[Freeipa-users] Re: Letsencrypt and IPA

I found that is bug in python module. I solved and installed my SSL when I do this: https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157 Can this be a problem in the future if I continue to using Let’s encrypt? > Full debug log: > > > ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', > 'dbm:/tmp/tmpBxKREw', '-V', '-n', "my.real.domain.name.is.here - Let's > Encrypt", '-u', 'V', '-f', '/tmp/tmpBxKREw/pwdfile.txt'] > ipapython.ipautil: DEBUG: Process finished, return code=0 > ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid > > ipapython.ipautil: DEBUG: stderr= > ipapython.admintool: DEBUG:   File > "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, > in execute >     return_value = self.run() >   File > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", > line 116, in run > self.replace_http_cert() >   File > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", > line 156, in replace_http_cert > host_name=api.env.host >   File > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", > line 201, in load_pkcs12 >     **kwargs) >   File > "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", > line 1193, in load_pkcs12 > nssdb.verify_server_cert_validity(key_nickname, host_name) >   File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line > 858, in verify_server_cert_validity > cert.match_hostname(hostname) >   File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 377, in > match_hostname >     values = self.san_a_label_dns_names >   File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 357, in > san_a_label_dns_names >     gns = self.__pyasn1_get_san_general_names() >   File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in > __pyasn1_get_san_general_names >     ext['extnValue'], asn1Spec=univ.OctetString())[0] >   File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", > line 1318, in __call__ >     '%s not in asn1Spec: %r' % (tagSet, asn1Spec) >

> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, > exception: PyAsn1Error: <TagSet object at 0x7f8213de2bd0 tags 0:32:16> > not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet > <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1> > ipapython.admintool: ERROR: <TagSet object at 0x7f8213de2bd0 tags > 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 > tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1> > ipapython.admintool: ERROR: The ipa-server-certinstall command failed. > >> Thank you, when I put path looks different, but with new error :( >> >> >> <TagSet object at 0x7f0e0fffed50 tags 0:32:16> not in asn1Spec: >> <OctetString schema object at 0x7f0e0fe17b50 tagSet <TagSet object at >> 0x7f0e1d9323d0 tags 0:0:4> >> encoding iso-8859-1> >> The ipa-server-certinstall command failed. >> >> >> >> On December 23, 2019 at 5:45:51 PM, Florence Blanc-Renaud >> (flo(a)redhat.com <mailto:flo@redhat.com>) wrote: >> >>> On 12/23/19 4:52 PM, Petar Kozić via FreeIPA-users wrote: >>> > Hi folks, >>> > >>> > I have one IPA server in production for my small environment. There I >>> > set Let’s Encrypt CA root and issue .p12 cert without problem. >>> > >>> > Now, I want to install FreeIPA on VPS, but I have problem with Let’s >>> > encrypt SSL. I can’t import SSL. >>> > >>> > First, I imported CA certficates: >>> > >>> > ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem >>> > >>> > ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer >>> > >>> > ipa-certupdate -v >>> > >>> > That’s all ok. >>> > >>> > But than, I generate new p12 >>> > >>> > with command: >>> > >>> > openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12 >>> > -certfile fullchain.pem >>> > >>> > Than, ask me for pass and that all is ok. >>> > >>> > When I run: >>> > >>> > ipa-server-certinstall -w ipa.p12 -v >>> > >>> > ask me for Directory pass and pass which I enter in step above, >>> > than I get error: >>> > >>> > ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736 >>> > ipapython.ipautil: DEBUG: Starting external process >>> > ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', >>> > '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@', >>> > '/tmp/tmpauWQ5Z/pwdfile.txt'] >>> > ipapython.ipautil: DEBUG: Process finished, return code=0 >>> > ipapython.ipautil: DEBUG: stdout= >>> > ipapython.ipautil: DEBUG: stderr= >>> > ipapython.ipautil: DEBUG: Starting external process >>> > ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', >>> > 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k', >>> > '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt'] >>> > ipapython.ipautil: DEBUG: Process finished, return code=10 >>> > ipapython.ipautil: DEBUG: stdout= >>> > ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12: >>> > PR_FILE_NOT_FOUND_ERROR: File not found >>> > >>> > ipapython.admintool: DEBUG:   File >>> > "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in >>> > execute >>> >     return_value = self.run() >>> >   File >>> > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", >>> > line 116, in run >>> >     self.replace_http_cert() >>> >   File >>> > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", >>> > line 156, in replace_http_cert >>> >     host_name=api.env.host >>> >   File >>> > "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", >>> > line 201, in load_pkcs12 >>> >     **kwargs) >>> >   File >>> > "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", >>> > line 1151, in load_pkcs12 >>> >     raise ScriptError(str(e)) >>> > >>> > ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, >>> > exception: ScriptError: Failed to load ipa.p12 >>> > ipapython.admintool: ERROR: Failed to load ipa.p12 >>> > ipapython.admintool: ERROR: The ipa-server-certinstall command failed. >>> > >>> > >>> > Some ideas ? >>> > >>> Hi, >>> Did you try to provide the full path to ipa.p12? Check the file >>> permissions? >>> >>> flo >>> > *—* >>> > * >>> > * >>> > *Petar Kozić* >>> > System Administrator >>> > >>> > *mobile: *+381 6 <callto:+381%2060%2006%2088%20008>4 83 44 310* >>> > * >>> > *e-mail:* petar.kozic(a)mint.rs <mailto:petar.kozic@mint.rs> >>> <mailto:petar.kozic@mint.rs <mailto:petar.kozic@mint.rs>> >>> > >>> > Mint Services | Jove Ilića 140 | 11000 Beograd | Srbija >>> > >>> > _______________________________________________ >>> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> <mailto:freeipa-users@lists.fedorahosted.org> >>> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >>> <mailto:freeipa-users-leave@lists.fedorahosted.org> >>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>> > >>> _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...