Bug 2164348
Summary: | Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Chris Kelley <ckelley> | |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> | |
Status: | CLOSED ERRATA | QA Contact: | Mohammad Rizwan <myusuf> | |
Severity: | medium | Docs Contact: | ||
Priority: | urgent | |||
Version: | 8.3 | CC: | ademir.ladeira, amayberr, arajendr, bugzilla-pkiqe, cilmar, ckelley, frenaud, ftrivino, gkaihoro, msauton, myusuf, negativo17, rcritten, rjeffman, sumenon, tscherf | |
Target Milestone: | beta | Keywords: | Triaged | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.9.12-2.module+el8.9.0+18921+013c0de2 | Doc Type: | No Doc Update | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1959057 | |||
: | 2192625 (view as bug list) | Environment: | ||
Last Closed: | 2023-11-14 15:32:50 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1959057 | |||
Bug Blocks: | 2164347, 2192625 |
Comment 2
Florence Blanc-Renaud
2023-02-02 16:53:46 UTC
flo do you remember how you reproduced this? (In reply to Rob Crittenden from comment #3) > flo do you remember how you reproduced this? Yes, I defined a sizelimit for uid=pkidbuser. The trick is to pick something big enough that allows pki to start (pkidbuser is performing searches for the certificate profiles for instance, and there are ~90 entries, so I picked nsSizeLimit= 100). # ldapmodify -D cn=directory\ manager -w Secret123 dn: uid=pkidbuser,ou=people,o=ipaca changetype: modify add: nssizelimit nssizelimit: 100 # ipactl restart (restart pki is needed to re-establish a new connection between pki and 389ds and take into account the new sizelimit for uid=pkidbuser) # ipa cert-find (if there are < 100 certificates, should succeed) Create enough certificates to reach the limit # ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) The logs in /var/log/pki/pki-tomcat/ca/debug.$DATE.log show all the certs returned up to 100 and then the failure: 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Searching for certificates 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: PKIService: Request class: CertSearchRequest 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: PKIService: Request format: application/xml 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: PKIService: XML request: <?xml version='1.0' encoding='UTF-8'?> <CertSearchRequest><serialNumberRangeInUse>true</serialNumberRangeInUse><subjectInUse>false</subjectInUse><matchExactly>false</matchExactly><revokedByInUse>false</revokedByInUse><revokedOnInUse>false</revokedOnInUse><revocationReasonInUse>false</revocationReasonInUse><issuedByInUse>false</issuedByInUse><issuedOnInUse>false</issuedOnInUse><validNotBeforeInUse>false</validNotBeforeInUse><validNotAfterInUse>false</validNotAfterInUse><validityLengthInUse>false</validityLengthInUse><certTypeInUse>false</certTypeInUse></CertSearchRequest> 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Search filter: (certstatus=*) 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: filter: (certStatus=*) 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: dn: cn=101,ou=certificateRepository,ou=ca,o=ipaca 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Search results: 101 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: filter: (certStatus=*) 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca ... 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: DBVirtualList: dn: cn=100,ou=certificateRepository,ou=ca,o=ipaca 2023-04-25 06:51:31 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] SEVERE: Operation Error - class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5e8c92f4) java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5e8c92f4) The new message will be (proposed): ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500) We get no indication of the reason for the search failure. I suppose this is message is better in that it doesn't imply that the CA is not available at all. Fixed upstream master: https://pagure.io/freeipa/c/9e80616401fe878f4db9dcd5b6188c0b2039db53 Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/b9b268e5ed497400b3525b0eec95e2ae4f039526 Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/81a6b9ad2d42fecdd94e17fa7c888bbdea2daf3c version: ipa-server-4.9.12-2.module+el8.9.0+18921+013c0de2.x86_64 Steps: https://bugzilla.redhat.com/show_bug.cgi?id=2164348#c4 Actual result: when number of cert > nssizelimit [root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123 dn: uid=pkidbuser,ou=people,o=ipaca changetype: modify add: nssizelimit nssizelimit: 100 modifying entry "uid=pkidbuser,ou=people,o=ipaca" ^C [root@master ~]# ipactl restart Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@master ~]# ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500) [root@master ~]# [root@master ~]# when number of cert < nssizelimit: [root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123 dn: uid=pkidbuser,ou=people,o=ipaca changetype: modify replace: nssizelimit nssizelimit: 200 modifying entry "uid=pkidbuser,ou=people,o=ipaca" ^C [root@master ~]# [root@master ~]# ipactl restart Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@master ~]# [root@master ~]# [root@master ~]# ipa cert-find ------------------------ 100 certificates matched ------------------------ [..] Issuing CA: ipa Subject: CN=tuser90,O=TESTRELM.TEST Issuer: CN=Certificate Authority,O=TESTRELM.TEST Not Before: Thu Jun 08 07:13:13 2023 UTC Not After: Sun Jun 08 07:13:13 2025 UTC Serial number: 100 Serial number (hex): 0x64 Status: VALID Revoked: False ------------------------------ Number of entries returned 100 ------------------------------ [root@master ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6977 |