Error getting the certificate chain - "error": "unexpected value of CertificateChain field: [map [__ base64__ #3

Open
socza opened this issue May 20, 2022 · 8 comments

@socza

socza commented May 20, 2022

I have already described this problem on
guilhem/freeipa-issuer#19
and it looks like this project has a problem with that too.

@riton
Member

riton commented May 23, 2022

Hi @socza.
Can you provide more information / context? What action are you trying to do? With what kind of FreeIPA information / state? What exact operation fails?

@socza
Author

socza commented May 23, 2022

Hi @riton.
I am getting this error while generating a new certificate for the host.
The certificate was created successfully, but it does not contain an intermediate certificate in the chain.
I see this error in the logs:
{"level":"error","ts":1653289519.8080704,"logger":"controller.certificaterequest.sign","msg":"fail to get certificate FALLBACK","reconciler group":"cert-manager.io","reconciler kind":"CertificateRequest","name":"nginx-test-tls-fd2np","namespace":"socza","request":{"kind":"CertificateRequest","apiVersion":"cert-manager.io/v1","metadata":{"name":"nginx-test-tls-fd2np","generateName":"nginx-test-tls-","namespace":"socza","uid":"ae631121-4b1f-4c53-aae2-6828409f54f5","resourceVersion":"235283340","generation":1,"creationTimestamp":"2022-05-23T07:05:05Z","annotations":{"cert-manager.io/certificate-name":"nginx-test-tls","cert-manager.io/certificate-revision":"1","cert-manager.io/private-key-secret-name":"nginx-test-tls-fd5tx"},"ownerReferences":[{"apiVersion":"cert-manager.io/v1","kind":"Certificate","name":"nginx-test-tls","uid":"0f121fbf-d3c2-4b7f-8b6a-63598d643ca4","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"cert-manager-certificaterequests-approver","operation":"Update","apiVersion":"cert-manager.io/v1","time":"2022-05-23T07:05:05Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{".":{},"k:{\"type\":\"Approved\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}}}},"subresource":"status"},{"manager":"cert-manager-certificates-request-manager","operation":"Update","apiVersion":"cert-manager.io/v1","time":"2022-05-23T07:05:05Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:cert-manager.io/certificate-name":{},"f:cert-manager.io/certificate-revision":{},"f:cert-manager.io/private-key-secret-name":{}},"f:generateName":{},"f:ownerReferences":{".":{},"k:{\"uid\":\"0f121fbf-d3c2-4b7f-8b6a-63598d643ca4\"}":{}}},"f:spec":{".":{},"f:duration":{},"f:issuerRef":{".":{},"f:group":{},"f:kind":{},"f:name":{}},"f:request":{},"f:usages":{}}}}]},"spec":{"duration":"24h0m0s","issuerRef":{"name":"freeipa-issuer","kind":"ClusterIssuer","group":"certmanager.freeipa.
org"},"request":"LS0tLS1Y3a............","usages":["server auth","client auth"],"username":"system:serviceaccount:cert-manager:cert-manager","uid":"215091e3-454c-4fd5-a996-bf765cd3a016","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-68b7c56885-dlmrv"],"authentication.kubernetes.io/pod-uid":["038c4acd-2c9b-4511-b68e-5ab38faa659d"]}},"status":{"conditions":[{"type":"Approved","status":"True","lastTransitionTime":"2022-05-23T07:05:05Z","reason":"cert-manager.io","message":"Certificate request has been approved by cert-manager.io"}]}},"requestResult":"CertRequestResult{\"result\":{\"cacn\":\"ipa\",\"certificate\":\"1UdHwRzMHE...........=\",\"issuer\":\"CN=WP Holding SA Private Development Intermediate IPA CA,O=WP Holding SA,C=PL\",\"request_id\":19990030,\"san_dnsname\":[{\"__dns_name__\":\"nginx-test.k8s.dc-2.dev.dcwp.pl\"}],\"serial_number\":536805400,\"serial_number_hex\":\"0x1FFF0018\",\"subject\":\"CN=nginx-test.k8s.dc-2.dev.dcwp.pl,O=WP Holding SA,C=PL\",\"valid_not_after\":\"Sun Jul 23 09:14:27 2023 UTC\",\"valid_not_before\":\"Mon May 23 07:05:17 2022 UTC\"},\"value\":19990030}",### "error":"unexpected value for field CertificateChain: [map[__base64__:MIIFkjCCA3qgAwIBAgIEH/8AGDA..............=] map[__base64__:MIIFtjCCA56gAwIBAgIUQr7jnCUR..............=] map[__base64__:MIIGIDCCBAigAwIBAgIUN...........]] ([]interface {})","stacktrace":"github.com/guilhem/freeipa-issuer/controllers.(*CertificateRequestReconciler).Reconcile\n\t/workspace/controllers/certificaterequest.go:164\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email 
protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}

@yrro

yrro commented May 27, 2022

I'm also seeing this. If I can help test any changes please let me know.

@riton
Member

riton commented May 27, 2022

This would really help and save me some time if either @yrro or @socza could provide the FreeIPA commands ipa .... I should issue on a fresh FreeIPA server install to create the C.A and certificate and reproduce the problem. Thanks in advance

riton self-assigned this May 27, 2022
riton added the bug label May 27, 2022
@yrro

yrro commented May 27, 2022

Here are the equivalent ipa commands against a test domain. I don't have freeipa-issuer pointing at this domain though. It will take some time but I can set up a test domain at work if it's needed.

[admin@ipa-test0 ~]$ openssl req -noenc -newkey rsa:3072 -keyout /var/tmp/issuerdemo-0.key -out /var/tmp/issuerdemo-0.csr -subj /CN=issuerdemo.example.qq

[admin@ipa-test0 ~]$ ipa -vv cert-request /var/tmp/issuerdemo-0.csr --principal=HTTP/issuerdemo.example.qq --chain --certificate-out=/var/tmp/issuerdemo-0.crt --profile-id=caIPAserviceCert
ipa: INFO: Request: {
    "id": 0,
    "method": "cert_request/1",
    "params": [
        [
            "-----BEGIN CERTIFICATE REQUEST-----\nMIIDZTCCAc0CAQAwIDEeMBwGA1UEAwwVaXNzdWVyZGVtby5leGFtcGxlLnFxMIIB\nojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA4t59e1DmPcVxuy7KX+Jz3af8\n5GptYa5ZAszDLglUFwAB7dohR48KmIszz1yFjxojNFOg3prhw6KvO22GPKRSgh4U\nQW94tW85BBIeg1H8n/ZEMWr6gjRqDe2asNr3i9ICETw70F472ighKvc9Aqpr0J8d\nDX26sLXgUytEC59FofMTdEfcS9YfqzBVYWnWEHV/hWFvxDMRlq+rBrHzIWwzTFTN\nDL+wAJ3CWBL+P0ZqDH6gf+u3UksOLe83PSSHa9v63owsk8Nx/TOzqM3sqysOdrk8\nTsL5VCjWT9J8kw2eokNirQwBpeTsHE2pIQOLTwk1JTzfZ1FpFuwD71uoKRS++eOX\n79HN08z4M4V18ABWIq7CPcxf4OWWiKa2ofX5Osbdi1slr6tlzI0TPDiuZ0ilN/iK\nAwHrTB0Ec9mITcIfvpew48rSqfWqs1tIfezJK96BHA0FSI9JzpreV2CiVMygktkZ\nMUAz0s1DFAyVxOcXXjw48FgpCmaihTuCR7dNGQdBAgMBAAGgADANBgkqhkiG9w0B\nAQsFAAOCAYEAsiRCMFqKDbbLIu3ylxUYIC+z+3jSYmOrGAC0jc5a3r3LXejhYswM\nyH/biUgfWx6SdGmzkgaG8m8nml3p6NPayyhgx1aw6fMr/gR9S1WKAfrKHVZ0a/Y+\nTS6h1WmAUW1NKe3371mO5f6ukh8KUC83UESiAz6TwFJHhgyo0T7I2smbUsYlBB2+\nPfPW4tPGPUsmb3headABI+wBOxmZTYF0++uUcRxamJbuiwG/gSArUgBV0WGDn0xk\nk97FHIJi5UEPlpjeaDgNY1/IYxIOmJcV0w+3ZNe9ZZNYoibANsTmrWp+QApsKUDo\nFW94tnc7Wlwnl3eeYOwgyThFgqeb42i+TFVBsLnhePYI1lr5/NpwXKgBCfyblm+L\nZpGesSWbV4eNxXnZ5IdEKVvtpIQvlV9T7D52I87Jl/cwbak/5HEeMsBdydnwMZ4f\nDQaGzirG98cCQg9fCo6PGmzGbWTGRPcL/NnJbNC2n15h1g64z7NfE1JZuaTAte3P\nYT5LFV7zCY7i\n-----END CERTIFICATE REQUEST-----\n"
        ],
        {
            "chain": true,
            "principal": "HTTP/issuerdemo.example.qq",
            "profile_id": "caIPAserviceCert",
            "version": "2.245"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "[email protected]",
    "result": {
        "result": {
            "cacn": "ipa",
            "certificate": "[base64 removed]",
            "certificate_chain": [
                {
                    "__base64__": "[base64 removed]"
                },
                {
                    "__base64__": "[base64 removed]"
                }
            ],
            "issuer": "CN=example.qq Certificate Authority,DC=example,DC=qq",
            "request_id": 179,
            "san_dnsname": [
                {
                    "__dns_name__": "issuerdemo.example.qq"
                }
            ],
            "serial_number": 84,
            "serial_number_hex": "0x54",
            "subject": "CN=issuerdemo.example.qq,DC=ipatest,DC=qq",
            "valid_not_after": "Mon May 27 08:33:00 2024 UTC",
            "valid_not_before": "Fri May 27 08:33:00 2022 UTC"
        },
        "summary": null,
        "value": 179
    },
    "version": "4.9.8"
}
  Issuing CA: ipa
  Certificate: MIIFbDCCA9SgAwIBAgIBVDANBgkqhkiG9w0BAQsFADBYMRIwEAYKCZImiZPyLGQBGRYCcXExFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMSkwJwYDVQQDDCBleGFtcGxlLnFxIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMjA1MjcwODMzMDBaFw0yNDA1MjcwODMzMDBaME0xEjAQBgoJkiaJk/IsZAEZFgJxcTEXMBUGCgmSJomT8ixkARkWB2lwYXRlc3QxHjAcBgNVBAMMFWlzc3VlcmRlbW8uZXhhbXBsZS5xcTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOLefXtQ5j3Fcbsuyl/ic92n/ORqbWGuWQLMwy4JVBcAAe3aIUePCpiLM89chY8aIzRToN6a4cOirztthjykUoIeFEFveLVvOQQSHoNR/J/2RDFq+oI0ag3tmrDa94vSAhE8O9BeO9ooISr3PQKqa9CfHQ19urC14FMrRAufRaHzE3RH3EvWH6swVWFp1hB1f4Vhb8QzEZavqwax8yFsM0xUzQy/sACdwlgS/j9Gagx+oH/rt1JLDi3vNz0kh2vb+t6MLJPDcf0zs6jN7KsrDna5PE7C+VQo1k/SfJMNnqJDYq0MAaXk7BxNqSEDi08JNSU832dRaRbsA+9bqCkUvvnjl+/RzdPM+DOFdfAAViKuwj3MX+DlloimtqH1+TrG3YtbJa+rZcyNEzw4rmdIpTf4igMB60wdBHPZiE3CH76XsOPK0qn1qrNbSH3sySvegRwNBUiPSc6a3ldgolTMoJLZGTFAM9LNQxQMlcTnF148OPBYKQpmooU7gke3TRkHQQIDAQABo4IBSjCCAUYwHwYDVR0jBBgwFoAUQbR5IurGSM37utZdxpd5PTEOVkMwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vaXBhLWNhLmlwYXRlc3QucXEvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRuMGwwaqAyoDCGLmh0dHA6Ly9pcGEtY2EuaXBhdGVzdC5xcS9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFCUcrfBNP1vE+TYEyv+yYTOwvptIMCAGA1UdEQQZMBeCFWlzc3VlcmRlbW8uZXhhbXBsZS5xcTANBgkqhkiG9w0BAQsFAAOCAYEADXLR61OfjXWaCbQY13E6ENPVqcUuUUP9ug7sEsNe3JYeXqVjxKoLROb49SRjGiNx+2EC5fPnIh06et4mwFwiGMmeNphow9hgYBp9dPcYLWVQDf20JPicOWObuhtFptXfufLoj7QqmB7xmMwRDTxABcCxT2yQ2CXTzF8smD63fOo6c14oeXBZmtbXRYSBBoSqjUe/SN0OQGMsgYdTxdtIw/ZhfmiEIZwkCXJxjuNNC2WRKr7W+4adt/VEcjXAlnHwpNionb5+DLnipRGL6Bpt7mLn2bxd3bsRLnLE57BaJa6b063uKrjl5cjWmPO/Xelgwe7CsgaXaME0lMXVwwBdwKYPYnOXf6pHEa1z9ZRGQBKlFEOe9S2bMJ1s1l6fPp+FDpB9+3V014NhZ+z3vtgCVMpxrvaiynYiiWBL3+sbkEyj6ghRjZJjuELoW47c1PqWHAbdaMgCyXlVVNM6rNjfyyrH/8IWiJ5uCwbqJXkr7650JWVU5KuktHG/Iv/GsBMV
  Certificate chain: [base64 removed],
                     [base64 removed]
  Subject: CN=issuerdemo.example.qq,DC=ipatest,DC=qq
  Subject DNS name: issuerdemo.example.qq
  Issuer: CN=example.qq Certificate Authority,DC=example,DC=qq
  Not Before: Fri May 27 08:33:00 2022 UTC
  Not After: Mon May 27 08:33:00 2024 UTC
  Serial number: 84
  Serial number (hex): 0x54

I would guess that go-freeipa does not expect result's .result.certificate_chain to be in this format: a list of objects, each of which has a key of __base64__ and the base64-encoded DER representation of the certificate data as the corresponding value.
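
The response shape described in the comment above can be decoded as follows. This is an added example, not part of the original thread and not code from go-freeipa or freeipa-issuer; `derBytes`, `ChainFromResponse` and the sample response are hypothetical and constructed for illustration. It fails with an error when the chain is missing or malformed instead of returning a certificate without its intermediates.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// derBytes decodes one certificate_chain entry: {"__base64__": "<base64 DER>"}.
// A bare base64 string is accepted as well (assumption, for tolerance).
type derBytes []byte

func (d *derBytes) UnmarshalJSON(raw []byte) error {
	var wrapped struct{ B64 *string `json:"__base64__"` }
	var s string
	if err := json.Unmarshal(raw, &wrapped); err == nil && wrapped.B64 != nil {
		s = *wrapped.B64
	} else if err := json.Unmarshal(raw, &s); err != nil {
		return fmt.Errorf("unexpected certificate_chain entry: %s", raw)
	}
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil || len(b) == 0 {
		return fmt.Errorf("certificate_chain entry is empty or not base64")
	}
	*d = b
	return nil
}

// ChainFromResponse (hypothetical helper) returns result.result.certificate_chain as DER blobs.
func ChainFromResponse(body []byte) ([]derBytes, error) {
	var resp struct {
		Result struct {
			Result struct {
				Chain []derBytes `json:"certificate_chain"`
			} `json:"result"`
		} `json:"result"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if len(resp.Result.Result.Chain) == 0 {
		return nil, fmt.Errorf("response carries no certificate_chain")
	}
	return resp.Result.Result.Chain, nil
}

// Constructed sample: the two values are 5-byte placeholder DER, not real certificates.
const sampleResponse = `{"result":{"result":{"certificate_chain":[{"__base64__":"MAMCAQE="},{"__base64__":"MAMCAQI="}]}}}`
func main() { fmt.Println(ChainFromResponse([]byte(sampleResponse))) }
```

Each returned entry can then be passed to `x509.ParseCertificate` and PEM-encoded to build the full chain.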

@riton
Member

riton commented May 27, 2022

Thanks for this. I'll try to reproduce on our test instance and issue a fix asap

@socza
Author

socza commented Aug 11, 2022

> Thanks for this. I'll try to reproduce on our test instance and issue a fix asap

Hi @riton, have you done something about this topic?

@riton
Member

riton commented Aug 11, 2022

Not yet. Didn't find the time to dig into this.

Feel free to open a Pull Request if you have a working patch.
