Bug 1926910 - ipa cert-remove-hold <invalid_cert_id> returns an incorrect error message
Summary: ipa cert-remove-hold <invalid_cert_id> returns an incorrect error message
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-09 16:23 UTC by Sumedh Sidhaye
Modified: 2021-05-18 15:49 UTC (History)

Fixed In Version: ipa-4.9.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Sumedh Sidhaye 2021-02-09 16:23:03 UTC
Description of problem:
ipa cert-remove-hold <invalid_cert_id> returns an incorrect error message

Version-Release number of selected component (if applicable):
ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64
pki-base-10.10.3-1.module+el8.4.0+9456+88377f87.noarch

How reproducible:
Always

Steps to Reproduce:
1. run `ipa cert-remove-hold 9999` or `ipa cert-remove-hold <invalid_cert_id>`

Actual results:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
is returned

Expected results:
Earlier, the same command used to return:
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Certificate serial number)

or 

CertNotFoundException: Certificate ID 0x270f not found

should be returned

Additional info:
The pki equivalent command returns the correct error message
[root@ci-vm-10-0-139-78 ~]# pki cert-release-hold 9999
WARNING: pki cert has been deprecated. Use pki ca-cert instead.
WARNING: BAD_CERT_DOMAIN encountered on 'CN=server.testrealm.test,OU=pki-tomcat,O=testrealm.test Security Domain' indicates a common-name mismatch
CertNotFoundException: Certificate ID 0x270f not found
[root@ci-vm-10-0-139-78 ~]# rpm -q pki-ca
pki-ca-10.10.3-1.module+el8.4.0+9456+88377f87.noarch
[root@ci-vm-10-0-139-78 ~]#

Comment 1 Florence Blanc-Renaud 2021-02-09 16:37:32 UTC
The issue is easily reproducible on RHEL 8.4. The command
# ipa cert-show 9999
is also returning a wrong message (Unable to communicate with CMS instead of Certificate not found).

This is likely a regression introduced by https://github.com/freeipa/freeipa/commit/dcdcd1ce88a6d5ed5997f50758dc6fd025df5f41 ("ipa cert-show: fix the code setting revocation reason").

Before the fix, the get_certificate() method was raising an HTTPRequestError, but after the fix, a CertificateOperationError.

Comment 2 Rob Crittenden 2021-02-09 16:49:39 UTC
At some point the CA changed their response to be more REST-like, so it returns a 404 when something is not found. This short-circuits pulling the exact error message returned.

I'd have sworn I opened a BZ or a ticket on this but I can't find it.
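
Added example (not part of the original comments and not FreeIPA's code): a Python sketch of the short-circuit described in comments 1 and 2, next to a handler that keeps the CA's own detail so "certificate not found" stays distinguishable from a CA outage. The function names and the JSON shape of the sample body are assumptions made for illustration.

```python
import json

# Constructed sample of a CA REST reply for an unknown serial; the JSON
# field names are an assumption made for this example.
SAMPLE_404_BODY = json.dumps({
    "ClassName": "CertNotFoundException",
    "Code": 404,
    "Message": "Certificate ID 0x270f not found",
})

class CertificateOperationError(Exception):
    """Stand-in for the IPA error class named in comment 1."""

def detail_from_body(body):
    """Return the CA's own message from an error body, or None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    msg = doc.get("Message") if isinstance(doc, dict) else None
    if not isinstance(msg, str) or not msg.strip():
        return None
    # The text is remote-supplied: collapse it to one line and cap its length.
    return " ".join(msg.split())[:200]

def check_short_circuit(status, body):
    """Behaviour reported in the bug: any non-2xx status hides the body."""
    if not 200 <= status < 300:
        raise CertificateOperationError(
            f"Unable to communicate with CMS ({status})")
    return body

def check_propagating(status, body):
    """Keep the CA's detail; say so explicitly when the body has none."""
    if 200 <= status < 300:
        return body
    detail = detail_from_body(body) or "no error detail in response body"
    raise CertificateOperationError(
        f"Non-2xx response from CA REST API: {status}. {detail}")

def error_text(check, status, body):
    """Run a checker and return the error text it raises, or None."""
    try:
        check(status, body)
    except CertificateOperationError as exc:
        return str(exc)
    return None
```

With the propagating handler, a 404 carrying a structured body and a 502 carrying a proxy error page produce different messages, which is what lets an operator or alert rule tell a bad serial number from an unreachable CA.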

Comment 3 Florence Blanc-Renaud 2021-02-12 09:34:59 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8704

Comment 4 Alexander Bokovoy 2021-02-15 08:02:13 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/45d7d15c1186bc563393ae0bf131ccf94b1d12c4
https://pagure.io/freeipa/c/55c7e2121ea78eec102560d176ccb2c74146caf7

master:

ec6698f cert plugin: propagate the error for non-existent cert
4672d61 xmlrpc tests: add a test for cert-remove-hold

Comment 5 Alexander Bokovoy 2021-02-15 13:23:10 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/137b39cf93d209fcad78007585dea2501aea632a

Comment 6 Alexander Bokovoy 2021-02-15 18:30:56 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/9854c399da83a30259ccec9cf9277ffd97f7cd67

Comment 10 Sumedh Sidhaye 2021-02-19 07:18:43 UTC
Build used for verification:


2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho]  +-----------------------------[RPMs & OS: [RedHat - x86_64]-----------------------------+
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       ipa-client-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       ipa-client-common-4.9.2-1.module+el8.4.0+9973+3d202164.noarch
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       ipa-server-common-4.9.2-1.module+el8.4.0+9973+3d202164.noarch
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       ipa-server-dns-4.9.2-1.module+el8.4.0+9973+3d202164.noarch
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] |       sssd-ipa-2.4.0-8.el8.x86_64
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho] ------------------------------------------------------------------------------------------
2021-02-19T07:05:32+0000 [ci-vm-10-0-154-22.ho]  +-----------------------------------------------------------------------------------------+


Test Result:

2021-02-19T06:40:39+0000 [ci-vm-10-0-154-22.ho] ::   remove hold invalid id returns proper error message and no internal error bz999722
2021-02-19T06:40:39+0000 [ci-vm-10-0-154-22.ho] ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
2021-02-19T06:40:39+0000 [ci-vm-10-0-154-22.ho] :: [ 01:40:39 ] :: [   LOG    ] :: Test for invalid id: [9999], expected error msg: [Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)]
2021-02-19T06:40:41+0000 [ci-vm-10-0-154-22.ho] ipa: ERROR: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x270f not found (404)
2021-02-19T06:40:41+0000 [ci-vm-10-0-154-22.ho] :: [ 01:40:40 ] :: [   PASS   ] :: remove-hold an invalid cert failed as expected 
2021-02-19T06:40:41+0000 [ci-vm-10-0-154-22.ho] :: [ 01:40:40 ] :: [   LOG    ] :: Test for invalid id: [abc], expected error msg: [Non-2xx response from CA REST API: 404. Certificate ID 0xabc not found (404)]
2021-02-19T06:40:42+0000 [ci-vm-10-0-154-22.ho] ipa: ERROR: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0xabc not found (404)
2021-02-19T06:40:42+0000 [ci-vm-10-0-154-22.ho] :: [ 01:40:42 ] :: [   PASS   ] :: remove-hold an invalid cert failed as expected 



Based on above automated test results marking Bugzilla verified.

Comment 13 errata-xmlrpc 2021-05-18 15:48:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

