Client cert problem with Python 3.9.7 in Munki 5.6


Rob Renstrom

Oct 26, 2021, 5:33:40 PM
to munki-dev
There may be an issue in Munki 5.6 with Python 3.9.7 causing a crash at the client certificate authentication challenge. 

Appears something in new embedded Python is causing this, since reverting to Python 3.9.5 from prior Munki release works without crashing in Munki 5.6. 

    Authentication challenge for Host: ... Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate

    Client certificate required

    Accepted certificate-issuing authority: ...

    Found matching identity

    Will attempt to authenticate

    /usr/local/munki/munkilib/gurl.py:721: UninitializedDeallocWarning: leaking an uninitialized object of type NSURLCredential
    credential = NSURLCredential.alloc().initWithIdentity_certificates_persistence_(
    2021-10-26 12:25:56.285 Python[15690:7875508] *** Terminating app due to uncaught exception 'OC_PythonException', reason: '<class 'ValueError'>: depythonifying 'pointer', got 'SecIdentityRef''
    *** First throw call stack: 
    (
    0   CoreFoundation                      0x00007fff362ee035 __exceptionPreprocess + 256
    1   libobjc.A.dylib                     0x00007fff60b56a17 objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff36307b95 -[NSException raise] + 9
    3   _objc.cpython-39-darwin.so          0x0000000109895fee PyObjCErr_ToObjCWithGILState + 46
    4   _objc.cpython-39-darwin.so          0x000000010987deba method_stub + 4986
    5   libffi.dylib                        0x00007fff5fece9ea ffi_closure_unix64_inner + 485
    6   libffi.dylib                        0x00007fff5fece0ee ffi_closure_unix64 + 70
    7   Foundation                          0x00007fff384da954 -[NSBlockOperation main] + 68
    8   Foundation                          0x00007fff384b057d -[__NSOperationInternal _start:] + 685
    9   Foundation                          0x00007fff384da687 __NSOQSchedule_f + 227
    10  libdispatch.dylib                   0x00007fff622d85f8 _dispatch_call_block_and_release + 12
    11  libdispatch.dylib                   0x00007fff622d963d _dispatch_client_callout + 8
    12  libdispatch.dylib                   0x00007fff622dbde6 _dispatch_continuation_pop + 414
    13  libdispatch.dylib                   0x00007fff622db4a3 _dispatch_async_redirect_invoke + 703
    14  libdispatch.dylib                   0x00007fff622e73bc _dispatch_root_queue_drain + 324
    15  libdispatch.dylib                   0x00007fff622e7b46 _dispatch_worker_thread2 + 90
    16  libsystem_pthread.dylib             0x00007fff625196b3 _pthread_wqthread + 583
    17  libsystem_pthread.dylib             0x00007fff625193fd start_wqthread + 13
    )
    libc++abi.dylib: terminating with uncaught exception of type NSException
    Abort trap: 6

Gregory Neagle

Oct 26, 2021, 5:36:17 PM
to munki-dev
I have no way to reproduce this, so I look forward to more data and clues and possibly a resolution from those using client certs.

And a plea to please test when I release betas and release candidates so these issues are identified before release.

-Greg

--
Find related discussion groups here:
https://github.com/munki/munki/wiki/Discussion-Group
---
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-dev/25c9fb63-fa52-406a-b8ec-ae623109e4f5n%40googlegroups.com.

Gregory Neagle

Oct 26, 2021, 5:49:36 PM
to munki-dev
Note that PyObjC was also bumped; it’s equally or more likely this is a PyObjC regression than a Python regression.

-Greg

On Oct 26, 2021, at 2:33 PM, Rob Renstrom <rren...@gmail.com> wrote:

Gregory Neagle

Oct 26, 2021, 6:02:55 PM
to munki-dev
I think you should open an issue on GitHub and mention @np5 as I believe he is the last person to touch that section of code.

-Greg

On Oct 26, 2021, at 2:33 PM, Rob Renstrom <rren...@gmail.com> wrote:

Rob Renstrom

Oct 26, 2021, 6:18:00 PM
to munki-dev
Yep, just opened an issue.

Paul Hildahl

Oct 27, 2021, 1:53:01 PM
to munki-dev
I'm seeing this issue with our 10.14.6 clients using certs, but not 10.15.7 or higher clients. Downgrading the 10.14.6 client to munkitools_python-3.9.5.4363 resolves the issue.

Gregory Neagle

Oct 27, 2021, 3:18:27 PM
to munk...@googlegroups.com
Would be helpful to add this info to the GitHub issue. 


Rob Renstrom

Oct 28, 2021, 5:18:32 PM
to munki-dev
To close out this thread, Munki 5.6.1 fixes this issue.
