#3549 cert-find command does not work on upgraded IPA CAs
Closed: Fixed None Opened 11 years ago by mkosek.

The ipa cert-find command and the respective Certificates page in the Web UI do not work if the IPA CA server was upgraded from a Dogtag 9 solution to a Dogtag 10 solution. This can happen for example when IPA on Fedora 17 is upgraded to Fedora 18:

# ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

It seems that the pki-ca instance upgraded from version 9 to 10 does not have the REST API interface even when I target the right port, which is different from pure Dogtag 10:

# pki cert-find
RuntimeException: org.apache.http.conn.HttpHostConnectException: Connection to http://localhost:8080 refused
# pki -h `hostname` -p 9180 -v cert-find
Command: cert-find
Server URI: http://vm-022.idm.lab.bos.redhat.com:9180/ca
HTTP request: POST /ca/rest/certs/search HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 593
  Content-Type: application/xml
  Host: vm-022.idm.lab.bos.redhat.com:9180
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html
  Content-Length: 5723
  Date: Thu, 04 Apr 2013 07:26:31 GMT
org.jboss.resteasy.client.ClientResponseFailure: Error status 404 Not Found returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:38)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:120)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at sun.proxy.$Proxy26.searchCerts(Unknown Source)
    at com.netscape.certsrv.cert.CertClient.findCerts(CertClient.java:60)
    at com.netscape.cmstools.cert.CertFindCLI.execute(CertFindCLI.java:118)
    at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:96)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:307)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:330)

We should probably either provide a better error message or check if the instance can be upgraded to Dogtag 10 instance with the REST API (vakwetu may know more).

This issue was originally reported by amessina on the #freeipa channel.


Plan for dogtag is to not support this. It would require a lot of invasive changes, backporting servlets, etc.

What it will do is return a 501 which we will need to catch. We will need to say that cert-find does not work against a d9 server.
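An added example, not FreeIPA or Dogtag code, of the check described above: probe the REST search endpoint the pki CLI hit and turn a 404 (what the upgraded instance returns today) or the planned 501 into an explicit message that cert-find is not supported against a Dogtag 9 instance. The host, port and request body are assumptions.

```python
"""Detect whether a pki-ca instance exposes the Dogtag 10 REST API."""
import urllib.error
import urllib.request


class RestApiUnavailable(Exception):
    """The CA answered, but without a REST API (Dogtag 9 style instance)."""


# Endpoint from the ticket's trace; the request body is a constructed placeholder.
SEARCH_PATH = "/ca/rest/certs/search"
SEARCH_BODY = b"<CertSearchRequest/>"


def probe_rest_api(host, port, opener=urllib.request.urlopen):
    """Return True if the REST search endpoint answers, raise RestApiUnavailable if not.

    `opener` is injectable so the check can run offline: it receives a urllib
    Request and returns an object with a `.status` attribute (like urlopen).
    """
    url = "http://%s:%d%s" % (host, port, SEARCH_PATH)
    req = urllib.request.Request(url, data=SEARCH_BODY, method="POST",
                                 headers={"Accept": "application/xml",
                                          "Content-Type": "application/xml"})
    try:
        resp = opener(req)
    except urllib.error.HTTPError as e:
        # 404: servlet not deployed (the upgraded-from-9 instance in the ticket).
        # 501: the explicit "not implemented" answer Dogtag plans to return.
        if e.code in (404, 501):
            raise RestApiUnavailable(
                "cert-find is not supported: %s:%d has no REST API "
                "(Dogtag 9 instance, HTTP %d)" % (host, port, e.code))
        raise  # any other HTTP error is a real failure, not a version mismatch
    return 200 <= resp.status < 300


def cert_find_message(host, port, opener=urllib.request.urlopen):
    """Wrap the probe the way a CLI front end would: a readable line, no traceback."""
    try:
        probe_rest_api(host, port, opener)
    except RestApiUnavailable as e:
        return str(e)
    except urllib.error.URLError as e:
        # Connection refused, wrong port, etc. keep the generic CMS wording.
        return "Unable to communicate with CMS: %s" % e.reason
    return "REST API available; cert-find can proceed"
```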

The upgrade script in pki-ca-10.0.2-1 is broken. It is missing some imports, so it fails. The dogtag team is spinning up a new version.

The gist is:

NameError: global name 'BASE_DIR' is not defined

Fixed for me in pki-core-10.0.2-2.

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)

7 years ago
