Bug 2192625 - Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError [NEEDINFO]
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.2
Hardware: All
OS: Unspecified
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Mohammad Rizwan
URL:
Whiteboard:
Depends On: 2164348 1959057
Blocks: 2164347
 
Reported: 2023-05-02 14:46 UTC by Rob Crittenden
Modified: 2023-07-31 22:37 UTC

Fixed In Version: ipa-4.10.2-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2164348
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
frenaud: needinfo? (sumenon)



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-9836 0 None None None 2023-05-02 14:47:20 UTC
Red Hat Issue Tracker RHELPLAN-156215 0 None None None 2023-05-02 14:47:31 UTC

Comment 2 Florence Blanc-Renaud 2023-05-16 11:11:05 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/9e80616401fe878f4db9dcd5b6188c0b2039db53

Comment 3 Florence Blanc-Renaud 2023-05-16 15:35:49 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/b9b268e5ed497400b3525b0eec95e2ae4f039526

Comment 4 Rob Crittenden 2023-05-16 20:24:48 UTC
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/81a6b9ad2d42fecdd94e17fa7c888bbdea2daf3c

Comment 10 Mohammad Rizwan 2023-06-26 12:20:18 UTC
version:
ipa-server-4.10.2-1.el9.x86_64

Steps:
https://bugzilla.redhat.com/show_bug.cgi?id=2164348#c4

Actual result:

when number of cert is > nssizelimit

[root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
add: nssizelimit
nssizelimit: 100

modifying entry "uid=pkidbuser,ou=people,o=ipaca"


^C
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)
[root@master ~]# 
[root@master ~]# 

when number of cert < nssizelimit

[root@master ~]# ldapmodify -D cn=Directory\ Manager -w Secret123
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: nssizelimit
nssizelimit: 200

modifying entry "uid=pkidbuser,ou=people,o=ipaca"

^C
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# 
[root@master ~]# ipa cert-find
------------------------
100 certificates matched
------------------------


[..]

  Issuing CA: ipa
  Subject: CN=user88,O=TESTREALM.TEST
  Issuer: CN=Certificate Authority,O=TESTREALM.TEST
  Not Before: Mon Jun 26 11:32:56 2023 UTC
  Not After: Thu Jun 26 11:32:56 2025 UTC
  Serial number: 100
  Serial number (hex): 0x64
  Status: VALID
  Revoked: False
------------------------------
Number of entries returned 100
------------------------------
[root@master ~]#


Based on above observations, marking the bug verified.

