Bug 1333755 - ipa cert-request causes internal server error while requesting certificate
Summary: ipa cert-request causes internal server error while requesting certificate
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Keywords: Reopened
Depends On: 1334151
Blocks:
 
Reported: 2016-05-06 10:32 UTC by Abhijeet Kasurde
Modified: 2016-11-04 05:53 UTC (History)

Clone Of:
: 1334151 (view as bug list)
Last Closed: 2016-11-04 05:53:47 UTC


Attachments
shell script to reproduce issue (1.04 KB, application/x-shellscript) - 2016-05-06 10:32 UTC, Abhijeet Kasurde
httpd_error_log (11.86 KB, text/plain) - 2016-05-06 10:33 UTC, Abhijeet Kasurde
certprofile configuration file used by shell script (6.49 KB, text/plain) - 2016-05-06 10:33 UTC, Abhijeet Kasurde
console output with verification steps (2.82 KB, text/plain) - 2016-09-20 10:26 UTC, Kaleem


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Abhijeet Kasurde 2016-05-06 10:32:45 UTC
Created attachment 1154546 [details]
shell script to reproduce issue

Description of problem:
While requesting user certificates for normal IPA user ipa cert-request causes internal server error.

Please see shell script attached for reproduction of issue.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.15.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run shell script given in attachment

Actual results:
ipa cert-request throws an internal server error message.
 
See attachment for log 

Expected results:
Command should be successful.

Comment 1 Abhijeet Kasurde 2016-05-06 10:33 UTC
Created attachment 1154547 [details]
httpd_error_log

Comment 2 Abhijeet Kasurde 2016-05-06 10:33 UTC
Created attachment 1154548 [details]
certprofile configuration file used by shell script

Comment 3 Abhijeet Kasurde 2016-05-06 10:35:33 UTC
Steps to reproduce: 

1. Install IPA server 
2. Download Cert profile configuration file in local directory
3. Download and run given shell script in same local directory

Comment 5 Petr Vobornik 2016-05-06 15:48:39 UTC
Seems that either dogtag returns malformed xml or not an xml and get_parse_result_xml doesn't catch an exception.

Comment 6 Petr Vobornik 2016-05-06 15:50:17 UTC
I did not investigate further, Fraser could you look at it?

Comment 7 Fraser Tweedale 2016-05-08 23:54:33 UTC
This line in the profile config:

  policyset.serverCertSet.1.default.params.name=userprofile

is the problem.  It must be a DN with placeholders for info read from CSR, e.g.

  policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST

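As an added illustration of the point in comment 7 (example code, not from the report, FreeIPA or Dogtag): a small lint that reads a certprofile config and flags subject-name default params that are not a DN carrying a `$request...$` placeholder. The sample config lines are constructed, and the key pattern `policyset.<set>.<n>.default.params.name` is an assumption taken from the line quoted above.

```python
import re

# Constructed sample of the relevant lines of a Dogtag certprofile config:
# the bad value from the report beside the corrected value from comment 7.
SAMPLE_PROFILE = """\
profileId=userCert
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=userprofile
policyset.serverCertSet.2.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.2.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
"""

# Assumed key layout for the subject-name default parameter.
SUBJECT_NAME_KEY = re.compile(r"^policyset\.[^.]+\.\d+\.default\.params\.name$")
# One RDN: attribute=value (escaped commas inside values are not handled here).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9]*=.+$")
# A Dogtag-style substitution read from the CSR, e.g. $request.req_subject_name.cn$
PLACEHOLDER = re.compile(r"\$request\.[A-Za-z0-9_.]+\$")


def parse_profile(text):
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_subject_name_defaults(conf):
    """Return {key: problem} for every subject-name default that is not a DN
    with at least one $request...$ placeholder (the requirement in comment 7)."""
    problems = {}
    for key, value in conf.items():
        if not SUBJECT_NAME_KEY.match(key):
            continue
        rdns = [r.strip() for r in value.split(",")]
        if not all(RDN.match(r) for r in rdns):
            problems[key] = "not a DN (expected attr=value[, attr=value...])"
        elif not PLACEHOLDER.search(value):
            problems[key] = "DN has no $request...$ placeholder, so nothing is read from the CSR"
    return problems
```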
Comment 8 Fraser Tweedale 2016-05-09 03:05:33 UTC
There are two other aspects to this:

- The bad configuration results in NPE in Dogtag, which is what causes
  the non-XML response.  I filed upstream ticket[1] and patch is imminent.

- The non-XML response could be handled better in FreeIPA.  It could have
  a fallback if the response cannot be parsed as XML.

[1] https://fedorahosted.org/pki/ticket/2317

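The fallback suggested in comment 8, as an added example (not FreeIPA's or Dogtag's code): parse the CA reply and turn every failure mode, including a non-XML error page, into an error message that says what the CA actually sent. The `<XMLResponse>`/`<Status>`/`<Error>` layout and the sample replies are constructed assumptions, not the real Dogtag schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies (hypothetical layout: a root <XMLResponse> with
# <Status>, <Error> and <RequestId>, loosely modelled on Dogtag's legacy XML).
XML_OK = "<XMLResponse><Status>0</Status><RequestId>7</RequestId></XMLResponse>"
XML_ERR = ("<XMLResponse><Status>2</Status>"
           "<Error>Subject name pattern is invalid</Error></XMLResponse>")
# A servlet error page with an unclosed <br>, i.e. not well-formed XML.
HTML_NPE = ("<html><body><h1>HTTP Status 500</h1>"
            "<pre>java.lang.NullPointerException<br>at ...</pre></body></html>")


class CAResponseError(Exception):
    """Carries a readable message instead of a bare 'internal server error'."""


def _excerpt(body, limit=80):
    """Short, single-line excerpt of the raw body for the error message."""
    text = body if isinstance(body, str) else body.decode("utf-8", "replace")
    text = " ".join(text.split())
    return text[:limit] + ("..." if len(text) > limit else "")


def parse_ca_response(http_status, body):
    """Return the parsed <XMLResponse> root, or raise CAResponseError.

    Every failure gets a message that names what the CA sent, so the caller
    never has to surface a generic internal error to the user."""
    if http_status != 200:
        raise CAResponseError("CA returned HTTP %d: %s" % (http_status, _excerpt(body)))
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # The case from comment 8: the NPE error page is not XML at all.
        raise CAResponseError("CA reply is not XML (%s): %s" % (exc, _excerpt(body)))
    if root.tag != "XMLResponse":
        raise CAResponseError("unexpected root element <%s>: %s" % (root.tag, _excerpt(body)))
    status = root.findtext("Status")
    if status != "0":
        error = root.findtext("Error") or "no error text in reply"
        raise CAResponseError("CA rejected the request (status %s): %s" % (status, error))
    return root
```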
Comment 9 Petr Vobornik 2016-05-10 13:59:21 UTC
This pki-core issue doesn't depend on the IPA, it's vice-versa.

Per ipa triage, I'm closing this bug, the IPA part, as won't fix. Reasoning: it is true that IPA code doesn't handle the non-xml response well, but the response happens only on dogtag internal error. Given that dogtag is part of IPA, reporting "internal server error" is in fact correct.

Comment 10 Abhijeet Kasurde 2016-05-10 14:14:03 UTC
I think rather than showing "internal server error" message to user, we should show an informative message.

Here is the patch on mailing list which provides a graceful error message to user - https://www.redhat.com/archives/freeipa-devel/2016-May/msg00166.html

Comment 11 Petr Vobornik 2016-05-10 14:25:29 UTC
IIUIC the pki-core fix will cause a properly formed XML error to be sent from PKI to IPA, and then IPA will show a graceful error message.

Fraser, please reopen if I'm mistaken.

Comment 12 Fraser Tweedale 2016-05-11 00:26:47 UTC
Petr, that's correct.

Comment 13 Martin Bašti 2016-05-11 12:37:58 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5885

Comment 14 Martin Bašti 2016-05-11 12:43:44 UTC
Reopening BZ, we received a community patch for this issue.

Comment 15 Martin Bašti 2016-05-11 12:56:03 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2df25cb359723dd72077c60a12bc037d5c77f931

Comment 17 Kaleem 2016-09-20 10:26:20 UTC
Verified.

IPA Version:
============
[root@dhcp207-129 test]# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64
[root@dhcp207-129 test]#

Please find the attached console output for verification.

Comment 18 Kaleem 2016-09-20 10:26 UTC
Created attachment 1202815 [details]
console output with verification steps

Comment 20 errata-xmlrpc 2016-11-04 05:53:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

