Created attachment 1154546
shell script to reproduce issue
Description of problem:
While requesting user certificates for normal IPA user ipa cert-request causes internal server error.
Please see shell script attached for reproduction of issue.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run shell script given in attachment
Actual results:
ipa cert-request throws an internal server error message.
See attachment for log
Expected results:
Command should be successful.
Created attachment 1154547
Created attachment 1154548
certprofile configuration file used by shell script
Steps to reproduce:
1. Install IPA server
2. Download Cert profile configuration file in local directory
3. Download and run given shell script in same local directory
Seems that either dogtag returns malformed XML or not XML at all, and get_parse_result_xml doesn't catch an exception.
I did not investigate further, Fraser could you look at it?
This line in the profile config:
is the problem. It must be a DN with placeholders for info read from CSR, e.g.
There are two other aspects to this:
- The bad configuration results in an NPE in Dogtag, which is what causes the non-XML response. I filed an upstream ticket and a patch is imminent.
- The non-XML response could be handled better in FreeIPA. It could have a fallback if the response cannot be parsed as XML.
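The fallback described in the comment above, written out as an added example that is not FreeIPA's or Dogtag's own code: the parser treats "not XML" as an expected failure mode and turns it into a readable error instead of letting the XML parser's exception surface as an internal server error. The reply schema (a CertRequestResponse element with requestId and status children), the function names and the sample replies are all constructed for this example and are not Dogtag's real response format.

```python
import re
import xml.etree.ElementTree as ET


class CAResponseError(Exception):
    """Raised when the CA reply cannot be interpreted as a cert-request result."""


def _html_title(text):
    """Best-effort extraction of the <title> of an HTML error page (returns None if absent)."""
    m = re.search(r"<title>(.*?)</title>", text, re.IGNORECASE | re.DOTALL)
    return " ".join(m.group(1).split()) if m else None


def parse_cert_request_response(body):
    """Parse a CA reply to a cert-request call.

    Hypothetical reply format (constructed for this example, not Dogtag's schema):
    a <CertRequestResponse> root with <requestId> and <status> children.
    Returns {"request_id": ..., "status": ...} on success. Any reply that is not
    well-formed XML (for example an application server's HTML 500 page) is
    reported as CAResponseError with the most informative fragment we can find,
    rather than escaping as a bare ET.ParseError.
    """
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    try:
        root = ET.fromstring(body)
    except ET.ParseError as e:
        # Fallback path: the reply is not XML. Prefer the HTML title (usually
        # "HTTP Status 500 ..."), otherwise show the start of the raw body.
        detail = _html_title(text) or text.strip()[:80]
        raise CAResponseError(
            "CA did not return a parseable XML response (%s): %s" % (e, detail)
        ) from e
    if root.tag != "CertRequestResponse":
        raise CAResponseError("unexpected root element %r in CA response" % root.tag)
    request_id = root.findtext("requestId")
    status = root.findtext("status")
    if request_id is None or status is None:
        raise CAResponseError("CA response is missing requestId or status")
    return {"request_id": request_id, "status": status}


# Constructed sample replies exercising both branches.
GOOD_REPLY = (
    b'<?xml version="1.0"?>'
    b"<CertRequestResponse><requestId>42</requestId>"
    b"<status>pending</status></CertRequestResponse>"
)

# Constructed stand-in for what an application server sends when the CA hits an
# unhandled exception: an HTML page (unclosed <meta>, lowercase doctype), not XML.
ERROR_PAGE = (
    b"<!doctype html><html><head>"
    b"<title>HTTP Status 500 - Internal Server Error</title>"
    b'<meta charset="UTF-8"></head>'
    b"<body><h1>HTTP Status 500</h1><p>java.lang.NullPointerException</p></body></html>"
)

if __name__ == "__main__":
    print(parse_cert_request_response(GOOD_REPLY))
    try:
        parse_cert_request_response(ERROR_PAGE)
    except CAResponseError as err:
        print("graceful error:", err)
```

The caller that maps this to a user-facing message can then distinguish "the CA is misconfigured or crashed" (CAResponseError carrying the server's own status line) from "the request was rejected", which is what the reporter asks for instead of a blanket internal server error.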
This pki-core issue doesn't depend on IPA; it's vice versa.
Per IPA triage, I'm closing this bug, the IPA part, as won't fix. Reasoning: it is true that IPA code doesn't handle the non-XML response well, but the response happens only on a dogtag internal error. Given that dogtag is part of IPA, reporting "internal server error" is in fact correct.
I think rather than showing an "internal server error" message to the user, we should show an informative message.
Here is the patch on mailing list which provides a graceful error message to user - https://www.redhat.com/archives/freeipa-devel/2016-May/msg00166.html
IIUIC the pki-core fix will cause a properly formed XML error to be sent from PKI to IPA, and then IPA will show a graceful error message.
Fraser, please reopen if I'm mistaken.
Petr, that's correct.
Reopening BZ, we received community patch for this issue.
[root@dhcp207-129 test]# rpm -q ipa-server
Please find the attached console output for verification.
Created attachment 1202815
console output with verification steps
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.