1974226 – Errors from certutil are not propagated

Bug 1974226 - Errors from certutil are not propagated

Summary: Errors from certutil are not propagated

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Directory Server
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	11.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	dirsrv-11.4
Assignee:	mreynolds
QA Contact:	RHDS QE
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-21 07:12 UTC by thierry bordaz
Modified:	2021-10-25 06:36 UTC (History)
CC List:	5 users (show)
Fixed In Version:	redhat-ds-11-8050020210917175916.d3df4063
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-25 06:36:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 4736	None	open	Errors from certutil are not propagated	2021-06-21 07:25:02 UTC
Red Hat Issue Tracker	IDMDS-1521	None	None	None	2021-08-04 08:04:26 UTC
Red Hat Product Errata	RHSA-2021:3955	None	None	None	2021-10-25 06:36:33 UTC

Description thierry bordaz 2021-06-21 07:12:26 UTC

Description of problem:
When an error occurs with certutil, stderr output from it is not printed:

[root@fedora ~]# dsctl localhost tls generate-server-cert-csr -s "bad" 
Error: Command '['/usr/bin/certutil', '-R', '--keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment', '--nsCertType', 'sslClient,sslServer', '--extKeyUsage', 'clientAuth,serverAuth', '-s', 'bad', '-8', 'fedora', '-g', '4096', '-d', '/etc/dirsrv/slapd-localhost', '-z', '/etc/dirsrv/slapd-localhost/noise.txt', '-f', '/etc/dirsrv/slapd-localhost/pwdfile.txt', '-a', '-o', '/etc/dirsrv/slapd-localhost/Server-Cert.csr']' returned non-zero exit status 255.

It just states that the exit status is 255, but no certutil output, which in this case is

certutil -s: improperly formatted name: "bad"

In lib389/nss_ssl.py we have many places with statements like this that show this behaviour:

        result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
        self.log.debug("nss output: %s", result)


Version-Release number of selected component (if applicable):
8.x

How reproducible:
systematic

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 mreynolds 2021-08-04 03:39:09 UTC

Upstream ticket:

https://github.com/389ds/389-ds-base/issues/4736

Comment 2 Viktor Ashirov 2021-08-10 15:02:48 UTC

Moving to ASSIGNED, because certutil gets called twice and asks for the password on instance creation: https://github.com/389ds/389-ds-base/issues/4736#issuecomment-896105921

Comment 3 mreynolds 2021-08-10 16:33:09 UTC

Fixed upstream...

Comment 8 errata-xmlrpc 2021-10-25 06:36:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3955

Note You need to log in before you can comment on or make changes to this bug.