Bug 1858318
| Summary: | AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' when upgrading ca-less ipa master | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | frenaud, ftrivino, ksiddiqu, lmiksik, pcech, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Regression, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.8.7-8.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:51:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This seems to be due to differing releases of python3 between upstream (3.7.x) and RHEL 8.3.0 (3.6.8). In python 3.6.8 it raises ssl.CertificateError which is an alias for SSLCertVerificationError in 3.7+. I think we can safely change this to ssl.CertificateError at least in the ipa-4-8 branch. Fixed upstream master: https://pagure.io/freeipa/c/5dd566951198c3bcf0e5860deea4e76a9b8a6dc0 Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 version:
ipa-server-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
api.env:
{'api_version': '2.239',
'basedn': ipapython.dn.DN('dc=ipa,dc=test'),
'bin': '/usr/lib/python3.6/site-packages/ipatests',
'ca_agent_install_port': None,
'ca_agent_port': 443,
'ca_ee_install_port': None,
'ca_ee_port': 443,
'ca_host': 'runner.testrelm.test',
'ca_install_port': None,
'ca_port': 80,
'certmonger_wait_timeout': 300,
'conf': '/root/.ipa/cli.conf',
'conf_default': '/root/.ipa/default.conf',
'confdir': '/root/.ipa',
'container_accounts': ipapython.dn.DN('cn=accounts'),
'container_adtrusts': ipapython.dn.DN('cn=ad,cn=trusts'),
'container_applications': ipapython.dn.DN('cn=applications,cn=configs,cn=policies'),
'container_automember': ipapython.dn.DN('cn=automember,cn=etc'),
'container_automount': ipapython.dn.DN('cn=automount'),
'container_ca': ipapython.dn.DN('cn=cas,cn=ca'),
'container_ca_renewal': ipapython.dn.DN('cn=ca_renewal,cn=ipa,cn=etc'),
'container_caacl': ipapython.dn.DN('cn=caacls,cn=ca'),
'container_certmap': ipapython.dn.DN('cn=certmap'),
'container_certmaprules': ipapython.dn.DN('cn=certmaprules,cn=certmap'),
'container_certprofile': ipapython.dn.DN('cn=certprofiles,cn=ca'),
'container_cifsdomains': ipapython.dn.DN('cn=ad,cn=etc'),
'container_configs': ipapython.dn.DN('cn=configs,cn=policies'),
'container_custodia': ipapython.dn.DN('cn=custodia,cn=ipa,cn=etc'),
'container_deleteuser': ipapython.dn.DN('cn=deleted users,cn=accounts,cn=provisioning'),
'container_dna': ipapython.dn.DN('cn=dna,cn=ipa,cn=etc'),
'container_dna_posix_ids': ipapython.dn.DN('cn=posix-ids,cn=dna,cn=ipa,cn=etc'),
'container_dns': ipapython.dn.DN('cn=dns'),
'container_dnsservers': ipapython.dn.DN('cn=servers,cn=dns'),
'container_group': ipapython.dn.DN('cn=groups,cn=accounts'),
'container_hbac': ipapython.dn.DN('cn=hbac'),
'container_hbacservice': ipapython.dn.DN('cn=hbacservices,cn=hbac'),
'container_hbacservicegroup': ipapython.dn.DN('cn=hbacservicegroups,cn=hbac'),
'container_host': ipapython.dn.DN('cn=computers,cn=accounts'),
'container_hostgroup': ipapython.dn.DN('cn=hostgroups,cn=accounts'),
'container_locations': ipapython.dn.DN('cn=locations,cn=etc'),
'container_masters': ipapython.dn.DN('cn=masters,cn=ipa,cn=etc'),
'container_netgroup': ipapython.dn.DN('cn=ng,cn=alt'),
'container_otp': ipapython.dn.DN('cn=otp'),
'container_permission': ipapython.dn.DN('cn=permissions,cn=pbac'),
'container_policies': ipapython.dn.DN('cn=policies'),
'container_policygroups': ipapython.dn.DN('cn=policygroups,cn=configs,cn=policies'),
'container_policylinks': ipapython.dn.DN('cn=policylinks,cn=configs,cn=policies'),
'container_privilege': ipapython.dn.DN('cn=privileges,cn=pbac'),
'container_radiusproxy': ipapython.dn.DN('cn=radiusproxy'),
'container_ranges': ipapython.dn.DN('cn=ranges,cn=etc'),
'container_realm_domains': ipapython.dn.DN('cn=Realm Domains,cn=ipa,cn=etc'),
'container_rolegroup': ipapython.dn.DN('cn=roles,cn=accounts'),
'container_roles': ipapython.dn.DN('cn=roles,cn=policies'),
'container_s4u2proxy': ipapython.dn.DN('cn=s4u2proxy,cn=etc'),
'container_selinux': ipapython.dn.DN('cn=usermap,cn=selinux'),
'container_service': ipapython.dn.DN('cn=services,cn=accounts'),
'container_stageuser': ipapython.dn.DN('cn=staged users,cn=accounts,cn=provisioning'),
'container_sudocmd': ipapython.dn.DN('cn=sudocmds,cn=sudo'),
'container_sudocmdgroup': ipapython.dn.DN('cn=sudocmdgroups,cn=sudo'),
'container_sudorule': ipapython.dn.DN('cn=sudorules,cn=sudo'),
'container_sysaccounts': ipapython.dn.DN('cn=sysaccounts,cn=etc'),
'container_topology': ipapython.dn.DN('cn=topology,cn=ipa,cn=etc'),
'container_trusts': ipapython.dn.DN('cn=trusts'),
'container_user': ipapython.dn.DN('cn=users,cn=accounts'),
'container_vault': ipapython.dn.DN('cn=vaults,cn=kra'),
'container_views': ipapython.dn.DN('cn=views,cn=accounts'),
'container_virtual': ipapython.dn.DN('cn=virtual operations,cn=etc'),
'context': 'cli',
'debug': False,
'delegate': False,
'dogtag_version': 9,
'domain': 'ipa.test',
'dot_ipa': '/root/.ipa',
'enable_ra': False,
'env_confdir': None,
'fallback': False,
'fips_mode': False,
'force_schema_check': False,
'home': '/root',
'host': 'runner.testrelm.test',
'http_timeout': 30,
'in_server': False,
'in_tree': True,
'interactive': True,
'ipalib': '/usr/lib/python3.6/site-packages/ipalib',
'jsonrpc_uri': 'https://master.ipa.test/ipa/json',
'kinit_lifetime': None,
'ldap_uri': 'ldap://master.ipa.test',
'log': '/root/.ipa/log/cli.log',
'logdir': '/root/.ipa/log',
'mode': 'developer',
'mount_ipa': '/ipa/',
'nss_dir': '/root/.ipa/nssdb',
'plugins_on_demand': True,
'prompt_all': False,
'ra_plugin': 'selfsign',
'recommended_max_agmts': 4,
'replication_wait_timeout': 300,
'rpc_protocol': 'jsonrpc',
'script': '/usr/lib/python3.6/site-packages/ipatests/-c',
'server': 'master.ipa.test',
'site_packages': '/usr/lib/python3.6/site-packages',
'skip_version_check': False,
'startup_timeout': 120,
'startup_traceback': False,
'tls_ca_cert': '/root/.ipa/ca.crt',
'tls_version_max': None,
'tls_version_min': None,
'validate_api': False,
'verbose': 0,
'version': '4.8.7',
'wait_for_dns': 0,
'webui_prod': True,
'xmlrpc_uri': 'https://master.ipa.test/ipa/xml'}
uname: posix.uname_result(sysname='Linux', nodename='runner.testrelm.test', release='4.18.0-229.el8.x86_64', version='#1 SMP Thu Jul 30 16:19:22 UTC 2020', machine='x86_64')
euid: 0, egid: 0
working dir: /usr/lib/python3.6/site-packages/ipatests
sys.version: 3.6.8 (default, Jun 26 2020, 12:10:09)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.9.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-229.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.10.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.10.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 7 items
test_integration/test_caless.py::TestIPACommands::test_service_mod_doesnt_revoke PASSED [ 14%]
test_integration/test_caless.py::TestIPACommands::test_service_disable_doesnt_revoke PASSED [ 28%]
test_integration/test_caless.py::TestIPACommands::test_service_del_doesnt_revoke PASSED [ 42%]
test_integration/test_caless.py::TestIPACommands::test_host_mod_doesnt_revoke PASSED [ 57%]
test_integration/test_caless.py::TestIPACommands::test_host_disable_doesnt_revoke PASSED [ 71%]
test_integration/test_caless.py::TestIPACommands::test_host_del_doesnt_revoke PASSED [ 85%]
test_integration/test_caless.py::TestIPACommands::test_invoke_upgrader PASSED [100%]
---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================== 7 passed in 257.28 seconds ==========================
test_integration/test_caless.py::TestIPACommands::test_invoke_upgrader passed. Hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4670 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem: AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' when upgrading ca-less ipa master Version-Release number of selected component (if applicable): ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64 How reproducible: always Steps to Reproduce: 1. Install ca-less master 2. ipa-server-upgrade Actual results: ipa-server-upgrade fail. [root@master ~]# ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/11]: stopping directory server [..] named user config '/etc/named/ipa-ext.conf' already exists named user config '/etc/named/ipa-options-ext.conf' already exists [Upgrading CA schema] CA is not configured [Verifying that CA audit signing cert has 2 year validity] CA is not configured [Update certmonger certificate renewal configuration] CA is not configured [Enable PKIX certificate path discovery and validation] CA is not configured [Authorizing RA Agent to modify profiles] CA is not configured [Authorizing RA Agent to manage lightweight CAs] CA is not configured [Ensuring Lightweight CAs container exists in Dogtag database] CA is not configured [Adding default OCSP URI configuration] CA is not configured [Disabling cert publishing] CA is not configured [Ensuring CA is using LDAPProfileSubsystem] CA is not configured [Ensuring presence of included profiles] CA is not configured [Add default CA ACL] [Migrating to authselect profile] [Create systemd-user hbac service and rule] hbac service systemd-user already exists [Setup SPAKE] [Setup PKINIT] [Enable server krb5.conf snippet] [Adding ipa-ca alias to HTTP certificate] IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Expected results: ipa-server-upgrade success Additional info: /var/log/ipaupgrade.log 2020-07-17T13:24:20Z DEBUG Starting external process 2020-07-17T13:24:20Z DEBUG args=['/sbin/restorecon', '/etc/krb5.conf.d/freeipa-server'] 2020-07-17T13:24:21Z DEBUG Process finished, return code=0 2020-07-17T13:24:21Z DEBUG stdout= 2020-07-17T13:24:21Z DEBUG stderr= 2020-07-17T13:24:21Z INFO [Adding ipa-ca alias to HTTP certificate] 2020-07-17T13:24:21Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-07-17T13:24:21Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1805, in upgrade upgrade_configuration() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1717, in upgrade_configuration http_certificate_ensure_ipa_ca_dnsname(http) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 670, in http_certificate_ensure_ipa_ca_dnsname except ssl.SSLCertVerificationError: 2020-07-17T13:24:21Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' 2020-07-17T13:24:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' 2020-07-17T13:24:21Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information