Created attachment 1154546 [details]
shell script to reproduce issue

Description of problem:
While requesting user certificates for a normal IPA user, ipa cert-request causes an internal server error. Please see the attached shell script for reproduction of the issue.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.15.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run the shell script given in the attachment

Actual results:
ipa cert-request throws an internal server error message. See the attachment for the log.

Expected results:
Command should be successful.
Created attachment 1154547 [details] httpd_error_log
Created attachment 1154548 [details] certprofile configuration file used by shell script
Steps to reproduce:
1. Install IPA server
2. Download the cert profile configuration file into a local directory
3. Download and run the given shell script in the same local directory
Seems that either dogtag returns malformatted XML or not XML at all, and get_parse_result_xml doesn't catch an exception.
I did not investigate further, Fraser could you look at it?
This line in the profile config is the problem:

policyset.serverCertSet.1.default.params.name=userprofile

It must be a DN with placeholders for info read from the CSR, e.g.

policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
There are two other aspects to this:

- The bad configuration results in an NPE in Dogtag, which is what causes the non-XML response. I filed upstream ticket [1] and a patch is imminent.
- The non-XML response could be handled better in FreeIPA. It could have a fallback if the response cannot be parsed as XML.

[1] https://fedorahosted.org/pki/ticket/2317
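As an added illustration of the fallback described in the comment above (example code, not FreeIPA's or Dogtag's own): a client-side parser that checks the content type and XML well-formedness before trusting a CA reply, so that an HTML error page or a servlet stack trace becomes a readable message rather than an unhandled exception. The function names parse_ca_response and user_message, the <Response>/<Status>/<Message> reply shape, and all sample bodies are constructed for this example and are not Dogtag's real schema.

```python
"""Parse a Dogtag-style CA reply with a fallback for non-XML bodies (constructed example)."""
import re
import xml.etree.ElementTree as ET


class CAResponseError(Exception):
    """The CA answered, but not in a form the client can act on."""


def _summarize(body, limit=120):
    """Collapse a body (e.g. an HTML error page) to one short line for an error message."""
    text = re.sub(r"<[^>]+>", " ", body)   # strip tags so an HTML page reads as plain text
    text = re.sub(r"\s+", " ", text).strip()
    return text[:limit] + ("..." if len(text) > limit else "")


def parse_ca_response(status, content_type, body):
    """Return {'status': int, 'message': str} from a well-formed reply, else raise CAResponseError.

    The reply shape <Response><Status>N</Status><Message>..</Message></Response> is a
    placeholder assumed for this example, not Dogtag's actual XML schema.
    """
    if body is None or not body.strip():
        raise CAResponseError("CA returned HTTP %d with an empty body" % status)
    if "xml" not in (content_type or "").lower():
        # A stack trace or HTML error page is reported here instead of reaching the XML parser.
        raise CAResponseError("CA returned HTTP %d with non-XML content (%s): %s"
                              % (status, content_type, _summarize(body)))
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise CAResponseError("CA returned HTTP %d but the body is not well-formed XML (%s): %s"
                              % (status, exc, _summarize(body))) from exc
    status_el = root.find("Status")
    msg_el = root.find("Message")
    if status_el is None or status_el.text is None or not status_el.text.strip().isdigit():
        raise CAResponseError("CA reply is XML but lacks a numeric <Status>: %s" % _summarize(body))
    message = (msg_el.text or "").strip() if msg_el is not None else ""
    return {"status": int(status_el.text), "message": message}


def user_message(status, content_type, body):
    """The line a CLI would show: the CA's own message, or the fallback description."""
    try:
        reply = parse_ca_response(status, content_type, body)
    except CAResponseError as exc:
        return "Certificate request failed: %s" % exc
    return "CA status %d: %s" % (reply["status"], reply["message"])


# Constructed sample replies (not captured from a real server).
SAMPLE_OK = (200, "text/xml",
             "<Response><Status>0</Status><Message>Request submitted</Message></Response>")
SAMPLE_HTML = (500, "text/html",
               "<html><body><h1>HTTP Status 500</h1>"
               "<p>java.lang.NullPointerException</p></body></html>")
SAMPLE_TRUNCATED = (200, "text/xml", "<Response><Status>1</Status>")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_HTML, SAMPLE_TRUNCATED):
        print(user_message(*sample))
```

The content-type check runs before the parser, so the body of an HTML error page is only ever used for the summary text; the same holds for a well-formed XML reply that lacks the expected elements, which is reported rather than silently treated as success.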
This pki-core issue doesn't depend on IPA; it's vice versa. Per IPA triage, I'm closing this bug, the IPA part, as won't fix. Reasoning: it is true that IPA code doesn't handle the non-XML response well, but the response happens only on a dogtag internal error. Given that dogtag is part of IPA, reporting "internal server error" is in fact correct.
I think rather than showing an "internal server error" message to the user, we should show an informative message. Here is the patch on the mailing list which provides a graceful error message to the user: https://www.redhat.com/archives/freeipa-devel/2016-May/msg00166.html
IIUIC the pki-core fix will cause a properly formed XML error to be sent from PKI to IPA, and then IPA will show a graceful error message. Fraser, please reopen if I'm mistaken.
Petr, that's correct.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5885
Reopening BZ, we received a community patch for this issue.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2df25cb359723dd72077c60a12bc037d5c77f931
Verified.

IPA Version:
============
[root@dhcp207-129 test]# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64
[root@dhcp207-129 test]#

Please find the attached console output for verification.
Created attachment 1202815 [details] console output with verification steps
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html