Bug 2228355 - ipa-healthcheck misleading "Internal server error 'Link'" when use RHEL8 on RHEL9
Summary: ipa-healthcheck misleading "Internal server error 'Link'" when use RHEL8 on R...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.8
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: idm-cs-qe-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-02 07:22 UTC by Ding-Yi Chen
Modified: 2023-08-02 19:01 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-164262 0 None None None 2023-08-02 19:01:46 UTC

Description Ding-Yi Chen 2023-08-02 07:22:45 UTC 
Description of problem:

In IPA domain has both RHEL 8 and RHEL 9 servers.
 
Following error occurs when using RHEL8 ipa-healthcheck 

    % ipa-healthcheck --verbose --debug --failures-only --check ClonesConnectivyAndDataCheck --source pki.server.healthcheck.clones.connectivity_and_data 
    ...
    Calling check <pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck object at 0x7f815a2d0e80>                                                    
    Entering ClonesConnectivityCheck : pki-tomcat                                                                                                                                
    ...
    https://rhel9.example.com:443 "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 316                                                                                             
    Internal server error 'Link' 
    [
      {
        "source": "pki.server.healthcheck.clones.connectivity_and_data",
        "check": "ClonesConnectivyAndDataCheck",
        "result": "ERROR",
    ...
        "kw": {
          "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: rhel9.example.com Port: 443"
        }
      }
    ]


However, running the same command on RHEL9 have no error. 

This check essentially get 3 certificates using something similar to

    kinit admin
    JSON_REQUEST='{ }'
    curl -v -b ~/cookiejar -c ~/cookiejar --negotiate -u :  -H "Content-Type:application/json" -H "Accept:application/json" -H Referer:https://$IPA_SERVER/ipa ${JSON_REQUEST:+-d "$JSON_REQUEST"} https://$IPA_SERVER/ca/rest/certs/search\?size=3 | jq


Using above command on RHEL 8, there is a `Link` attribute like:

    {
    ...
      "entries": [
        {
          "id": "0x1",
          "SubjectDN": "CN=Certificate Authority,O=EXAMPLE.COM",
          "IssuerDN": "CN=Certificate Authority,O=EXAMPLE.COM,
    ...
          "Link": {
            "rel": "self",
            "href": "https://rhel8.example.com/ca/rest/certs/0x1",
            "type": "application/xml"
          }
        },
    ...
    }


On RHEL 9, no `Link` attribute:

    {
    ...
      "entries": [
        {
          "id": "0x1",
          "SubjectDN": "CN=Certificate Authority,O=EXAMPLE.COM",
          "IssuerDN": "CN=Certificate Authority,O=EXAMPLE.COM,
    ...
        },
    ...



This cause the following code to have exception 

    class CertRequestInfoCollection(object):
    ...
        @classmethod
        def from_json(cls, json_value):
            """ Populate object from JSON input """
            ret = cls()
            cert_req_infos = json_value['entries']
            if not isinstance(cert_req_infos, list):
                ret.cert_request_info_list.append(
                    CertRequestInfo.from_json(cert_req_infos))
            else:
                for cert_info in cert_req_infos:
                    ret.cert_request_info_list.append(
                        CertRequestInfo.from_json(cert_info))

            links = json_value['Link']      <#### KeyError: 'Link'
            if not isinstance(links, list):
                ret.links.append(pki.Link.from_json(links))
            else:
                for link in links:
                    ret.links.append(pki.Link.from_json(link))

            return ret


Thus the error message


    Internal server error 'Link'


Version-Release number of selected component (if applicable):

python3-idm-pki-10.14.3-1.module+el8.8.0+18059+6d4394a9.noarch
ipa-healthcheck-0.12-1.module+el8.8.0+17582+6bf5bf91.noarch

How reproducible:
Always from RHEL 8 IPA server to query RHEL9 IPA server

Steps to Reproduce:
0. IPA domain has both RHEL 8 server and RHEL 9 server, both are CA
1. On RHEL 8, run 

    ipa-healthcheck --verbose --debug --failures-only --check ClonesConnectivyAndDataCheck --source pki.server.healthcheck.clones.connectivity_and_data 


Actual results:
Error message:

    Internal server error 'Link'

Expected results:

No error

Additional info:
Note You need to log in before you can comment on or make changes to this bug.