From 4d075fdd2aa55730dd54bb46eb3477c06eea626e Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Jul 31 2024 16:13:53 +0000
Subject: ipa-migrate - properly handle invalid certificates

A ValueError is raised when an invalid certificate is used, so the tool should handle this properly and not produce a stack trace.

Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds
Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 20f59f8..e219374 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -761,6 +761,12 @@ class IPAMigrate():
 try:
 ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
 start_tls=True)
+ except ValueError:
+ # Most likely invalid certificate
+ self.handle_error(
+ "Failed to connect to remote server: "
+ "CA certificate is invalid"
+ )
 except (
 ldap.LDAPError,
 errors.NetworkError,
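Review bot: The new `except ValueError:` clause around `LDAPClient(...)` discards the exception and always reports "CA certificate is invalid", although its own comment says that cause is only "most likely"; a ValueError raised for any other reason while the client is constructed would be reported as a certificate problem. Binding the exception and keeping its text, together with the file that was used, keeps the failure diagnosable without the stack trace, e.g. `except ValueError as e:` with `f"CA certificate {self.args.cacertfile} is invalid: {e}"` as the second message fragment. This file is the TLS trust anchor for the remote server, so a misleading message can lead an operator to relax verification instead of fixing the file. The enclosing method and the following `except (` tuple continue outside the hunk, so it cannot be confirmed from here whether `handle_error` exits; if it returns, `ds_conn` is unbound afterwards.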