http/500 when requesting certificate #82

Closed
jacekjaros opened this issue Jan 11, 2022 · 6 comments

Comments

@jacekjaros

jacekjaros commented Jan 11, 2022

I see the following error when I try to request a certificate:

Jan 11 10:07:50 CA python3[14324]: can't compare offset-naive and offset-aware datetimes
Jan 11 10:07:50 CA python3[14324]: Traceback (most recent call last):
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/acme/views.py", line 255, in dispatch
Jan 11 10:07:50 CA python3[14324]:     response = super().dispatch(request, serial=serial, slug=slug)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django/views/generic/base.py", line 101, in dispatch
Jan 11 10:07:50 CA python3[14324]:     return handler(request, *args, **kwargs)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/acme/views.py", line 357, in post
Jan 11 10:07:50 CA python3[14324]:     return self.process_acme_request(slug=slug)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/acme/views.py", line 404, in process_acme_request
Jan 11 10:07:50 CA python3[14324]:     return self.acme_request(message, slug)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/acme/views.py", line 824, in acme_request
Jan 11 10:07:50 CA python3[14324]:     transaction.on_commit(lambda: run_task(acme_issue_certificate, acme_certificate_pk=cert.pk))
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django/db/transaction.py", line 128, in on_commit
Jan 11 10:07:50 CA python3[14324]:     get_connection(using).on_commit(func)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django/db/backends/base/base.py", line 656, in on_commit
Jan 11 10:07:50 CA python3[14324]:     func()
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/acme/views.py", line 824, in <lambda>
Jan 11 10:07:50 CA python3[14324]:     transaction.on_commit(lambda: run_task(acme_issue_certificate, acme_certificate_pk=cert.pk))
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/tasks.py", line 78, in run_task
Jan 11 10:07:50 CA python3[14324]:     return task(*args, **kwargs)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/python/current/lib/python3.9/contextlib.py", line 79, in inner
Jan 11 10:07:50 CA python3[14324]:     return func(*args, **kwds)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/tasks.py", line 290, in acme_issue_certificate
Jan 11 10:07:50 CA python3[14324]:     cert = Certificate.objects.create_cert(
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/managers.py", line 615, in create_cert
Jan 11 10:07:50 CA python3[14324]:     cert = profile.create_cert(ca, csr, **kwargs)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/profiles.py", line 338, in create_cert
Jan 11 10:07:50 CA python3[14324]:     builder = get_cert_builder(expires)
Jan 11 10:07:50 CA python3[14324]:   File "/opt/CA/lib/python3.9/site-packages/django_ca/utils.py", line 1129, in get_cert_builder
Jan 11 10:07:50 CA python3[14324]:     if expires <= now:
Jan 11 10:07:50 CA python3[14324]: TypeError: can't compare offset-naive and offset-aware datetimes
Jan 11 10:07:50 CA python3[14324]: Internal Server Error: /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/LtuKCRJm96Qg/finalize/
Jan 11 10:07:50 CA python3[14324]: [11/Jan/2022 10:07:50] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/LtuKCRJm96Qg/finalize/ HTTP/1.1" 500 103

cert request:

root@cache:~# certbot certonly --standalone --server http://ca.dmz:8000/django_ca/acme/directory/ -d 'cache.dmz'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cache.dmz
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
The server experienced an internal error :: Internal server error
Please see the logfiles in /var/log/letsencrypt for more details.
root@cache:~# less /var/log/letsencrypt/letsencrypt.log
---
2022-01-11 10:07:50,835:DEBUG:urllib3.connectionpool:http://ca.dmz:8000 "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/LtuKCRJm96Qg/finalize/ HTTP/1.1" 500 103
2022-01-11 10:07:50,835:DEBUG:acme.client:Received response:
HTTP 500
Date: Tue, 11 Jan 2022 10:07:50 GMT
Server: WSGIServer/0.2 CPython/3.9.8
Content-Type: application/problem+json
replay-nonce: SLaKc6MVZ1KQHblQtfWm-SwdzEYaXwJ_7pa1eTD2vGs
X-Frame-Options: DENY
Content-Length: 103
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"type": "urn:ietf:params:acme:error:serverInternal", "status": 500, "detail": "Internal server error"}
2022-01-11 10:07:50,835:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 364, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 296, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 900, in finalize_order
    return self.client.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 748, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1171, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1184, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1042, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Internal server error
2022-01-11 10:07:50,836:ERROR:certbot.log:An unexpected error occurred:
2022-01-11 10:07:50,836:ERROR:certbot.log:The server experienced an internal error :: Internal server error

my setup:

root@cache:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal
root@cache:~# dpkg -l python3 python3-acme
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=========================================================================
ii  python3        3.8.2-0ubuntu2 amd64        interactive high-level object-oriented language (default python3 version)
ii  python3-acme   1.1.0-1        all          ACME protocol library for Python 3

root@CA:~# /opt/CA/bin/python3 --version
Python 3.9.8
root@CA:~# /opt/CA/bin/python3 -m pip list
Package               Version
--------------------- ---------
acme                  1.22.0
asgiref               3.4.1
asn1crypto            1.4.0
certifi               2021.10.8
cffi                  1.15.0
charset-normalizer    2.0.10
configparser          5.2.0
cryptography          36.0.1
Django                4.0.1
django-ca             1.19.1
django-object-actions 3.1.0
dnspython             2.1.0
idna                  3.3
josepy                1.11.0
packaging             21.3
pip                   21.3.1
psycopg2-binary       2.9.3
pycparser             2.21
pyOpenSSL             21.0.0
pyparsing             3.0.6
pyRFC3339             1.1
pytz                  2021.3
requests              2.27.1
requests-toolbelt     0.9.1
setuptools            60.5.0
six                   1.16.0
sqlparse              0.4.2
urllib3               1.26.8
@mathiasertl
Owner

Thanks for your bug report! I can reproduce the issue and I'm working on a fix.

In the meantime, this patch also fixes the issue:

--- a/ca/django_ca/utils.py
+++ b/ca/django_ca/utils.py
@@ -50,6 +50,7 @@ from cryptography.x509.oid import NameOID
 
 from django.core.files.storage import get_storage_class
 from django.core.validators import URLValidator
+from django.utils import timezone as tz
 from django.utils.translation import gettext_lazy as _
 
 from . import ca_settings
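Review bot: the alias `tz` for `django.utils.timezone` is a style choice that differs from the surrounding imports, which bind module names unaliased (`get_storage_class`, `URLValidator`, `gettext_lazy as _`); before merging, confirm that `tz` is not already used as a local name for a `tzinfo` value elsewhere in utils.py, since a later rebinding would shadow the module and make the `tz.is_aware` / `tz.make_naive` calls added below fail at run time.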
@@ -1162,6 +1177,8 @@ def get_cert_builder(expires: datetime, serial: Optional[int] = None) -> x509.Ce
     if serial is None:
         serial = x509.random_serial_number()
 
+    if tz.is_aware(expires):
+        expires = tz.make_naive(expires)
     if expires <= now:
         raise ValueError("expires must be in the future")
 
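Review bot: `tz.make_naive(expires)` without a second argument converts to the current default time zone (`settings.TIME_ZONE`) before dropping `tzinfo`, so the `if expires <= now:` comparison that follows is only correct if `now` is a naive value in that same zone; if `now` is naive UTC and `TIME_ZONE` is anything else, the wall-clock value shifts by the zone offset and a valid expiry can be rejected or an already-past one accepted. Pass the zone explicitly, e.g. `expires = tz.make_naive(expires, timezone.utc)` (with `from datetime import timezone`), or make `now` aware instead so that no information is discarded.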

@jacekjaros
Author

hi @mathiasertl

After applying the patch my setup is working fine, thanks for the quick response.

@mathiasertl
Owner

hi @jacekjaros,

Fixed in c8ed135 (and forgot to mention that in the commit message). This will be in 1.20, for which I'm actually just finishing documentation updates.

kr, Mat

@noelmartinon

Hello, this needs to be completed:
With django-ca 1.23.0, there is an issue if 'USE_TZ = True' when signing a cert. For example:

python manage.py sign_cert --ca=Intermediate --csr=example.csr --out=example.pem --client --alt=hello.example.org

File "/srv/venv/lib/python3.10/site-packages/django_ca/management/base.py", line 269, in test_options
    if ca.expires < expires:
TypeError: can't compare offset-naive and offset-aware datetimes

Resolved with:

--- a/ca/django_ca/management/base.py	2023-04-02 10:07:46.267345675 -0400
+++ b/ca/django_ca/management/base.py	2023-04-02 10:06:31.622540000 -0400
@@ -31,7 +31,7 @@
 from django_ca.management import actions, mixins
 from django_ca.models import CertificateAuthority
 from django_ca.profiles import Profile
-from django_ca.utils import NAME_OID_MAPPINGS
+from django_ca.utils import NAME_OID_MAPPINGS, make_naive
 
 
 class BinaryOutputWrapper(OutputWrapper):
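Review bot: `make_naive` is imported from `django_ca.utils`, but nothing in this diff adds such a helper there, and the earlier patch in this thread used `django.utils.timezone.make_naive` (aliased as `tz`); either include the helper in the patch or import it from `django.utils.timezone` so the change applies cleanly on a tree that does not have a local `make_naive`.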
@@ -265,6 +265,7 @@
         """Additional tests for validity of some options."""
 
         expires = profile.get_expires(expires)
+        ca.expires = make_naive(ca.expires)

 
         if ca.expires < expires:
             max_days = (ca.expires - timezone.now()).days
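Review bot: `ca.expires = make_naive(ca.expires)` overwrites a field on the model instance from inside a validation helper, so any later `ca.save()` in the same command would write a naive datetime back while `USE_TZ = True` (Django warns about naive datetimes in aware mode); use a local instead, e.g. `ca_expires = make_naive(ca.expires)` and `if ca_expires < expires:`. As written, the line that follows, `max_days = (ca.expires - timezone.now()).days`, subtracts an aware `timezone.now()` from the now-naive `ca.expires`, which raises the same kind of TypeError the patch is meant to fix. The added empty line after the `+` line also lacks the leading space that context lines require, so `git apply` may reject the hunk.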

@mathiasertl mathiasertl reopened this Apr 6, 2023
@mathiasertl
Owner

@noelmartinon Thanks for the report, and I've re-opened the issue!

Please note that in general maintainers won't notice comments on closed issues, I spotted this by chance. It's usually better to open a new issue.

@mathiasertl
Owner

@noelmartinon I believe the issue is fixed in the current main branch. If you cloned the source from git, you're welcome to try it out, otherwise the next release (mid May) will include the fix!

If you have further feedback, please feel free to comment!
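As an added example (my own code, not django-ca's), here is the failure mode behind both tracebacks in this thread: Python refuses to order a naive datetime against an aware one, which is exactly what `expires <= now` in get_cert_builder() and `ca.expires < expires` in test_options() hit once one side carries a tzinfo. The block reproduces the error, shows a normalisation that converts both sides to aware UTC instead of discarding tzinfo, and shows why the zone handed to make_naive matters when the naive side is UTC. The sample timestamps are constructed (the `now` value mirrors the time in the log), and the assumption that naive values are UTC is marked in the code.

```python
from datetime import datetime, timedelta, timezone
from typing import Union

# Constructed sample values (not taken from the reporter's database): `now` as the
# naive UTC timestamp seen in the log, and an order expiry 22 minutes later that
# arrived as an aware datetime. That mix is what raised the TypeError.
NOW_NAIVE_UTC = datetime(2022, 1, 11, 10, 7, 50)
EXPIRES_AWARE = datetime(2022, 1, 11, 10, 30, 0, tzinfo=timezone.utc)

UTC = timezone.utc
# A non-UTC "default time zone" for the demo; a fixed offset avoids needing tzdata.
FIXED_MINUS_5 = timezone(timedelta(hours=-5))


def is_aware(dt: datetime) -> bool:
    """Same test as django.utils.timezone.is_aware(): tzinfo set and a usable utcoffset."""
    return dt.tzinfo is not None and dt.utcoffset() is not None


def compare_raw(expires: datetime, now: datetime) -> Union[bool, str]:
    """The unguarded comparison from the traceback; returns the TypeError text on mixed input."""
    try:
        return expires <= now
    except TypeError as exc:
        return str(exc)


def to_aware_utc(dt: datetime, assume: timezone = UTC) -> datetime:
    """Normalise a datetime to an aware UTC value without changing the instant.

    Naive input is taken to be expressed in `assume`. UTC is the default here, which
    is an assumption about how the naive side was produced; pass the real zone when a
    naive value came from a local-time source.
    """
    if not is_aware(dt):
        dt = dt.replace(tzinfo=assume)
    return dt.astimezone(UTC)


def expires_in_future(expires: datetime, now: datetime) -> bool:
    """The get_cert_builder() check, safe for any mix of naive and aware inputs."""
    return to_aware_utc(expires) > to_aware_utc(now)


def make_naive_in(dt: datetime, zone: timezone) -> datetime:
    """What django.utils.timezone.make_naive(dt, zone) does: convert to `zone`, drop tzinfo."""
    return dt.astimezone(zone).replace(tzinfo=None)


def future_after_make_naive(expires: datetime, now_naive_utc: datetime, zone: timezone) -> bool:
    """Outcome of the make_naive approach when the naive `now` is UTC but make_naive
    targets `zone`: the result is only right when `zone` is UTC."""
    return make_naive_in(expires, zone) > now_naive_utc


if __name__ == "__main__":
    print("raw comparison:", compare_raw(EXPIRES_AWARE, NOW_NAIVE_UTC))
    print("normalised to UTC, expiry in future:", expires_in_future(EXPIRES_AWARE, NOW_NAIVE_UTC))
    print("make_naive(expires, UTC), in future:",
          future_after_make_naive(EXPIRES_AWARE, NOW_NAIVE_UTC, UTC))
    print("make_naive(expires, UTC-5), in future:",
          future_after_make_naive(EXPIRES_AWARE, NOW_NAIVE_UTC, FIXED_MINUS_5))
```

Converting both operands to aware UTC keeps the instant intact, whereas stripping tzinfo in a zone other than the one the naive side uses silently shifts the expiry by the zone offset: with a UTC-5 default zone the same 10:30 UTC expiry compares as 05:30 and is judged to be in the past.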
