hpilo_ca Certificate Signing Request output is mangled, preventing signing

[rryder]

Hi,

I'm trying to use hpilo_ca to sign ilo2 fw2.07 certs. My CA is setup and working fine from the command line. When using hpilo_ca I get this error:

(3/5) Signing certificate
Using configuration from /path/to/openssl.cnf
Error reading certificate request in /path/to/CA/certs/usorla7lp201x.csr
140222387644232:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:797:

When I examine the csr file retrieved, the formatting is off at the end, making it invalid.

-----BEGIN CERTIFICATE REQUEST-----
MIIB+zCCAWQCAQAwgZQxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEQMA4G
[ snip ]
2fpqDfsUAg+HtTRloC+/nco+jFtBG0PYvDirxR9PSLvcIy71SGIThu+32QH1A2Rn
RKnwhzFJ2ms4hnRrjzAHJAyr1fEPMpmq0j9VBXeNmA="="-----END CERTIFICATE REQUEST-----

Signing it manually with openssl fails with the same error as above. Fixing the formatting manually, I'm able to sign it with openssl.

Using HP's sample ILO scripts the CSR is returned from the ILO formatted properly, so I don't think the problem is coming from the ILO. I'm using python-2.6.6-29.el6.x86_64

Thanks for any help.

[seveas]

Hi rryder,

Could you run hpilo_ca with the --debug option, redirecting all traffic to a file and then mail me that file (shouldn't contain sensitive information, but please do check before sending). I'd like to see with a hexeditor what the iLO is sending back.

[rryder]

E-mail sent with attachement, ran it with -d -d to get the debugging output requested.

[seveas]

I've found the bug, it's an unintended sideeffect of a workaround against an iLO bug in some firmware versions that causes unquoted XML tag attributes. My tests didn't see this as your csr needs more padding than mine, so it has == at the end of the base64 encoded data while mine has a single =.

[rryder]

Works great. Thanks for the quick fix!