On 12/24/19 10:26 AM, Petar Kozić via FreeIPA-users wrote:
> I found that it is a bug in the python module.
> I solved it and installed my SSL certificate when I did this:
> https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157
> Can this be a problem in the future if I continue using Let’s Encrypt?
> Full debug log:
>
>
> ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
> 'dbm:/tmp/tmpBxKREw', '-V', '-n', "my.real.domain.name.is.here - Let's
> Encrypt", '-u', 'V', '-f', '/tmp/tmpBxKREw/pwdfile.txt']
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
>
> ipapython.ipautil: DEBUG: stderr=
> ipapython.admintool: DEBUG: File
> "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174,
> in execute
> return_value = self.run()
> File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
> line 116, in run
> self.replace_http_cert()
> File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
> line 156, in replace_http_cert
> host_name=api.env.host
> File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
> line 201, in load_pkcs12
> **kwargs)
> File
> "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py",
> line 1193, in load_pkcs12
> nssdb.verify_server_cert_validity(key_nickname, host_name)
> File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line
> 858, in verify_server_cert_validity
> cert.match_hostname(hostname)
> File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 377, in
> match_hostname
> values = self.san_a_label_dns_names
> File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 357, in
> san_a_label_dns_names
> gns = self.__pyasn1_get_san_general_names()
> File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in
> __pyasn1_get_san_general_names
> ext['extnValue'], asn1Spec=univ.OctetString())[0]
> File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py",
> line 1318, in __call__
> '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
>
Hi,
the message looks similar to the one from issue 7685
(https://pagure.io/freeipa/issue/7685), which was solved in ipa 4.7.1.
Which version of freeipa are you using? And which version of python3-pyasn1?
flo
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed,
> exception: PyAsn1Error: <TagSet object at 0x7f8213de2bd0 tags 0:32:16>
> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet
> <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
> ipapython.admintool: ERROR: <TagSet object at 0x7f8213de2bd0 tags
> 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0
> tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
>
>> Thank you, when I put the path it looks different, but with a new error :(
>>
>>
>> <TagSet object at 0x7f0e0fffed50 tags 0:32:16> not in asn1Spec:
>> <OctetString schema object at 0x7f0e0fe17b50 tagSet <TagSet object at
>> 0x7f0e1d9323d0 tags 0:0:4>
>> encoding iso-8859-1>
>> The ipa-server-certinstall command failed.
>>
>>
>>
>> On December 23, 2019 at 5:45:51 PM, Florence Blanc-Renaud
>> (flo(a)redhat.com <mailto:flo@redhat.com>) wrote:
>>
>>> On 12/23/19 4:52 PM, Petar Kozić via FreeIPA-users wrote:
>>> > Hi folks,
>>> >
>>> > I have one IPA server in production for my small environment. There I
>>> > set the Let’s Encrypt CA root and issued a .p12 cert without problems.
>>> >
>>> > Now, I want to install FreeIPA on a VPS, but I have a problem with the Let’s
>>> > Encrypt SSL certificate. I can’t import it.
>>> >
>>> > First, I imported the CA certificates:
>>> >
>>> > ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
>>> >
>>> > ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
>>> >
>>> > ipa-certupdate -v
>>> >
>>> > That’s all ok.
>>> >
>>> > But then I generate a new p12 with the command:
>>> >
>>> > openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12
>>> > -certfile fullchain.pem
>>> >
>>> > Then it asks me for a password and that is all ok.
>>> >
>>> > When I run:
>>> >
>>> > ipa-server-certinstall -w ipa.p12 -v
>>> >
>>> > it asks me for the Directory password and the password which I entered in
>>> > the step above, then I get an error:
>>> >
>>> > ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736
>>> > ipapython.ipautil: DEBUG: Starting external process
>>> > ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
>>> > '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@',
>>> > '/tmp/tmpauWQ5Z/pwdfile.txt']
>>> > ipapython.ipautil: DEBUG: Process finished, return code=0
>>> > ipapython.ipautil: DEBUG: stdout=
>>> > ipapython.ipautil: DEBUG: stderr=
>>> > ipapython.ipautil: DEBUG: Starting external process
>>> > ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d',
>>> > 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k',
>>> > '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt']
>>> > ipapython.ipautil: DEBUG: Process finished, return code=10
>>> > ipapython.ipautil: DEBUG: stdout=
>>> > ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12:
>>> > PR_FILE_NOT_FOUND_ERROR: File not found
>>> >
>>> > ipapython.admintool: DEBUG: File
>>> > "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in
>>> > execute
>>> > return_value = self.run()
>>> > File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
>>> > line 116, in run
>>> > self.replace_http_cert()
>>> > File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
>>> > line 156, in replace_http_cert
>>> > host_name=api.env.host
>>> > File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
>>> > line 201, in load_pkcs12
>>> > **kwargs)
>>> > File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py",
>>> > line 1151, in load_pkcs12
>>> > raise ScriptError(str(e))
>>> >
>>> > ipapython.admintool: DEBUG: The ipa-server-certinstall command failed,
>>> > exception: ScriptError: Failed to load ipa.p12
>>> > ipapython.admintool: ERROR: Failed to load ipa.p12
>>> > ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
>>> >
>>> >
>>> > Some ideas?
>>> >
>>> Hi,
>>> Did you try to provide the full path to ipa.p12? Check the file
>>> permissions?
>>>
>>> flo
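The error in the quoted log is pyasn1 reporting that it met a SEQUENCE (tags 0:32:16: universal class, constructed form, tag number 16) where the asn1Spec demanded an OCTET STRING (tags 0:0:4), i.e. the SubjectAltName extnValue reached the decoder without its OCTET STRING wrapper. The following is an added example, not FreeIPA or pyasn1 code: a minimal DER reader that performs the same SAN-decoding and hostname-matching steps as the traceback's san_a_label_dns_names and match_hostname, accepts both the wrapped and the already-unwrapped form, and builds its own constructed sample SAN (the host names are made up).

```python
SEQUENCE = 0x30      # universal, constructed, tag 16 (pyasn1 shows this as tags 0:32:16)
OCTET_STRING = 0x04  # universal, primitive, tag 4    (pyasn1: tags 0:0:4)
DNS_NAME = 0x82      # GeneralName dNSName: context-specific [2], primitive


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV with a definite length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_dns_names(extn_value):
    """Return the dNSName entries of a SubjectAltName extension value.

    A strict decoder with asn1Spec=OctetString fails as soon as the outer
    OCTET STRING is missing; here a bare SEQUENCE OF GeneralName is accepted
    too, so an already-unwrapped extnValue still decodes."""
    tag, inner, _ = read_tlv(extn_value)
    if tag == OCTET_STRING:          # normal case: unwrap to the GeneralNames SEQUENCE
        tag, inner, _ = read_tlv(inner)
    if tag != SEQUENCE:
        raise ValueError("tag 0x%02x not in asn1Spec: SEQUENCE" % tag)
    names, pos = [], 0
    while pos < len(inner):
        gtag, gval, pos = read_tlv(inner, pos)
        if gtag == DNS_NAME:         # other GeneralName choices (IP, email, ...) are skipped
            names.append(gval.decode("ascii"))
    return names


def match_hostname(extn_value, hostname):
    """The certinstall check: the server's FQDN must appear among the SAN dNSNames."""
    return hostname.lower() in (n.lower() for n in san_dns_names(extn_value))


def encode_san(dns_names):
    """Constructed sample data: SAN extnValue (OCTET STRING wrapping the SEQUENCE),
    short-form lengths only, which is enough for a few names under 128 bytes."""
    gnames = b"".join(bytes([DNS_NAME, len(n)]) + n.encode("ascii") for n in dns_names)
    seq = bytes([SEQUENCE, len(gnames)]) + gnames
    return bytes([OCTET_STRING, len(seq)]) + seq


if __name__ == "__main__":
    san = encode_san(["ipa.example.test", "www.example.test"])  # hypothetical names
    print(san_dns_names(san), san_dns_names(san[2:]), match_hostname(san, "ipa.example.test"))
```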
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...