#4043 SSL error in admin tool not handled well
Closed: Invalid None Opened 8 years ago by rcritten.

This is on RHEL 6.4 with ipa 3.0.0.

Any random command, I'm doing a cert-show here:

# ipa cert-show 1
ipa: ERROR: cert validation failed for "CN=pacer.greyoak.com,O=GREYOAK.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: non-public: AttributeError: KerbTransport instance has no attribute '_conn'
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 519, in forward
    return super(cert_show, self).forward(*keys, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
    self.close()
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
    self._conn.close()
AttributeError: KerbTransport instance has no attribute '_conn'
ipa: ERROR: an internal error has occurred

We've seen this in the past, trying to close a connection that isn't there. There may already be a ticket on it. I opened this since it is such an easy reproducer. Just set the time past when the CA expires.
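The failure mode in the traceback above, as an added sketch that is not part of the ticket and is not FreeIPA code: cleanup that assumes `_conn` exists replaces the certificate error with an `AttributeError`. The class names, `failing_connect` and the placement of `close()` in an exception handler are assumptions made for illustration; only `_conn`, `request` and `close` come from the traceback.

```python
class CertValidationError(Exception):
    """Constructed stand-in for the SEC_ERROR_EXPIRED_CERTIFICATE failure."""


def failing_connect():
    # Constructed: simulates a TLS handshake that rejects an expired peer cert.
    raise CertValidationError("Peer's Certificate has expired.")


class FragileTransport:
    """close() assumes a previous connect succeeded and set _conn."""

    def request(self, connect):
        try:
            self._conn = connect()      # raises, so _conn is never assigned
            return self._conn.send()
        except CertValidationError:
            self.close()                # AttributeError replaces the TLS error
            raise

    def close(self):
        self._conn.close()


class GuardedTransport:
    """_conn always exists; close() is a no-op when nothing was opened."""

    def __init__(self):
        self._conn = None

    def request(self, connect):
        try:
            self._conn = connect()
            return self._conn.send()
        except CertValidationError:
            self.close()                # safe: nothing to close
            raise                       # caller sees the certificate error

    def close(self):
        conn, self._conn = self._conn, None
        if conn is not None:
            conn.close()


def error_seen_by_caller(transport):
    """Return the name of the exception type that reaches the caller."""
    try:
        transport.request(failing_connect)
    except Exception as exc:
        return type(exc).__name__
    return None
```

With the guarded form the operator is told about the expired certificate instead of an internal error.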


We think that this is already fixed.

Moving stabilization tickets that do not affect FreeIPA 4.0 release usability in any significant way to 4.0.1 stabilization milestone.

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

Works for me on IPA 4 master:

ipa cert-show 1
ipa: ERROR: cert validation failed for "CN=example.com,O=EXAMPLE.REDHAT.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://example.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

Won't fix for 3.x

It is a wontfix - no clone.

Metadata Update from @rcritten:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0.2

5 years ago
