[Fri Mar 10 03:53:07.894548 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 805, in execute
[Fri Mar 10 03:53:07.894550 2017] [:error] [pid 12952]     self.obj._parse(result, all)
[Fri Mar 10 03:53:07.894552 2017] [:error] [pid 12952]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 388, in _parse
[Fri Mar 10 03:53:07.894553 2017] [:error] [pid 12952]     obj['serial_number'] = cert.serial_number
[Fri Mar 10 03:53:07.894555 2017] [:error] [pid 12952] AttributeError: '_Certificate' object has no attribute 'serial_number'
[Fri Mar 10 03:53:07.894745 2017] [:error] [pid 12952] ipa: INFO: [jsonserver_session] admin: cert_request/1(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIICyTCCAbECAQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UE\\nBxMDU0ZPMRowGAYDVQQKExFSZWRIYXQgVGVjaG5vbG9neTESMBAGA1UECxMJUmVk\\nSGF0IElUMSkwJwYDVQQDEyBhdXRvLWh2LTAyLWd1ZXN0MDEudGVzdHJlbG0udGVz\\ndDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTVZBmIpq0qJQGiPDNF\\n7zvoHhd4Q0nledb5T3RBMqBitj++yixbr1O/xnBXiaJxK7agt/3mTT0MBLjRMl+m\\nk/T65LHlcraw/v71H8x5temk5zEucX5iV8utqd+1Z2wmxzkAU7BZ9Am7u+P6Ml3Q\\nNAmU4+N3Gg0W8R/RL4Atu6bsr818RZGcciYBLNCGAJJRZLI3WoljNVzCeAQu3MFt\\nTG/tkEfb+bENrh2ONygWzBx2ngHg5ZQWfh5YYekO0HgRrD3u7hJPJfKVTt8vo2fk\\nRk7ghBdX7qXlBzG384M3p0851ZkMAe1Wv1VQ9y6Ct8Dkfacqagp1QyAGTvVK5EnY\\nGbECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCzxF4mD3mfm6GyE3FzTyt2k7DY\\nP+xnJ5IgXD0N2iIiLagmFu8K5V1vrY8OQZvvOWQegcfgpU65fqM2OSQJRcF69if4\\nI7Is/SRUbdX45CVjDiemxElOkjcMJlZv6iCypwFIPjebr6xKtNg9IFvYlX9M0nlm\\ngYKCMQ4RItsIrmoD+MP49EDPcrw7Ut7Q+pG/hLQu/XEL5hGLasJyxsw2tLOEzv5Q\\nArJZ96Xvur6U/prysjk5LClNLo8TU+VVFrVwpfxv6D6NjLL99ewmeSksgnbNVnYp\\nWCYdS5DNrYBBtiRo82TOsiEsv0Y6XTMgcr/qYy6J95gNvydNSFr5PI9a/qip\\n-----END CERTIFICATE REQUEST-----\\n', principal=u'EXAMPLE0352/auto-hv-02-guest01.testrelm.test', add=True, version=u'2.219'): InternalError
```

Expected Result:
No Error message should be received.
Comment 2 Martin Bašti 2017-05-26 10:39:11 UTC 
master:

9149f2d9c6e90f6dd974ea4317f71d17db3c869c Change python-cryptography to python2-cryptography

ipa-4-5:

14ff94a0d481051613338a512260b6a473671538 Change python-cryptography to python2-cryptography
Comment 4 Nikhil Dehadrai 2017-06-06 15:37:33 UTC 
IPA-server: ipa-server-4.5.0-14.el7.x86_64

1. Verified that the error "ipa: ERROR: an internal error has occurred" after execution of command "ipa cert-request --add" is NOT observed after upgrade.
2. Refer the output for test case:

:: [  BEGIN   ] :: Running 'KinitAsAdmin'
:: [   PASS   ] :: Command 'KinitAsAdmin' (Expected 0, got 0)
:: [  BEGIN   ] :: Create a new CSR to work with :: actually running 'openssl req -new -config /tmp/tmp.7rYyhXdtt4/ipaqavme-cert-req.conf -out /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr'
Generating a 2048 bit RSA private key
....................+++
...................................+++
writing new private key to '/tmp/tmp.7rYyhXdtt4/ipaqavme.key'
-----
:: [   PASS   ] :: Create a new CSR to work with (Expected 0, got 0)
:: [  BEGIN   ] :: Request the csr into IPA :: actually running 'ipa cert-request --add --principal=EXAMPLE0857/ipaqavme.testrelm.test /tmp/tmp.7rYyhXdtt4/ipaqavme.testrelm.test-cert-req.csr > /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out 2>&1'
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out'
  Issuing CA: ipa
  Certificate: MIIEHDCCAwSgAwIBAgIBFTANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNjA2MTI1ODAxWhcNMTkwNjA3MTI1ODAxWjA5MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR8wHQYDVQQDDBZpcGFxYXZtZS50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsekfLh68zp142uTzAWDZ+Czsm+X7b9qawhZrgpjgzqCIezHTAIqbdHY8NmcnOs36aInYV0i1sfinLdEyTpAZgMi40UKn5dUVVRzRAkylN8xon+/anX6NdvYFIWpjN3Ihd2RQiEvvgTZgAHmabW1MdGiyIDjICjpm80ff3zKzJeMJSsjFfTFwXrUa+IcocvnTzs7oy9grWAiNawSXGtxNfzQFy3tePHFRonKcI+DRDD7US5TdHyCKxzLlL4ODVUZnY/zLu36Zh05e5c6oWAzCp5g1oUCYY788UO0Qqs9FfAvhSaTg1dFr9zKToCHpRbpQajKpiYTdTjxdV0qk7VOCQIDAQABo4IBLjCCASowHwYDVR0jBBgwFoAUv8MBzauZ3tcNrEtadTcw6UKzx5owPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFE4xONkrBW3/Hmtu/RAe4cUNjlZtMA0GCSqGSIb3DQEBCwUAA4IBAQBGD69T41YyuxZPCARD8CzY2M2jRRQyw+5fabFHh/FMC/LjG/5YNYiYRCaUwZoxXAj04Wo5d1uy/vik2rwbr1geV65xrJDlyqv66JRPWOULwk6FYguHMzPRjMedpjcBCnElWDwJ6IdFz9xSw4CtqzlDT9SM24WTJ9xwD7kYDszJsyLb5Jb5ooaHLXVeptIjrT0Boiip8BnVAyMMuUqOIqul7Pt8sL11ny4iO8Xa8PkqQUlvjzr1r5Y+ayxq+qcekvIXh7i9b8NikLlaQ7SEE+wHhf2+m2k77jBb16LSm1tp55UmSrTdSjlk6Rtc8uCoTSkLmlTk3mC9+u2uuphLmK2G
  Subject: CN=ipaqavme.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jun 06 12:58:01 2017 UTC
  Not After: Fri Jun 07 12:58:01 2019 UTC
  Serial number: 21
  Serial number (hex): 0x15
:: [   PASS   ] :: Command 'cat /tmp/tmp.7rYyhXdtt4/tmpout.ipa_quicktest_ipa_ca_dns_setup.out' (Expected 0, got 0)

THus on the basis of above observations, marking the status of bug to "VERIFIED".
Comment 6 errata-xmlrpc 2017-08-01 09:51:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304