1778090 – RFE: virt-v2v should improve the error message for wrong ca.pem file

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1778090 - RFE: virt-v2v should improve the error message for wrong ca.pem file

Summary: RFE: virt-v2v should improve the error message for wrong ca.pem file

Keywords:
Status:	CLOSED DUPLICATE of bug 2062360
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	virt-v2v
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	beta
Target Release:	---
Assignee:	Virtualization Maintenance
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:	V2V
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-29 09:54 UTC by liuzi
Modified:	2022-04-18 14:50 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-04-18 14:50:48 UTC
Type:	Feature Request
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description liuzi 2019-11-29 09:54:23 UTC

Description of problem:
virt-v2v should improve the error message for wrong ca.pem file 

Background:
If set rhv-verifypeer=true and give a wrong ca.pem,virt-v2v will pre-check the connection,then give a error info.but the error info not clear and direct.
pls refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=1759441

Version-Release number of selected component (if applicable):
virt-v2v-1.40.2-15.module+el8.1.1+4955+f0b25565.x86_64
libguestfs-1.40.2-15.module+el8.1.1+4955+f0b25565.x86_64
libvirt-5.6.0-9.module+el8.1.1+4955+f0b25565.x86_64

How reproducible:
100%

Steps to Reproduce:
1.set rhv-verifypeer=true but give a wrong ca.pem file
# virt-v2v  -ic vpx://root.73.141/data/10.73.196.89/?no_verify=1 -o rhv-upload -os nfs_data -of raw -b ovirtmgmt -n ovirtmgmt esx6.5-win7-x86_64 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -on esx6.5-win7-x86_64jlM -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /tmp/rhvpasswd -oo rhv-cluster=Default -oo rhv-direct -ip /tmp/passwd -oo rhv-verifypeer=true -oo rhv-cafile=/tmp/ca.pem
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
pycurl.error: (35, 'error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/tmp/v2v.2ELeLk/rhv-upload-precheck.py", line 67, in <module>
    case_sensitive=True,
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/services.py", line 5879, in list
    return self._internal_get(headers, query, wait)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 202, in _internal_get
    context = self._connection.send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 370, in send
    return self.__send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 388, in __send
    self.authenticate()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 384, in authenticate
    self.__parse_error(e)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 932, in __parse_error
    six.reraise(clazz, clazz(error_msg), sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/six.py", line 695, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
ovirtsdk4.Error: Error while sending HTTP request: (35, 'error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm')
virt-v2v: error: failed server prechecks, see earlier errors

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]


Actual results:
Virt-v2v will give a error info but it not clear enough.


Expected results:
When use a wrong ca.pem file ,virt-v2v can show clear error info.

Additional info:

Comment 3 RHEL Program Management 2021-05-29 07:29:45 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 4 Richard W.M. Jones 2021-05-29 07:43:45 UTC

This bug was closed in error by an automated process that we do not control.  Reopening.

Comment 5 Klaus Heinrich Kiwi 2021-08-16 21:08:23 UTC

(In reply to liuzi from comment #0)
<...snip...>
> rhv-verifypeer=true -oo rhv-cafile=/tmp/ca.pem
> Traceback (most recent call last):
>   File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381,
> in authenticate
>     self._sso_token = self._get_access_token()
>   File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617,
> in _get_access_token
>     sso_response = self._get_sso_response(self._sso_url, post_data)
>   File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694,
> in _get_sso_response
>     curl.perform()
> pycurl.error: (35, 'error:0609E09C:digital envelope
> routines:pkey_set_type:unsupported algorithm')
> 

I'll be honest when saying that I think the treatment of this error looks fine, especially if we consider similar failures on other tools - after all the types/formats of certificates could very well be a factor of the underlying crypto library in use, and I'm not sure we should be trying to parse it, much less give very detailed error messages of why it failed..

In cryptography and authentication, it is pretty common to have an 'all-or-nothing' approach.. So I'll tentatively close this, feel free to reopen.

Comment 11 RHEL Program Management 2022-02-18 07:27:16 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 12 Richard W.M. Jones 2022-02-18 08:29:10 UTC

This bug is not stale.  It was closed by a process we have no control over.
Please ignore the previous comment.

Comment 13 Laszlo Ersek 2022-04-18 14:50:48 UTC

This is the first time I'm reading through this bug, and even before
reading Klaus's comment 5, I had arrived at the exact same opinion.

OpenSSL -- crypto in general -- error messages are *notoriously* varied,
there are many factors that can go wrong, especially with OS-level
crypto defaults advancing continuously and asynchronously to most
applications.

The error message is:

> pycurl.error: (35, 'error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm')

First we have the "compressed" OpenSSL error code, 0609E09C, but then
pycurl actually decodes that for us with ERR_GET_LIB, ERR_GET_FUNC,
ERR_GET_REASON
<https://www.openssl.org/docs/man1.1.1/man3/ERR_GET_LIB.html>:

- library: digital envelope routines
- function: pkey_set_type
- reason: unsupported algorithm

It's entirely possible that the CA.pem file in this case is *valid*,
only the crypto settings on the host where virt-v2v runs (and
consequently, where ovirtsdk4 runs) consider the public key algorithm in
the certificate *too weak*. How is virt-v2v supposed to explain that? It
is an entire OS-level configuration problem, not an application (or even
remote hypervisor) problem.

(

  Just the other day I helped Xueqiang Wei in an offlist thread (msgid
  <1adccb18-f419-4546-48e2-8f68498ef7fc>) resolve an issue
  precisely like this, with regard to UEFI HTTPS Boot. The instructions
  I had provided in
  <https://bugzilla.redhat.com/show_bug.cgi?id=1906500#c27>, for
  creating a CA certificate, no longer worked for Xueqiang Wei. Namely,
  the Certificate Signing Request (CSR) created on a RHEL7 host was now
  impossible to sign on RHEL9:

> Certificate request self-signature did not match the contents
> 80FBFB109E7F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
> 80FBFB109E7F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:201:

  Note the reason code: "invalid digest". That was utterly wrong; there
  was nothing broken with the CSR. Instead, the "genkey" command on the
  RHEL7 machine used such algorithms for the CSR that the RHEL9 host
  considered "weak". After running the command

> update-crypto-policies --set LEGACY

  on the RHEL9 host, the same CSR (from RHEL7) could be signed without
  issues.

)

There's an arms' race between RHEL constantly tightening its crypto
requirements, and virt-v2v having to connect to less-than-bleeding-edge
hypervisors, both on the source side and the destination size. It's a
conflict of interest, and whenever things fall apart because of that,
end-users may encounter the wildest and most misleading error messages,
from deep call stacks in the crypto libs, and we can't do anything about
that in virt-v2v.

Therefore, I'm now going to close this as a duplicate of bug 2062360 now
(even though I'm pretty unconvinced that we should attempt handling this
symptom even under bug 2062360; the real issue is bug 2064740!). Thanks.

*** This bug has been marked as a duplicate of bug 2062360 ***

Note You need to log in before you can comment on or make changes to this bug.