Bug 440084 - RA Installation Error Message Needs Improvement
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: RA
1.0
All Linux
medium Severity low
: 1.0
: ---
Assigned To: Jack Magne
Chandrasekar Kannan
Depends On:
Blocks: 445047
Reported: 2008-04-01 13:35 EDT by Jack Magne
Modified: 2015-01-04 18:31 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-06 17:20:52 EDT
Description Jack Magne 2008-04-01 13:35:19 EDT
Description of problem:

The RA or registration authority component of Dogtag serves as an intermediary
between users of Dogtag and the Dogtag CA or certificate authority. Certificate
requests are made through the RA and passed on to the CA.

This interaction requires a working communications channel between the two.
During the RA's installation wizard procedure, the user may see an extremely
unhelpful error message such as the following:

CA response: Authorization Error. Please also check previous related panels

The above error occurs when the user attempts to navigate past the
"SubjectNames" panel. Obviously, under the hood, the wizard is trying to have the
RA actually contact the CA. This attempt has failed.

Investigation has concluded that a firewall issue between the RA and CA can
often result in this very problem.

Therefore, what we need to do is the following:

1. At an early stage of the RA's wizard, explicitly mention to the user that
they should make sure they have configured their firewall correctly, such that
Dogtag will operate properly.

2. In the case where the user unfortunately reaches the error condition listed
above, change the cryptic error message to gently guide the user that the
firewall may be an issue and they should check and/or adjust their firewall
settings.


Version-Release number of selected component (if applicable):

Dogtag Certificate System 1.0.0


How reproducible:

Always, if the firewall is set to block access.


Steps to Reproduce:
1. Install the Dogtag Certificate System CA component on a unique host.
2. Make sure that the firewall on this host is set to block the ports that the
CA is listening on.
3. On another unique host, attempt to install the Dogtag RA.
4. Proceed until the "SubjectNames" panel is shown.
5. Attempt to navigate to the next panel.

  
Actual results:

The user will be presented with a generic error message that will not point them
in the direction of firewall issues.

CA response: Authorization Error. Please also check previous related panels

Expected results:



We would like to see the user get a message that tells the user to take a look
at their firewall settings as a possible solution to this problem.

Additional info:

Also, we should put a firewall related warning near the beginning of the RA
install process. We have a perl script "pkicreate" that prints out some useful
information after the RA instance is created. We could easily add some firewall
related text to this display.
Comment 1 Jack Magne 2008-04-02 14:55:35 EDT
The following is a proposed patch designed to improve the error message
described above. It turns out that both the RA and TPS use similar installation
wizard code that can benefit from this fix:

 svn diff
Index: linux/setup/pki-setup.spec
===================================================================
--- linux/setup/pki-setup.spec  (revision 9)
+++ linux/setup/pki-setup.spec  (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.0.0
-%define base_release      1
+%define base_release      2
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -217,7 +217,10 @@
 ###############################################################################
 
 %changelog
+* Tue Apr  1 2008 Jack Magne <jmagne@redhat.com>  1.0.0-2
+- Fix for Bug# 440084 - Installation Error Messages Need Improvement.
 * Tue Feb 19 2008 PKI Team <pki-devel@redhat.com> 1.0.0-1
 - Initial open source version based upon proprietary
   Red Hat Certificate System (RHCS) 7.3.
 
+
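Review bot: The changelog entry added in this hunk is worded differently from the entries added for the same bug in pki-ra.spec and pki-tps.spec ("Bug# 440084 - Installation Error Messages Need Improvement" here, "bug#440084 - Subsystem Installation Error Message Needs Improvement" there), and the hunk also appends an empty line after the last changelog entry. Use one wording and one bug-reference style across the three spec files, and drop the trailing empty `+` line.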
Index: linux/ra/pki-ra.spec
===================================================================
--- linux/ra/pki-ra.spec        (revision 9)
+++ linux/ra/pki-ra.spec        (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.0.0
-%define base_release      1
+%define base_release      2
 %define base_group        System Environment/Daemons
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -264,6 +264,8 @@
 ###############################################################################
 
 %changelog
+* Tue Apr 1 2008 Jack Magne <jmagne@redhat.com> 1.0.0-2
+- Fix for bug#440084 - Subsystem Installation Error Message Needs Improvement.
 * Tue Feb 19 2008 PKI Team <pki-devel@redhat.com> 1.0.0-1
 - Initial open source version based upon proprietary
   Red Hat Certificate System (RHCS) 7.3.
Index: linux/tps/pki-tps.spec
===================================================================
--- linux/tps/pki-tps.spec      (revision 9)
+++ linux/tps/pki-tps.spec      (working copy)
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.0.0
-%define base_release      1
+%define base_release      2
 %define base_group        System Environment/Daemons
 %define base_vendor       Red Hat, Inc.
 %define base_license      LGPLv2 with exceptions
@@ -312,6 +312,8 @@
 ###############################################################################
 
 %changelog
+* Tue Apr 1 2008 Jack Magne <jmagne@redhat.com> 1.0.0-2
+- Fix for bug#440084 - Subsystem Installation Error Message Needs Improvement.
 * Tue Feb 19 2008 PKI Team <pki-devel@redhat.com> 1.0.0-1
 - Initial open source version based upon proprietary
   Red Hat Certificate System (RHCS) 7.3.
Index: base/setup/pkicreate
===================================================================
--- base/setup/pkicreate        (revision 9)
+++ base/setup/pkicreate        (working copy)
@@ -2922,6 +2922,12 @@
         . "console/config/login?pin=$random\n",
           "log" );
 
+    print( STDOUT
+          "Before proceeding with the configuration, make sure \n"
+        . "the firewall settings of this machine permit proper \n"
+        . "access to this subsystem. \n");
+
+
     # If it exists, close the log file
     close_logfile( $logfile );
 
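Review bot: The firewall reminder is written with a bare print to STDOUT, while the statement directly above it ends with a "log" argument, which suggests that message goes through a helper that also records it in the installation log. If that is the case, route the new text through the same helper so the reminder is still available in the log after the terminal output is gone. The wording "permit proper access to this subsystem" gives the user nothing to act on; naming the ports the new instance listens on would make it usable. The second empty `+` line is unnecessary.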
Index: base/ra/lib/perl/PKI/RA/NamePanel.pm
===================================================================
--- base/ra/lib/perl/PKI/RA/NamePanel.pm        (revision 9)
+++ base/ra/lib/perl/PKI/RA/NamePanel.pm        (working copy)
@@ -300,6 +300,10 @@
                 $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
                 $content = $1;
 
+                if ($content eq "") {
+                   $::symbol{errorString} = "CA returned no response. Please
check that the CA is available and also check the host's firewall settings.";
+                   return 0; 
+                }
 
                 my $parser = XML::Simple->new();
                 &PKI::RA::Wizard::debug_log("NamePanel: response content= " .
$content);
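Review bot: The new empty-response check tests `$content` after `$content = $1`, but the result of the regex match on the line above it is never checked. When the match fails, `$1` is not reset: it is either undefined, so `eq ""` compares an undefined value, or it still holds the capture from an earlier successful match, in which case this check is skipped and stale text is handed to the XML parser. In addition, `.*` without the `/s` modifier does not cross newlines, so a multi-line XMLResponse would be reported as "CA returned no response". Branch on the match itself, assigning `$1` only when it succeeds and setting the error string otherwise, and write the raw response to the debug log before returning so the failure can be diagnosed.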
@@ -308,7 +312,7 @@
                 if ($status ne "0") {
                     my $error = $response->{Error};
                     &PKI::RA::Wizard::debug_log("NamePanel: Error = $error");
-                    $::symbol{errorString} = "CA response: $error.  Please also
check previous related panels.";
+                    $::symbol{errorString} = "CA response: $error.  Please
check previous related panels." . " Please check that the CA is available and
also check the host's firewall settings";
                     return 0;
                 }
                 $cert = $response->{Requests}->{Request}->{b64};
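Review bot: The `$status ne "0"` branch is reached only after a response was received and parsed, yet the new message tells the user to check that the CA is available. If an unreachable CA can really surface here, the text should present the firewall as one possible cause rather than as the diagnosis, and the `$error` value should stay first so a genuine CA-side error is not buried. The replacement string also drops the final period, repeats "Please check" in two consecutive sentences, and is built by concatenating two literals for no reason; a single literal ending in a period would read better.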
Index: base/tps/lib/perl/PKI/TPS/NamePanel.pm
===================================================================
--- base/tps/lib/perl/PKI/TPS/NamePanel.pm      (revision 9)
+++ base/tps/lib/perl/PKI/TPS/NamePanel.pm      (working copy)
@@ -299,6 +299,10 @@
                 $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
                 $content = $1;
 
+                if ($content eq "") {
+                   $::symbol{errorString} = "CA returned no response. Please
check that the CA is available and also check the host's firewall settings.";
+                   return 0;
+                }
 
                 my $parser = XML::Simple->new();
                 &PKI::TPS::Wizard::debug_log("NamePanel: response content= " .
$content);
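Review bot: This check, including its message text, is a copy of the one added to PKI/RA/NamePanel.pm, so the two wizards will drift apart the next time either is edited. Since both modules build the same error for the same condition, move the message, or the whole response check, into code shared by the RA and TPS wizards. As in the RA module, `$content = $1` is assigned without testing whether the match on the preceding line succeeded, so the `eq ""` test can see an undefined or stale value.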
@@ -307,9 +311,10 @@
                 if ($status ne "0") {
                     my $error = $response->{Error};
                     &PKI::TPS::Wizard::debug_log("NamePanel: Error = $error");
-                    $::symbol{errorString} = "CA response: $error.  Please also
check previous related panels.";
+                    $::symbol{errorString} = "CA response: $error.  Please
check previous related panels." . " Please check that the CA is available and
also check the host's firewall settings.";
                     return 0;
                 }
+
                 $cert = $response->{Requests}->{Request}->{b64};
                 &PKI::TPS::Wizard::debug_log("NamePanel: new cert generated= "
. $cert);
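Review bot: The empty `+` line added before `$cert = $response->{Requests}->{Request}->{b64};` is an unrelated whitespace change and should be dropped from this fix. The message in this hunk ends with a period while the otherwise identical string added to PKI/RA/NamePanel.pm does not; make the two texts identical, ideally by defining the string once.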
Comment 2 Matthew Harmsen 2008-04-02 16:43:27 EDT
[comment #1] +mharmsen
-- NOTE:  Please update these three download packages for both 32-bit and
          64-bit downloads from pki.fedoraproject.org.
Comment 3 Jack Magne 2008-04-02 21:22:14 EDT
32 and 64 bit builds completed for the 3 packages. Final step is to install them
on the yum server.
Comment 4 Jack Magne 2008-04-04 15:30:07 EDT
The following new packages have been pushed:

32-bit RPMS:

pki-ra-1.0.0-2.fc8.noarch.rpm
pki-setup-1.0.0-2.fc8.noarch.rpm
pki-tps-1.0.0-2.fc8.i386.rpm

64-bit RPMS:

pki-ra-1.0.0-2.fc8.noarch.rpm
pki-setup-1.0.0-2.fc8.noarch.rpm
pki-tps-1.0.0-2.fc8.x86_64.rpm

SRPMS:

pki-setup-1.0.0-2.fc8.src.rpm
pki-ra-1.0.0-2.fc8.src.rpm      
pki-tps-1.0.0-2.fc8.src.rpm
Comment 5 Chandrasekar Kannan 2008-08-26 20:27:42 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+
Comment 6 Jenny Galipeau 2009-06-15 09:54:39 EDT
Error when CA is unreachable because of firewall or CA service stopped:

 Security Domain HTTPS Admin URL not found 

There is no mention of checking firewall in the error or in the /var/log/pki-ra/error_log
Comment 10 Jim Kinney 2010-09-27 16:44:00 EDT
The connection still fails on Fedora 12 with pki-ra 1.3 even with iptables turned off. The error message is updated to check for firewall issues. However this setup I am using is all on a single machine and all local->local connections are allowed. There is a single error found in the /var/log/pki-ra/error file:
[Mon Sep 27 15:27:45 2010] -e: Use of uninitialized value $host in string eq at /var/lib/pki-ra/lib/perl/PKI/RA/NamePanel.pm line 480.
Comment 11 Nathan Kinder 2012-06-06 17:20:52 EDT
This issue was fixed by adding a warning about firewall settings during install.  I don't think it's worth saying that a firewall might be the culprit any time we have a connection failure.

Closing this bug.
