Sean McLennan via FreeIPA-users wrote:
What version of python-pyasn1 and pyasn1-modules is installed? You might try upgrading/downgrading them to see if that helps.
There are two versions: python-pyasn1(-modules) and python3-pyasn1(-modules)
I tried to uninstall the first with apt—doing so was also going to remove all of freeipa(!) so I did not go through with that!
Digging a bit more, it appears that ipa is using the Apache2 wsgi mod to run python code and mod_wsgi is specifically Python 2.7. Also, in the apache error trace all the ipa-specific python files are in /usr/lib/python2.7/dist-packages/ and those don't exist anywhere else. So I'm thinking it's unlikely to be a version problem.
I'm not sure how to get any more information... is there a way to try and manually make the same requests on the command line and maybe get something more useful? Or is there a way to manually just replace the expired cert with a new one?
I'm not great with Debian-based systems but apt show python-pyasn1 should provide the version of pyasn1 that is installed.
IPA 4.6.x is python2-based.
The problem isn't the request, it's an ASN.1 parsing error. I'm guessing that the CA is issuing the new cert ok but because of the parsing issue it is blowing up inside IPA so it can't be further processed.
So solving the python-pyasn1 issue could just fix everything. You might try downgrading it.
RHEL-7, which has IPA 4.6.6, uses python2-pyasn1-0.1.9-7.el7.
rob