1596161 – Traceback in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1596161 - Traceback in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012

Summary: Traceback in messages file during ipa-server-install: File "/usr/libexec/cert...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	certmonger
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	1597514 1600356 1601959 1602149 (view as bug list)
Depends On:
Blocks:	1427105 1607616
TreeView+	depends on / blocked

Reported:	2018-06-28 10:56 UTC by Sudhir Menon
Modified:	2018-08-14 12:11 UTC (History)
CC List:	14 users (show)
Fixed In Version:	certmonger-0.78.4-9.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1607616 (view as bug list)
Environment:
Last Closed:	2018-08-14 12:00:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
messages (210.46 KB, text/plain) 2018-06-28 11:05 UTC, Sudhir Menon	no flags	Details
ipa-server-install log (4.13 MB, text/plain) 2018-06-28 11:12 UTC, Sudhir Menon	no flags	Details
View All

Description Sudhir Menon 2018-06-28 10:56:59 UTC

Description of problem: Traceback seen in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012

Version-Release number of selected component (if applicable):
[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

ipa-server-4.6.4-1.el7.x86_64
389-ds-base-1.3.8.2-1.el7.x86_64
certmonger-0.78.4-6.el7.x86_64
sssd-1.16.2-1.el7.x86_64
krb5-server-1.15.1-32.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
pki-server-10.5.9-1.el7.noarch
certmonger-0.78.4-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server
2. Check /var/log/messages

Actual results:
Traceback is seen in /var/log/messages file.

Jun 28 06:42:31 ipaqavma dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012    raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".

Expected results:
Traceback should be fixed.

Additional info:

Comment 2 Sudhir Menon 2018-06-28 11:05:39 UTC

Created attachment 1455240 [details]
messages

Comment 3 Sudhir Menon 2018-06-28 11:12:57 UTC

Created attachment 1455243 [details]
ipa-server-install log

Comment 5 Kaleem 2018-07-02 08:23:55 UTC

Sudhir,

Please provide the exact command used for ipa-server-install.

Comment 6 Sudhir Menon 2018-07-02 10:11:24 UTC

Kaleem,
I had actually used ipa-server-install with integrated DNS in an interactive installation, no specific command line options was provided.

Comment 7 Florence Blanc-Renaud 2018-07-10 04:52:30 UTC

The issue happens in api.bootstrap because this method is called with an env variable LANG/LC_ALL not set.
When certmonger is starting the CA helpers, it clears all the environment variables, but it should rather set LANG or LC_ALL to a suitable value (i.e. one for which sys.getfilesystemencoding() returns utf-8).

The fix already exists in certmonger and needs to be backported:
https://pagure.io/certmonger/c/0288d36e56bab788da3a494142bf9070f9f3aaf9?branch=master
Keep LC_*, LANG, set default LC_CTYPE

Moving to certmonger component.

Comment 8 Florence Blanc-Renaud 2018-07-10 04:55:55 UTC

*** Bug 1597514 has been marked as a duplicate of this bug. ***

Comment 9 Rob Crittenden 2018-07-16 16:52:06 UTC

*** Bug 1600356 has been marked as a duplicate of this bug. ***

Comment 10 Rob Crittenden 2018-07-17 15:09:10 UTC

*** Bug 1601959 has been marked as a duplicate of this bug. ***

Comment 11 Rob Crittenden 2018-07-17 22:38:28 UTC

*** Bug 1602149 has been marked as a duplicate of this bug. ***

Comment 13 Scott Poore 2018-07-24 14:03:42 UTC

I'm still seeing this traceback with the updated version of certmonger:

[root@vm-idm-037 log]# rpm -q certmonger
certmonger-0.78.4-8.el7.x86_64

From automation that failed ipa-certupdate:

STDERR:

The ipa-pkinit-manage command was successful
The ipa-cacert-manage command was successful
trying https://vm-idm-037.domain.scrubbed/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://vm-idm-037.domain.scrubbed/ipa/session/json'
Error resubmitting certmonger request '20180724014644', please check the request manually
The ipa-certupdate command failed.
Failed to update IPA CA certificate database

In /var/log/messages:

Jul 24 07:54:53 vm-idm-037 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 502, in main#012    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)#012  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap#012    raise errors.SystemEncodingError(encoding=fse)#012SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
Jul 24 07:54:53 vm-idm-037 certmonger: 2018-07-24 07:54:53 [16766] Internal error

Comment 14 Rob Crittenden 2018-07-24 14:19:26 UTC

Upon further review this is not an issue in certmonger at all. The failure is in the IPA-provided script. I'm going to roll back the patches to certmonger and remove this from the errata, and re-assign back to ipa project.

Comment 15 Rob Crittenden 2018-07-24 14:20:50 UTC

And further considering, let's leave this in for now and see what happens after ipa fixes it. If possible it would be good to test with certmonger 0.78.4-6 as well as 0.78.4-8 to see if behavior of certmonger has changed.

Comment 18 Fraser Tweedale 2018-08-02 13:10:35 UTC

The scope of the IPA issue is more than just certmonger: a lot of different things break if the system encoding is not utf-8.  See upstream
ticket https://pagure.io/freeipa/issue/7646.

Comment 19 Fraser Tweedale 2018-08-02 13:15:14 UTC

BZ for ipa component is https://bugzilla.redhat.com/show_bug.cgi?id=1598044.

Comment 22 Nikhil Dehadrai 2018-08-10 10:35:30 UTC

The issue mentioned in the bug also affects RFE at BZ1427105#c14 for scenario related to :

Setup IPA as SELF-SIGNED server and promote it to EXT-CA using  "String-Name" in option '--external-ca-profile='

Setup IPA as SELF-SIGNED server and promote it to EXT-CA using  "OID" in option '--external-ca-profile='

Comment 23 Scott Poore 2018-08-13 14:28:24 UTC

Note that the ipa-certupdate issue I was seeing before seems to be resolved with the fixed version of certmonger and ipa:

https://bugzilla.redhat.com/show_bug.cgi?id=1598044#c14

Comment 24 Rob Crittenden 2018-08-14 12:00:47 UTC

I reverted the patches I added to handle LANG in build certmonger-0.78.4-9.el7 since these are unrelated to the underlying issue.

Note You need to log in before you can comment on or make changes to this bug.