#9369 Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError
Closed: fixed 2 years ago by rcritten. Opened 2 years ago by rcritten.

Issue

cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2164348

When a user runs ipa cert-find, the operation triggers a search in PKI (through an HTTP POST to ca/rest/certs/search?size=2147483647). PKI performs an LDAP search with VLV that can return err=4 (sizelimit exceeded) but does not properly handle this case.

When LDAP returns err=4, PKI tries to decode the result as a LDAPEntry even though it received a netscape.ldap.LDAPException. This triggers the following error in ca/debug logs:
2023-02-02 11:34:30 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:482)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:617)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:609)
at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:763)
at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:142)
at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:503)

The data returned to the POST operation (i.e. received by IPA) is then the following:
    status, _, data = dogtag.https_request(...)

    status = 500
    data = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PKIException><Attributes/><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry</Message></PKIException>'

IPA checks the status and, if != 200, raises an Exception with the information from the status only:
    if status != 200:
        self.raise_certificate_operation_error('find',
                                               detail=status)

IPA could parse the output from the data field and include this information in the exception, calling instead self.raise_certificate_operation_error('find', err_msg=<to be filled>, detail=status).
The err_msg would then be logged instead of "Unable to communicate with CMS", which is not specific enough.

But IMO PKI should fix the Exception on its side and return a clean error message that can be easily understood by the user.

Steps to Reproduce

  1. ldapmodify -D cn=directory\ manager -w Secret123
    dn: uid=pkidbuser,ou=people,o=ipaca
    changetype: modify
    add: nssizelimit
    nssizelimit: 100
  2. ipactl restart (restarting PKI is needed to re-establish a new connection between PKI and 389-ds and take the new sizelimit for uid=pkidbuser into account)
  3. ipa cert-find (if there are < 100 certificates, it should succeed)
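The parsing step proposed above, as an added example that is not FreeIPA's or Dogtag's own code: given the status and body returned by the CA for a failed cert search, pull the <Message> text out of the PKIException XML and surface it instead of the generic "Unable to communicate with CMS". The sample body is the one quoted in the issue (constructed here as bytes); the function names and the stand-in CertificateOperationError class are assumptions, not IPA's actual implementation. The helper deliberately returns None for an empty body, a non-XML body (e.g. an HTML error page from httpd), a foreign XML root, or a PKIException without a <Message>, so the caller can always fall back to the status code alone.

```python
"""Extract the <Message> from a PKIException body returned by the Dogtag CA.

Added example, not FreeIPA's code. The CertificateOperationError class and
the function names are hypothetical stand-ins for the IPA plumbing the issue
refers to (self.raise_certificate_operation_error).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the 500 body quoted in the issue, as the CA sends it.
SAMPLE_500_BODY = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<PKIException><Attributes/>'
    b'<ClassName>com.netscape.certsrv.base.PKIException</ClassName>'
    b'<Code>500</Code>'
    b'<Message>Unable to search for certificates: java.lang.ClassCastException: '
    b'netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry'
    b'</Message></PKIException>'
)


class CertificateOperationError(Exception):
    """Hypothetical stand-in for IPA's CertificateOperationError."""

    def __init__(self, operation, err_msg=None, detail=None):
        self.operation = operation
        self.err_msg = err_msg
        self.detail = detail
        # Without a CA message, fall back to the generic text IPA logs today.
        text = err_msg or "Unable to communicate with CMS"
        super().__init__(
            "Certificate operation cannot be completed: %s (%s)" % (text, detail))


def cms_error_message(data, max_len=1024):
    """Return the <Message> text of a PKIException body, or None.

    None is returned for an empty body, a body that is not well-formed XML
    (e.g. an HTML error page from httpd), an XML root other than
    PKIException, or a PKIException with no usable <Message>. The body comes
    from the CA over the authenticated TLS channel IPA already uses; if it
    were untrusted input, parse it with defusedxml instead of ElementTree.
    The text is whitespace-normalised and truncated because it is destined
    for logs and for the user's terminal.
    """
    if not data:
        return None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if root.tag != "PKIException":
        return None
    msg = root.findtext("Message")
    if not msg or not msg.strip():
        return None
    return " ".join(msg.split())[:max_len]


def check_search_response(status, data):
    """Raise with the CA's own message when a cert search did not return 200.

    Mirrors the shape of the existing IPA check in the issue, but passes the
    parsed <Message> as err_msg alongside the status in detail.
    """
    if status != 200:
        raise CertificateOperationError(
            "find", err_msg=cms_error_message(data), detail=status)


if __name__ == "__main__":
    try:
        check_search_response(500, SAMPLE_500_BODY)
    except CertificateOperationError as exc:
        print(exc)
```

Run stand-alone, the script prints the CA's ClassCastException text together with the 500 status; a body that cannot be parsed degrades to the old "Unable to communicate with CMS (500)" message rather than raising from inside the error path.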

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2164348

2 years ago

It isn't practical to write an integration test for this because we'd have to create 90-ish certificates just for this one test.

The nssizelimit value is used for all searches in PKI. Startup will fail if it is set below 100 because it needs to load all the certificate profiles (for one).

We certainly could automate this using certmonger to just re-create the same cert over and over; it just seems like overkill to validate a message.

master:

  • 9e80616 Return the <Message> value cert-find failures from the CA

ipa-4-9:

  • b9b268e Return the <Message> value cert-find failures from the CA

ipa-4-10:

  • 81a6b9a Return the <Message> value cert-find failures from the CA

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
