Bug 710372 - Not able to open the Manage Certificate from DS-console
Summary: Not able to open the Manage Certificate from DS-console
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Directory Console
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 717730 717738
Blocks: 434915
Reported: 2011-06-03 08:23 UTC by Amita Sharma
Modified: 2016-05-06 14:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-06 14:32:41 UTC
Target Upstream Version:
Embargoed:
rmeggins: needinfo+


Attachments
Error (88.93 KB, image/png)
2011-06-03 08:23 UTC, Amita Sharma
0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch (6.59 KB, patch)
2011-06-29 17:55 UTC, Rich Megginson
nkinder: review+
nhosoi: review+

Description Amita Sharma 2011-06-03 08:23:23 UTC
Created attachment 502755 [details]
Error

Description of problem:
Not able to open the Manage Certificate from DS-console

Steps to Reproduce:
1. Trying to open Manage Certificate from 389-console gives the error shown in the attachment.

Logs:
[root@testvm ~]# tail -f /var/log/dirsrv/slapd-testvm/errors
[03/Jun/2011:13:46:20 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting up
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5AppInit: fetched backend dbEnv (1216210)
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5DBOpen: opened 0 existing databases in /var/lib/dirsrv/slapd-testvm/changelogdb
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - agmtlist_config_init: found 0 replication agreements in DIT
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-testvm/changelogdb/c2c0f682-7ada11e0-9f92b85c-b3c05de4_4dde02460000000b0000.db4
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - cl5GetUpperBoundRUV: could not find DB object for replica
[03/Jun/2011:13:46:20 +051800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[03/Jun/2011:13:46:20 +051800] - Listening on All Interfaces port 636 for LDAPS requests
[03/Jun/2011:13:46:40 +051800] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-testvm/changelogdb/c2c0f682-7ada11e0-9f92b85c-b3c05de4_4dde02460000000b0000.db4
[03/Jun/2011:13:46:40 +051800] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
^C
[root@testvm ~]# tail -f /var/log/dirsrv/slapd-testvm/access
[03/Jun/2011:13:46:39 +051800] conn=10 fd=66 slot=66 SSL connection from 10.65.201.218 to 10.65.201.218
[03/Jun/2011:13:46:39 +051800] conn=9 op=2 UNBIND
[03/Jun/2011:13:46:39 +051800] conn=9 op=2 fd=68 closed - U1
[03/Jun/2011:13:46:39 +051800] conn=10 SSL 256-bit AES
[03/Jun/2011:13:46:40 +051800] conn=10 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jun/2011:13:46:40 +051800] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=directory manager"
[03/Jun/2011:13:46:40 +051800] conn=10 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:40 +051800] conn=10 op=1 RESULT err=0 tag=101 nentries=482 etime=0
[03/Jun/2011:13:46:40 +051800] conn=10 op=2 UNBIND
[03/Jun/2011:13:46:40 +051800] conn=10 op=2 fd=66 closed - U1

Comment 1 Rich Megginson 2011-06-03 14:11:40 UTC
Can you attach the /var/log/dirsrv/admin-serv/error from the errors log?

Comment 2 Amita Sharma 2011-06-03 17:26:26 UTC
yeah, Sure Rich,

Here it is :

[Fri Jun 03 13:42:35 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:42:35 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:42:38 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:44:29 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:44:54 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:45:33 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:46:26 2011] [notice] caught SIGTERM, shutting down
[Fri Jun 03 13:46:27 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]
[Fri Jun 03 13:46:28 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:46:28 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:46:29 2011] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Fri Jun 03 13:46:29 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]
[Fri Jun 03 13:46:29 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:46:29 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:46:39 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218

Comment 3 Rich Megginson 2011-06-03 17:36:46 UTC
Can you post the directory server access log from /var/log/dirsrv/slapd-testvm/access?  I'd like to see what is happening in the directory server from around the time of
[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to
search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server
Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for
LDAPConnection [testvm.pnq.redhat.com:389]
and
[Fri Jun 03 13:46:29 2011] [crit] populate_tasks_from_server(): Unable to
search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server
Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for
LDAPConnection [testvm.pnq.redhat.com:389]
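
Lining up the admin-serv [crit] timestamps with the Directory Server access log, as requested in comment 3, can be scripted. The following is an added example, not part of the bug report or the 389 project's code; the log lines are constructed samples in the formats quoted on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two log formats quoted in this bug (not the reporter's logs).
ADMIN_ERROR_LOG = """\
[Fri Jun 03 13:46:27 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-host,o=NetscapeRoot] for LDAPConnection [host.example.com:389]
"""
DS_ACCESS_LOG = """\
[03/Jun/2011:13:46:03 +051800] conn=1 op=92 RESULT err=32 tag=101 nentries=0 etime=1
[03/Jun/2011:13:46:27 +051800] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.10
[03/Jun/2011:13:46:28 +051800] conn=7 op=1 SRCH base="cn=admin-serv-host,o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:28 +051800] conn=7 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:29 +051800] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

ADMIN_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[(\w+)\] (.*)$")
# The UTC offset is not parsed: the logs on this page show a six-digit "+051800".
# Assumption: both files come from the same host in local time, so wall-clock values compare.
ACCESS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:[\d:]{8}) [+-]\d+\] (.*)$")
ERR_RE = re.compile(r"\bRESULT err=(\d+)")

def crit_events(admin_log):
    """Return (timestamp, message) for each [crit] line of the admin-serv error log."""
    hits = (ADMIN_RE.match(line) for line in admin_log.splitlines())
    return [(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(3))
            for m in hits if m and m.group(2) == "crit"]

def access_near(access_log, when, window_s=2):
    """Return access-log lines logged within window_s seconds of `when`."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and abs(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") - when) <= timedelta(seconds=window_s):
            hits.append(line)
    return hits

def correlate(admin_log, access_log, window_s=2):
    """For each [crit] event, list nearby access-log RESULT lines with a non-zero err=."""
    report = []
    for when, msg in crit_events(admin_log):
        failed = [ln for ln in access_near(access_log, when, window_s)
                  if (m := ERR_RE.search(ln)) and m.group(1) != "0"]
        report.append((when, msg, failed))
    return report

if __name__ == "__main__":
    for when, msg, failed in correlate(ADMIN_ERROR_LOG, DS_ACCESS_LOG):
        print(when, msg, *failed, sep="\n  ")
```
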

Comment 4 Amita Sharma 2011-06-03 17:54:16 UTC
[03/Jun/2011:13:46:00 +051800] conn=1 op=80 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=80 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=81 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=81 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=82 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=82 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=83 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=83 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=84 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=84 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=85 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=85 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=86 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=86 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=87 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=87 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=88 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=88 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=89 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=89 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=90 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:02 +051800] conn=1 op=90 RESULT err=32 tag=101 nentries=0 etime=1
[03/Jun/2011:13:46:02 +051800] conn=1 op=91 SRCH base="cn=replica,cn=dc\3Dtestnew\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:02 +051800] conn=1 op=91 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:02 +051800] conn=1 op=92 SRCH base="cn=replica,cn=dc\3Dtestnew\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:03 +051800] conn=1 op=92 RESULT err=32 tag=101 nentries=0 etime=1

Comment 5 Yi Zhang 2011-06-06 21:50:29 UTC
I tried and it opens fine for me. 

The place I tried is under "Tasks" tab in DS-console.
The build is on RHEL 6.1 32bit 

[i386.a yi@dhcp-118 /dstet/testcases/DS/6.0] rpm -qa | grep console
389-ds-console-1.2.5-1.el6.noarch
389-console-1.1.4-1.el6.noarch
idm-console-framework-1.1.7-1.el6.noarch
389-admin-console-1.1.7-1.el6.noarch
[i386.a yi@dhcp-118 /dstet/testcases/DS/6.0] rpm -qa | grep ds-base
389-ds-base-libs-1.2.8.2-1.el6.i686
389-ds-base-1.2.8.2-1.el6.i686

Comment 6 Rich Megginson 2011-06-07 03:00:00 UTC
Can we mark this as closed notabug?

Comment 9 Nathan Kinder 2011-06-23 15:24:00 UTC
Is this problem reproducible, or can it be closed?

Comment 10 Jenny Severance 2011-06-23 16:25:05 UTC
This can not be reproduced on the current release.  If it is found again,
please reopen with reproducible steps.

Comment 11 Rich Megginson 2011-06-29 17:55:15 UTC
Created attachment 510505 [details]
0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch

Comment 12 Noriko Hosoi 2011-06-29 18:09:03 UTC
Comment on attachment 510505 [details]
0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch

Looks good!
I'm just curious...  Originally, NSS_Shutdown failure was causing the problem.  It looks like SSL/NSS APIs are all terse and log nothing even if any of them fails...  Could it be possible to report something if something goes wrong?  Or not necessary?

Comment 13 Rich Megginson 2011-06-29 18:23:27 UTC
(In reply to comment #12)
> Comment on attachment 510505 [details]
> 0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch
> 
> Looks good!
> I'm just curious...  Originally, NSS_Shutdown failure was causing the problem. 
> It looks like SSL/NSS APIs are all terse and log nothing even if any of them
> fails...  Could it be possible to report something if something goes wrong? 
> Or not necessary?

Yes.  We should report a failure from NSS_Shutdown.  We don't even check the return value now.

Comment 14 Rich Megginson 2011-06-29 18:23:55 UTC
To ssh://git.fedorahosted.org/git/389/admin.git
   49799b2..814b7ec  master -> master
commit 814b7ecc9e245171a9abfcc17be8b9aa1f3fd047
Author: Rich Megginson <rmeggins>
Date:   Tue Jun 28 17:34:45 2011 -0600
    Reviewed by: nkinder (Thanks!)
    Branch: master
    Fix Description: NSS_Initialize fails to open the cert db for the specified
    directory server because NSS_Shutdown failed.  That failed because of a
    memory leak in openldap using moznss:
    http://www.openldap.org/its/index.cgi?findid=6980
    and
    https://bugzilla.redhat.com/show_bug.cgi?id=717730
    The workaround is to use a new NSS InitContext to open the key/cert db.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no

Comment 16 Amita Sharma 2011-07-07 07:24:09 UTC
For now I am following:

1. setenforce 1
2. Try to open the manage certificate console window
3. It is opening fine.

Hence marking bug as VERIFIED.

Comment 17 Anthony Messina 2011-08-14 18:27:15 UTC
This seems to have been resolved as per instructions in: bug #712491

