I'm not great with Debian-based systems but apt show python-pyasn1
should provide the version of pyasn1 that is installed.
IPA 4.6.x is python2-based.
The problem isn't the request, it's an ASN.1 parsing error. I'm guessing
that the CA is issuing the new cert ok but because of the parsing issue
it is blowing up inside IPA so it can't be further processed.
So solving the python-pyasn1 issue could just fix everything. You might
try downgrading it.
RHEL-7, which has IPA 4.6.6, uses python2-pyasn1-0.1.9-7.el7.
I thought I would just bite the bullet and try upgrading the
distribution and then presumably IPA, but it looks like Ubuntu has
pulled freeipa-server from 20.04 entirely because of a bug in bind. :(
And there doesn't appear to be backport or anything.
It occurred to me to look in the webui and after working around another
bug on the Authentication>Certificates page, it is clear that new certs
are being issued every time certmonger tries—I now have >50 of the same
two certs (two are created each time certmonger is restarted). If I try
to view any of those, I get the identical PyASN1 error both on screen
and in the Apache log.
Inferring from the logs and getcert list, I believe they are the certs in:
/var/lib/krb5kdc and
/etc/dirsrv/slapd-MYREALM-COM/Server-Cert
Are each of those being stored in the back end somewhere they might be
exported? Or are they lost because they are not being written to disk?
Is there a way I can just generate new certificates or somehow manually
bypass certmonger?
Thanks,
Sean