Discussion:
certmaster segfault and incorrect responses
Lance Laursen
2011-06-02 03:18:58 UTC
Hi list,

First issue:
On a vanilla, base install CentOS5.5 and on a fully updated CentOS5.6, after
doing 'yum install certmaster' ( certmaster-0.28-1.el5 , EPEL ), starting
certmaster results in the following line:

"Starting certmaster daemon: /bin/bash: line 1: 2477 Segmentation fault certmaster --daemon"

Starting certmaster again results in it starting and binding to its default
port. I have strace output of certmaster --daemon when this occurs, but to
repro just rm -rf /etc/pki/certmaster and restart the daemon.


Second issue, likely related to first issue:
Running the following, without changing any configs and with having
'certmaster' resolvable and running (and nc'ing crap to it from minion
results in an http 400 being returned) results in this:

[***@minion]# certmaster-request
Traceback (most recent call last):
  File "/usr/bin/certmaster-request", line 23, in ?
    requester.request_cert()
  File "/usr/lib/python2.4/site-packages/certmaster/requester.py", line 22, in request_cert
    utils.create_minion_keys(hostname)
  File "/usr/lib/python2.4/site-packages/certmaster/utils.py", line 174, in create_minion_keys
    result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
  File "/usr/lib/python2.4/site-packages/certmaster/utils.py", line 246, in submit_csr_to_master
    return s.wait_for_cert(csr)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1147, in request
    return self._parse_response(h.getfile(), sock)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1286, in _parse_response
    return u.close()
  File "/usr/lib64/python2.4/xmlrpclib.py", line 744, in close
    raise Fault(**self._stack[0])
xmlrpclib.Fault: <Fault 1: "exceptions.AttributeError:'CertMaster' object has no attribute 'handlers'">

From strace and tcpdump output, the certmaster server is responding to the
minion, just not with the correct output I assume. Nothing special in
/var/log/certmaster, even after adding log_level = DEBUG to certmaster.conf.

This is running certmaster-0.28-1.el5. Both issues happen on a base install
CentOS5.5, as well as a fully updated base install CentOS5.6. Wanted to
throw this issue at the list before debugging further to see if this is a
known issue with the new package.

Regards,
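
Added example, not part of the original thread and not certmaster code: a "Fault 1" whose text is "ExceptionType:message" is what Python's standard SimpleXMLRPCServer sends back when a handler raises, so the traceback seen on the minion reports an exception that happened inside the server process. The sketch below reproduces that with Python 3's xmlrpc modules; the BrokenMaster class, the loopback port and the CSR string are constructed for illustration, and that the daemon is built on the standard XML-RPC server is an assumption.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer


class BrokenMaster:
    """Hypothetical stand-in for a server object whose setup never
    assigned self.handlers (for example, initialisation ended early)."""

    def _dispatch(self, method, params):
        # Raises AttributeError on the server side: 'handlers' is missing.
        return self.handlers[method](*params)


def call_broken_server():
    """Serve exactly one request from BrokenMaster and return the
    (faultCode, faultString) pair that the client receives."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.timeout = 5  # do not block forever if no request arrives
    server.register_instance(BrokenMaster())
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()

    port = server.server_address[1]
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d/" % port)
    try:
        proxy.wait_for_cert("constructed-csr-placeholder")
        return None  # unexpected: the call should fault
    except xmlrpc.client.Fault as fault:
        # The HTTP exchange itself succeeded; the payload is the
        # server's own exception, marshalled as an XML-RPC fault.
        return fault.faultCode, fault.faultString
    finally:
        worker.join()
        server.server_close()


if __name__ == "__main__":
    print(call_broken_server())
```

The client-side stack frames say nothing about where the server failed; for that, the server's own stderr or log is the place to look.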
seth vidal
2011-06-02 04:17:10 UTC
Odd, I've not seen this on my centos5.X and rhel5.x boxes (5.5 and 5.6).

Can you do an rpm -Va on your python pkgs and func/certmaster pkgs? Just
to be sure.

thanks
-sv
Lance Laursen
2011-06-02 19:04:38 UTC
Sure. fwiw, I'm seeing this on physical systems as well as a brand new VM I
spun up with the CentOS5.5 DVD, with no packages selected aside from base.

rpm -Va shows results for openldap/pam stuff and not much else. Doesn't seem
to return anything when I use packagename-with-full-versioning.1.2.3 so
excuse the messy perl that strips off versioning.


[***@centvirt5 ~]# rpm -Va {func,certmaster,python}
[***@centvirt5 ~]# rpm -qa|grep pyth|perl -pe 's/(\w+\-\w+)\-.+/$1/'|xargs rpm -Va
[***@centvirt5 ~]#

Regards,
--
Lance Laursen
Demonware Systems Engineer
seth vidal
2011-06-02 20:36:28 UTC
Post by Lance Laursen
Sure. fwiw, I'm seeing this on physical systems as well as a brand new
VM I spun up with the CentOS5.5 DVD, with no packages selected aside
from base.
rpm -Va shows results for openldap/pam stuff and not much else.
Doesn't seem to return anything when I use
packagename-with-full-versioning.1.2.3 so excuse the messy perl that
strips off versioning.
xargs rpm -Va
hmm - okay.

well just for your future use:

rpm -qa --qf "%{name}.%{arch}\n"


will give info in the format you'd want, I think.

--qf can be your friend - also look at repoquery in yum-utils

-sv