Bug 1974226

Summary: Errors from certutil are not propagated
Product: Red Hat Directory Server Reporter: thierry bordaz <tbordaz>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 11.3CC: gkimetto, ldap-maint, mreynolds, sgouvern, vashirov
Target Milestone: ---   
Target Release: dirsrv-11.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: redhat-ds-11-8050020210917175916.d3df4063 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 06:36:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description thierry bordaz 2021-06-21 07:12:26 UTC 
Description of problem:
When an error occurs with certutil, stderr output from it is not printed:

[root@fedora ~]# dsctl localhost tls generate-server-cert-csr -s "bad" 
Error: Command '['/usr/bin/certutil', '-R', '--keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment', '--nsCertType', 'sslClient,sslServer', '--extKeyUsage', 'clientAuth,serverAuth', '-s', 'bad', '-8', 'fedora', '-g', '4096', '-d', '/etc/dirsrv/slapd-localhost', '-z', '/etc/dirsrv/slapd-localhost/noise.txt', '-f', '/etc/dirsrv/slapd-localhost/pwdfile.txt', '-a', '-o', '/etc/dirsrv/slapd-localhost/Server-Cert.csr']' returned non-zero exit status 255.

It just states that the exit status is 255, but no certutil output, which in this case is

certutil -s: improperly formatted name: "bad"

In lib389/nss_ssl.py we have many places with statements like this that show this behaviour:

        result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
        self.log.debug("nss output: %s", result)


Version-Release number of selected component (if applicable):
8.x

How reproducible:
systematic

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 mreynolds 2021-08-04 03:39:09 UTC 
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/4736
Comment 2 Viktor Ashirov 2021-08-10 15:02:48 UTC 
Moving to ASSIGNED, because certutil gets called twice and asks for the password on instance creation: https://github.com/389ds/389-ds-base/issues/4736#issuecomment-896105921
Comment 3 mreynolds 2021-08-10 16:33:09 UTC 
Fixed upstream...
Comment 8 errata-xmlrpc 2021-10-25 06:36:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3955