From b9b268e5ed497400b3525b0eec95e2ae4f039526 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: May 16 2023 15:34:26 +0000 Subject: Return the value cert-find failures from the CA If a cert-find fails on the CA side we get a Message tag containing a string describing the failure plus the java stack trace. Pull out the first part of the message as defined by the first colon and include that in the error message returned to the user. The new message will appear as: $ ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500) vs the old generic message: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) This can be reproduced by setting nssizelimit to 100 on the pkidbuser. The internal PKI search returns err=4 but the CA tries to convert all values into certificates and it fails. The value needs to be high enough that the CA can start but low enough that you don't have to create hundreds of certificates to demonstrate the issue. https://pagure.io/freeipa/issue/9369 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e9189f5..ff4d890 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1838,12 +1838,26 @@ class ra(rabase.rabase, RestClient):
 body=payload
 )
+ parser = etree.XMLParser()
 if status != 200:
+ # Try to parse out the returned error. If this fails then
+ # raise the generic certificate operations error.
+ try:
+ doc = etree.fromstring(data, parser)
+ msg = doc.xpath('//PKIException/Message')[0].text
+ msg = msg.split(':', 1)[0]
+ except etree.XMLSyntaxError as e:
+ self.raise_certificate_operation_error('find',
+ detail=status)
+
+ # Message, at least in the case of search failing, consists
+ # of ": ". Use just the first
+ # bit.
 self.raise_certificate_operation_error('find',
+ err_msg=msg,
 detail=status)
 logger.debug('%s.find(): response: %s', type(self).__name__, data)
- parser = etree.XMLParser()
 try:
 doc = etree.fromstring(data, parser)
 except etree.XMLSyntaxError as e:
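Review bot: The new except clause in the `status != 200` branch catches only `etree.XMLSyntaxError`, but `doc.xpath('//PKIException/Message')[0].text` raises `IndexError` on well-formed XML that has no Message element (a different PKI exception type, or a proxy error page served as XML), and `msg.split(':', 1)` raises `AttributeError` when the element is empty and `.text` is `None`; either case escapes as an unhandled traceback instead of the generic error the comment promises. Widening it to `except (etree.XMLSyntaxError, IndexError, AttributeError):` keeps the fallback for every malformed error body, and the unused `e` can be dropped at the same time. The fallback also only works because `raise_certificate_operation_error` presumably never returns — if it did, `msg` would be unbound at the second call — so a one-line comment stating that dependency would help the next reader. Since `err_msg` now carries CA-supplied text into the user-facing message, it is worth noting in the comment that splitting at the first colon is also what keeps the Java stack trace out of that message.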