Unable to update server_public_cert_pem


Kevin Kunkel

Oct 21, 2014, 1:54:20 PM
to simian-...@googlegroups.com
Hello all,

We're transitioning to a new puppet server and CA. I've removed the certs and keys from the Datastore, but when I attempt to upload the new server_public_cert.pem, I'm getting


500 Internal Server Error

The server has either erred or is incapable of performing the requested operation.

The AppEngine logs show:

  1. 64.129.148.114 - - [21/Oct/2014:09:44:15 -0700] "POST /auth HTTP/1.1" 403 84 - - "<myinstance>.appspot.com" ms=34 cpu_ms=0 cpm_usd=0.000009 app_engine_release=1.9.13 instance=00c61b117c8cf4cea5caf9ce947b3db032fa22aa
  2. C2014-10-21 12:44:15.113
    server_public_cert_pem
  3. E2014-10-21 12:44:15.113
    server_public_cert_pem
    Traceback (most recent call last):
      File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/auth/util.py", line 129, in GetCaParameters
        v = getattr(settings, settings_k)
      File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/settings.py", line 406, in __getattr__
        return self._Get(str(k).lower())
      File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/settings.py", line 855, in _Get
        raise AttributeError(k)
    AttributeError: server_public_cert_pem
  4. C2014-10-21 12:44:15.114
    (ca_id = None) server_public_cert_pem
  5. W2014-10-21 12:44:15.114
    handle_exception: Traceback (most recent call last):
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
        return method(*args, **kwargs)
      File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/mac/munki/handlers/auth.py", line 80, in post
        auth1 = self.GetAuth1Instance(ca_id=ca_id)
      File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/mac/munki/handlers/auth.py", line 51, in GetAuth1Instance
        raise base.NotAuthenticated
    NotAuthenticated

What can I do to resolve this? Can I manually create the entry in the Datastore?

Thanks,
-Kevin

Justin McWilliams

Oct 21, 2014, 3:36:26 PM
to simian-...@googlegroups.com
Kevin,

Are you able to visit the admin UI for your app?  You should be able to use the Configuration page to upload new certs:  http://<myinstance>.appspot.com/admin/config

If that doesn't work, let me know the error and I can submit a fix.  It's possible to add the certs to Datastore, but not via a GUI; you must write/execute code.

- Justin

--
You received this message because you are subscribed to the Google Groups "Simian Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simian-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin Kunkel

Oct 21, 2014, 3:42:53 PM
to simian-...@googlegroups.com
Hi Justin,

Yes. I'm getting the 500 Internal Server error trying to upload the server public cert via the /admin/config URL. 

-Kevin

Justin McWilliams

Oct 21, 2014, 3:44:48 PM
to simian-...@googlegroups.com
On Tue, Oct 21, 2014 at 3:42 PM, Kevin Kunkel <kku...@indeed.com> wrote:
> Hi Justin,
>
> Yes. I'm getting the 500 Internal Server error trying to upload the server public cert via the /admin/config URL.

Please let me know the traceback for that request.  The only one you included before was for /auth.  I don't think they'll be the same...

Kevin Kunkel

Oct 21, 2014, 3:52:53 PM
to simian-...@googlegroups.com
It took a bit to show up in the logs.... 

I have admins defined in ACL Groups, but it's been warning about that since the initial deployment

  1. 64.129.148.114 - kkunkel [21/Oct/2014:12:48:10 -0700] "POST /admin/config HTTP/1.1" 500 225 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" "simianindeed.appspot.com" ms=1243 cpu_ms=953 cpm_usd=0.000025 app_engine_release=1.9.13 instance=00c61b117ca7a72888eb60f6da75ecd0bfaadb
  2. W2014-10-21 15:48:09.749
    No admins defined! Configure admins in Admin Tools -> ACL Groups.
  3. E2014-10-21 15:48:10.962
    TagSet(Tag(tagClass=128, tagFormat=0, tagId=2)) not in asn1Spec: None
    Traceback (most recent call last):
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1535, in __call__
        rv = self.handle_exception(request, response, e)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1529, in __call__
        rv = self.router.dispatch(request, response)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1278, in default_dispatcher
        return route.handler_adapter(request, response)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1102, in __call__
        return handler.dispatch()
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 572, in dispatch
        return self.handle_exception(e, self.app.debug)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/mac/admin/__init__.py", line 128, in handle_exception
        super(AdminHandler, self).handle_exception(exception, debug_mode)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
        return method(*args, **kwargs)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/mac/admin/config.py", line 100, in post
        self._PemUpload()
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/mac/admin/config.py", line 204, in _PemUpload
        valid_pems = self._GetPems({pem: pem_file})
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/mac/admin/config.py", line 171, in _GetPems
        settings_module.CheckValuePemX509Cert(name, pem)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/settings.py", line 290, in CheckValuePemX509Cert
        unused = x509.LoadCertificateFromPEM(v)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 808, in LoadCertificateFromPEM
        return LoadCertificateFromBase64(pem_cert)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 787, in LoadCertificateFromBase64
        x.LoadFromByteString(d)
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 632, in LoadFromByteString
        cert.update(self._GetCertSequencesFromTopSequence(c))
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 591, in _GetCertSequencesFromTopSequence
        fields = self._GetFieldsFromSequence(seq[0])
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 470, in _GetFieldsFromSequence
        v3_output = self._GetV3ExtensionFieldsFromSequence(seq[7])
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/simian/auth/x509.py", line 367, in _GetV3ExtensionFieldsFromSequence
        encaps_seq = der_decoder.decode(octet_strings[0])[0]
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/pyasn1/codec/ber/decoder.py", line 730, in __call__
        stGetValueDecoder, decodeFun
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/pyasn1/codec/ber/decoder.py", line 313, in valueDecoder
        substrate, asn1Spec
      File "/base/data/home/apps/s~simianindeed/f613661be38c.379543534426938709/pyasn1/codec/ber/decoder.py", line 739, in __call__
        '%r not in asn1Spec: %r' % (tagSet, asn1Spec)
    PyAsn1Error: TagSet(Tag(tagClass=128, tagFormat=0, tagId=2)) not in asn1Spec: None

--
Kevin Kunkel
IT Guy
x10110

John Randolph

Oct 21, 2014, 4:14:54 PM
to simian-...@googlegroups.com
I think your pem certificate is arranged in a different order than what we are used to. According to specs at the time, I was led to believe the ordering for an SSL cert is standard, and we have only coded minimal flexibility to accept key/value pairs in places where they normally are not. For example, it is not at all likely that the subject will be at the end of the k/v pairs.

So, to see what's going on, can you please run

openssl x509 -in cert.pem -text > x509.txt
openssl asn1parse -in cert.pem > asn1p.txt

and cut out anything you consider sensitive (including your public key) and paste it or send it to Justin and me?
 
John Randolph -- Google New York -- Privacy Infrastructure

Kevin Kunkel

Oct 22, 2014, 10:59:05 AM
to simian-...@googlegroups.com
For those that stumble across this thread, the problem was that the certificate included DNS alt names. A certificate without them uploaded and worked just fine.

John Randolph

Oct 22, 2014, 11:00:17 AM
to simian-...@googlegroups.com
....and that altNames are encoded into the x509 cert really strangely, but that seems to be normal with most things asn1 (the structure that defines how an x509 cert is written).

Kevin Murimi

Mar 14, 2017, 7:56:00 AM
to Simian Discuss
Hi all, 
I've encountered the same error with my Go Daddy issued certs and would like to know how you resolved the issue on your end. Thanks

Maxim Ermilov

Mar 14, 2017, 12:32:27 PM
to simian-...@googlegroups.com
Hi,

> I've encountered the same error with my Go Daddy

Did you try changing settings in /admin/config ?

_____
Maxim


Kevin Murimi

Mar 15, 2017, 3:26:57 AM
to Simian Discuss
Changing which settings..?


bre...@plangrid.com

Mar 15, 2017, 6:44:20 PM
to Simian Discuss
Do you mean the required issuer setting?

CN=Puppet CA: puppetca.example.com

Can I add an additional issuer? Or do I need to regenerate the server public cert?


Maxim Ermilov

Mar 20, 2017, 1:41:21 PM
to simian-...@googlegroups.com
> We're transitioning to a new puppet server and CA. I've removed the certs and keys from the Datastor

It is possible to have multiple active CAs at the same time.

Transition process:
1. add new CA to server
2. release new client with different default CA
3. remove old CA

> server_public_cert_pem
> Traceback (most recent call last):
>   File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/auth/util.py", line 129, in GetCaParameters
>    v = getattr(settings, settings_k)
>  File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/settings.py", line 406, in __getattr__
>    return self._Get(str(k).lower())
>  File "/base/data/home/apps/s~simianindeed/267m.376644404715082329/simian/settings.py", line 855, in _Get
>    raise AttributeError(k)
> AttributeError: server_public_cert_pem

This exception is raised because server_public_cert_pem is unset.
Setting it in /admin/config should solve the problem.

_____
Maxim


bre...@plangrid.com

Mar 22, 2017, 6:36:43 PM
to Simian Discuss
Here is the error I'm seeing:

Traceback (most recent call last):
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1535, in __call__
    rv = self.handle_exception(request, response, e)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1529, in __call__
    rv = self.router.dispatch(request, response)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1278, in default_dispatcher
    return route.handler_adapter(request, response)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1102, in __call__
    return handler.dispatch()
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 572, in dispatch
    return self.handle_exception(e, self.app.debug)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/mac/admin/__init__.py", line 176, in handle_exception
    super(AdminHandler, self).handle_exception(exception, debug_mode)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
    return method(*args, **kwargs)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/mac/admin/config.py", line 94, in post
    self._PemUpload()
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/mac/admin/config.py", line 201, in _PemUpload
    valid_pems = self._GetPems({pem: pem_file})
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/mac/admin/config.py", line 168, in _GetPems
    settings_module.CheckValuePemX509Cert(name, pem)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/settings.py", line 265, in CheckValuePemX509Cert
    _ = x509.LoadCertificateFromPEM(v)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/auth/x509.py", line 855, in LoadCertificateFromPEM
    return LoadCertificateFromBase64(pem_cert)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/auth/x509.py", line 834, in LoadCertificateFromBase64
    x.LoadFromByteString(d)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/auth/x509.py", line 679, in LoadFromByteString
    cert.update(self._GetCertSequencesFromTopSequence(c))
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/simian/auth/x509.py", line 638, in _GetCertSequencesFromTopSequence
    fields = self._GetFieldsFromSequence(seq[0])
    v3_output = self._GetV3ExtensionFieldsFromSequence(seq[7])
    encaps_seq = der_decoder.decode(octet_strings[0])[0]
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/pyasn1/codec/ber/decoder.py", line 825, in __call__
    stGetValueDecoder, self, substrateFun
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/pyasn1/codec/ber/decoder.py", line 342, in valueDecoder
    component, head = decodeFun(head, asn1Spec)
  File "/base/data/home/apps/s~pgsimian/ce05164fcb4b.400003637266687595/pyasn1/codec/ber/decoder.py", line 831, in __call__
    '%s not in asn1Spec: %s' % (tagSet, asn1Spec)
PyAsn1Error: [128:0:2] not in asn1Spec: None

bre...@plangrid.com

Mar 22, 2017, 9:12:06 PM
to Simian Discuss
So I created a new cert from a CSR that doesn't have any Subject Alternative Names in it, however now I am getting this error via the web GUI:

PEM upload failed: X509 version 16396303755980455815 not supported

Any help is greatly appreciated.

bre...@plangrid.com

Mar 29, 2017, 12:35:48 PM
to Simian Discuss
The issue I was running into was that the cert I created was x509 v1. I created a v3 cert by following this advice:

http://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr
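
Added example (not part of the thread and not Simian's code): a standard-library-only check that reads a certificate's DER and reports the two properties this thread turned on. These are the X.509 version (v1 certificates omit the [0] version field) and any subjectAltName entries, whose context-specific tags such as [2] dNSName match the tagClass=128, tagFormat=0, tagId=2 in the PyAsn1Error above. All function names are hypothetical, and the sample certificates are constructed skeletons holding only the fields the check reads.

```python
# Minimal DER walker (single-byte tags, definite lengths) for certificate triage.
SAN_OID = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName
NAME_TYPES = {1: "rfc822Name", 2: "dNSName", 6: "URI", 7: "iPAddress"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def triage(cert_der):
    """Return (x509_version, san_entries) for a DER-encoded certificate."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])  # TBSCertificate
    version = 1                     # v1 certs omit the [0] EXPLICIT version field
    if fields[0][0] == 0xA0:
        version = int.from_bytes(read_tlv(fields[0][1])[1], "big") + 1
    names = []
    for tag, val in fields:
        if tag != 0xA3:             # [3] EXPLICIT extensions, v3 only
            continue
        for _, ext in children(read_tlv(val)[1]):
            parts = children(ext)   # extnID, optional critical flag, extnValue
            if parts[0][1] != SAN_OID:
                continue
            for t, v in children(read_tlv(parts[-1][1])[1]):
                # GeneralName tag byte: class bits, constructed bit, choice number
                names.append((t & 0xC0, t & 0x20, t & 0x1F,
                              NAME_TYPES.get(t & 0x1F, "other"), v))
    return version, names

def tlv(tag, body):                 # short-form encoder, constructed samples only
    return bytes([tag, len(body)]) + body
# Constructed skeleton certificates: only the fields this check looks at.
SERIAL = tlv(0x02, b"\x12\x34")
SAN = tlv(0x30, tlv(0x82, b"puppet.example.com"))
EXTS = tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, SAN))))
V1_CERT = tlv(0x30, tlv(0x30, SERIAL))
V3_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL + EXTS))
```

For a real file, ssl.PEM_cert_to_DER_cert() from the Python standard library converts the PEM text into the DER bytes that triage() expects.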