Bug 103358

Summary: New repo backend design has unhandled exceptions
Product: [Retired] Red Hat Raw Hide Reporter: Paul Nasrat <nobody+pnasrat>
Component: up2dateAssignee: Adrian Likins <alikins>
Status: CLOSED RAWHIDE QA Contact: Fanny Augustin <fmoquete>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0CC: gafton, mihai.ibanescu
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-11-01 12:14:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to handle exception on import none

Description Paul Nasrat 2003-08-29 10:12:46 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703

Description of problem:
Whilst trying a routine up2date the certificate for xmlrpc.rhn.redhat.com was
not signed by RHNS-CA-CERT so an SSL Error was obtained.

...
SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
failed')]

essentially 

try:
    from up2date_client import repoDirector
...

in repoDirector there is a call in the header

                                                                               
channels = rhnChannel.getChannels()

which in turn calls login() which can return an SSL.Error from the xmlrpc backend.

This leaves a nasty python stacktrace.  As this is not in main() of wrapper.py
it isn't caught.
                                                                                


Version-Release number of selected component (if applicable):
up2date-3.9.15

How reproducible:
Always

Steps to Reproduce:
1. Replace RHNS-CA-CERT with a invalid one (or break it server side):
openssl genrsa -out server.key 1024
openssl req -new -x509 -days 365 -key server.key -out server.crt
openssl x509 -noout -text -in server.crt > RHNS-CA-CERT
2. replace cert or point up2date at invalid one
3.  run up2date -l
    

Actual Results:  Stack trace

Expected Results:  A nice error message should be printed
Comment 1 Paul Nasrat 2003-08-29 10:14:50 UTC 
Created attachment 94063 [details]
Patch to handle exception on import

This handles the exception at the outermost level of up2date.
Comment 2 Adrian Likins 2003-09-02 18:13:58 UTC 
Thanks for the patch. I think I fixed this by rearraging some
of the module imports so ssl errors dont happen when importing
repoDirector. The old ssl error catching code seems to work
with the new org.

3.9.19 should have it, if not 3.9.21 at least does.
Comment 3 Paul Nasrat 2003-11-01 12:14:23 UTC 
[root@enki rhn]# rpm -q up2date
up2date-4.1.14-2
[root@enki rhn]# grep CA up2date
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT.b0rk
[root@enki rhn]# up2date -l
There was an SSL error: []
A common cause of this error is the system time being incorrect.
Verify that the time on this system is correct.