PyAsn1Error when trying to renew certs
For some reason certmonger failed to renew my certs earlier this month. I've gone through everything I was able to find online about rolling back the date to renew the certificates manually to no avail and I've been trying suggestions from <email address hidden>, also nothing that has helped yet.
On freeipa-users, they think that probably the certificate is being issued properly but then throwing an error while being parsed by pyasn1 based on the errors in the apache log (appended)
Based on that, the last thing that I tried was trying to rollback the pyasn1 version, but still got the same error.
I'm on 18.04 with 4.7.0~pre1+
python-pyasn1: 0.4.2-3
python-
I was going to bite-the-bullet and try upgrading to 20.04, until I saw that the server isn't *in* 20.04.
Any thoughts or suggestions would be greatly appreciated.
Apache:
-----
[Thu Oct 08 00:02:02.421838 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
[Thu Oct 08 00:02:02.421902 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] Traceback (most recent call last):
[Thu Oct 08 00:02:02.421914 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.421925 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] result = command(*args, **options)
[Thu Oct 08 00:02:02.421935 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.421972 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.__
[Thu Oct 08 00:02:02.421989 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422005 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ret = self.run(*args, **options)
[Thu Oct 08 00:02:02.422021 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422034 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] return self.execute(*args, **options)
[Thu Oct 08 00:02:02.422048 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422062 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] self.obj.
[Thu Oct 08 00:02:02.422072 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422082 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] cert.san_
[Thu Oct 08 00:02:02.422092 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422102 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] gns = self.__
[Thu Oct 08 00:02:02.422112 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422123 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ext['extnValue'], asn1Spec=
[Thu Oct 08 00:02:02.422133 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] File "/usr/lib/
[Thu Oct 08 00:02:02.422143 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
[Thu Oct 08 00:02:02.422153 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] PyAsn1Error: <TagSet object at 0x7ff98039fc90 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7ff98039f8d0 tagSet <TagSet object at 0x7ff99bed4290 tags 0:0:4> encoding iso-8859-1>
[Thu Oct 08 00:02:02.422713 2020] [wsgi:error] [pid 7261] [remote 10.1.5.4:58624] ipa: INFO: [xmlserver] <email address hidden>: cert_request(
-----
getcert list:
-----
Number of certificates and requests being tracked: 9.
Request ID '20181021083324':
status: MONITORING
stuck: no
key pair storage: type=FILE,
certificate: type=FILE,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=IPA RA,O=MYREALM.COM
expires: 2022-09-02 02:33:38 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083404':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=localhost
expires: 2022-09-05 12:15:19 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083405':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=localhost
expires: 2020-10-13 12:14:21 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083406':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=localhost
expires: 2020-10-13 12:15:01 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083407':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=localhost
expires: 2020-10-10 02:34:28 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083408':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: dogtag-
issuer: CN=Certificate Authority,
subject: CN=localhost
expires: 2020-10-13 12:14:29 MDT
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command: /usr/lib/
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083613':
status: CA_UNREACHABLE
ca-error: Server at https:/
stuck: no
key pair storage: type=NSSDB,
certificate: type=NSSDB,
CA: IPA
issuer: CN=Certificate Authority,
subject: CN=ipa01.
expires: 2020-10-21 02:36:13 MDT
dns: ipa01.mydomain.com
principal name: <email address hidden>
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command:
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083714':
status: NEED_CSR_GEN_PIN
stuck: yes
key pair storage: type=FILE,
certificate: type=FILE,
CA: IPA
issuer: CN=Certificate Authority,
subject: CN=ipa01.
expires: 2020-10-21 02:37:17 MDT
dns: ipa01.mydomain.com
principal name: <email address hidden>
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command:
post-save command: /usr/lib/
track: yes
auto-renew: yes
Request ID '20181021083724':
status: CA_UNREACHABLE
ca-error: Server at https:/
stuck: no
key pair storage: type=FILE,
certificate: type=FILE,
CA: IPA
issuer: CN=Certificate Authority,
subject: CN=ipa01.
expires: 2020-10-21 02:37:25 MDT
principal name: <email address hidden>
key usage: digitalSignatur
eku: id-kp-serverAut
pre-save command:
post-save command: /usr/lib/
track: yes
auto-renew: yes
Question information
- Language:
- English Edit question
- Status:
- Expired
- For:
- Ubuntu freeipa Edit question
- Assignee:
- No assignee Edit question
- Last query:
- Last reply: