Sean McLennan via FreeIPA-users wrote:
>> I'm not great with Debian-based systems but apt show python-pyasn1 should provide the version of pyasn1 that is installed.
>> IPA 4.6.x is python2-based.
>> The problem isn't the request, it's an ASN.1 parsing error. I'm guessing that the CA is issuing the new cert ok but because of the parsing issue it is blowing up inside IPA so it can't be further processed.
>> So solving the python-pyasn1 issue could just fix everything. You might try downgrading it.
>> RHEL-7, which has IPA 4.6.6, uses python2-pyasn1-0.1.9-7.el7.
> I thought I would just bite the bullet and try upgrading the distribution and then presumably IPA, but it looks like Ubuntu has pulled freeipa-server from 20.04 entirely because of a bug in bind. :( And there doesn't appear to be a backport or anything.
> It occurred to me to look in the webui and after working around another bug on the Authentication > Certificates page, it is clear that new certs are being issued every time certmonger tries; I now have >50 of the same two certs (two are created each time certmonger is restarted). If I try to view any of those, I get the identical PyASN1 error both on screen and in the apache log.
> Inferring from the logs and getcert list, I believe they are the certs in: /var/lib/krb5kdc and /etc/dirsrv/slapd-MYREALM-COM/Server-Cert
> Are each of those being stored in the back end somewhere they might be exported? Or are they lost because they are not being written to disk?

It wouldn't help since there are a bunch of other certificates that also need to be renewed and won't w/o a working CA.

> Is there a way I can just generate new certificates or somehow manually bypass certmonger?

certmonger isn't the problem.

ipa-certfix can renew offline and would fix it but as discussed that isn't available.

What version of pyasn1 and pyasn1-modules do you have now? The version in RHEL that works with the 4.6 release hasn't been updated since 2016. It's upstream version 0.1.9 and modules version 0.0.8.

rob
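Rob's last question (which pyasn1 and pyasn1-modules are actually installed) is worth answering from the interpreter IPA runs under, not only from dpkg: IPA 4.6 is python2, and a pip-installed copy under /usr/local can shadow the apt package, so the two views can disagree. The script below is an added example written for this reply; it is not from the thread or from the FreeIPA project. It assumes the Debian package name python-pyasn1-modules, a script name of check_pyasn1.sh, an optional IPA_PYTHON environment variable naming the interpreter, and that both modules expose a `__version__` attribute; the known-good versions (0.1.9 and 0.0.8) are the ones Rob cites above.

```shell
#!/bin/sh
# Added example, not from the thread: report which pyasn1 / pyasn1-modules
# the IPA python2 interpreter really imports, and compare with the versions
# named above as known-good for IPA 4.6 (pyasn1 0.1.9, pyasn1-modules 0.0.8).
# The package name python-pyasn1-modules, the script name check_pyasn1.sh and
# the IPA_PYTHON override are assumptions made for this example.

KNOWN_PYASN1="0.1.9"
KNOWN_MODULES="0.0.8"

# Pull the Version: field out of `dpkg -s` / `apt show` style output.
version_from_status() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            Version:*)
                v="${line#Version:}"
                printf '%s\n' "${v# }"
                break
                ;;
        esac
    done
}

# Strip epoch and Debian revision: "1:0.4.8-1ubuntu1" -> "0.4.8".
upstream_version() {
    v="${1#*:}"
    printf '%s\n' "${v%%-*}"
}

# Ask an interpreter what it imports; a pip copy under /usr/local can shadow
# the apt package, so this is the version IPA actually runs with.
module_version() {   # $1 = interpreter, $2 = module name
    "$1" -c "import $2, sys; sys.stdout.write(getattr($2, '__version__', 'unknown'))" 2>/dev/null \
        || printf 'not importable'
}

# Returns 0 when the upstream part of $2 equals $3, 1 otherwise; $1 is a label.
check_version() {
    found="$(upstream_version "$2")"
    if [ "$found" = "$3" ]; then
        printf '%s %s matches known-good %s\n' "$1" "$found" "$3"
        return 0
    fi
    printf '%s %s differs from known-good %s (candidate for downgrading)\n' "$1" "$found" "$3"
    return 1
}

main() {
    py="${IPA_PYTHON:-python2}"
    rc=0
    # What the package manager believes is installed.
    for pkg in python-pyasn1 python-pyasn1-modules; do
        printf 'dpkg %s: %s\n' "$pkg" "$(version_from_status "$(dpkg -s "$pkg" 2>/dev/null)")"
    done
    # What the interpreter actually imports, compared with the known-good versions.
    check_version "pyasn1" "$(module_version "$py" pyasn1)" "$KNOWN_PYASN1" || rc=1
    check_version "pyasn1-modules" "$(module_version "$py" pyasn1_modules)" "$KNOWN_MODULES" || rc=1
    return $rc
}

# Run the report only when invoked directly as check_pyasn1.sh.
[ "${0##*/}" = "check_pyasn1.sh" ] && main
```

Run it as `sh check_pyasn1.sh` on the IPA server (set IPA_PYTHON if the IPA interpreter is not plain `python2`); a non-zero exit means at least one of the two modules the interpreter imports is not the known-good version, and the dpkg lines show whether the mismatch comes from the apt package itself or from something shadowing it.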