Bug 2192625

Summary: Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError
Product: Red Hat Enterprise Linux 9
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: VERIFIED ---
QA Contact: Mohammad Rizwan <myusuf>
Severity: medium
Docs Contact:
Priority: urgent
Version: 9.2
CC: ademir.ladeira, amayberr, amore, arajendr, bugzilla-pkiqe, cilmar, ckelley, frenaud, ftrivino, ipa-qe, msauton, negativo17, rcritten, rjeffman, sumenon, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: frenaud: needinfo? (sumenon)
Hardware: All
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.10.2-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2164348
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2164348, 1959057
Bug Blocks: 2164347

Comment 2 Florence Blanc-Renaud 2023-05-16 11:11:05 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/9e80616401fe878f4db9dcd5b6188c0b2039db53

Comment 3 Florence Blanc-Renaud 2023-05-16 15:35:49 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/b9b268e5ed497400b3525b0eec95e2ae4f039526

Comment 4 Rob Crittenden 2023-05-16 20:24:48 UTC
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/81a6b9ad2d42fecdd94e17fa7c888bbdea2daf3c

Comment 10 Mohammad Rizwan 2023-06-26 12:20:18 UTC
version:
ipa-server-4.10.2-1.el9.x86_64

Steps:
https://bugzilla.redhat.com/show_bug.cgi?id=2164348#c4

Actual result:

When the number of certs is > nssizelimit:

[root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
add: nssizelimit
nssizelimit: 100

modifying entry "uid=pkidbuser,ou=people,o=ipaca"


^C
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)
[root@master ~]# 
[root@master ~]# 

When the number of certs is < nssizelimit:

[root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: nssizelimit
nssizelimit: 200

modifying entry "uid=pkidbuser,ou=people,o=ipaca"

^C
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# 
[root@master ~]# ipa cert-find
------------------------
100 certificates matched
------------------------


[..]

  Issuing CA: ipa
  Subject: CN=user88,O=TESTREALM.TEST
  Issuer: CN=Certificate Authority,O=TESTREALM.TEST
  Not Before: Mon Jun 26 11:32:56 2023 UTC
  Not After: Thu Jun 26 11:32:56 2025 UTC
  Serial number: 100
  Serial number (hex): 0x64
  Status: VALID
  Revoked: False
------------------------------
Number of entries returned 100
------------------------------
[root@master ~]#


Based on the above observations, marking the bug as verified.