#9642 ipa-migrate - properly handle invalid certificates
Closed: fixed 6 months ago by rcritten. Opened 6 months ago by mreynolds.

Issue

ipa-migrate crashes with an invalid certificate. It should handle it gracefully.

# cat cert.crt 
----BEGIN CERTIFICATE----
MIIFazCCDQYJKoZIhvcNAQELBQAw
----END CERTIFICATE----

# ipa-migrate stage-mode master.rhel95.test -D 'cn=Directory Manager' -w Secret123 -x -n -Z cert.crt
Initializing ...
Connecting to local server ...
IPA to IPA migration starting ...
Traceback (most recent call last):
  File "/usr/sbin/ipa-migrate", line 10, in <module>
    ipa_migrate.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_migrate.py", line 2065, in run
    self.do_migration()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_migrate.py", line 1891, in do_migration
    self.connect_to_remote_ds()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_migrate.py", line 762, in connect_to_remote_ds
    ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 811, in __init__
    self._conn = self._connect()
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1224, in _connect
    conn = ldap_initialize(self.ldap_uri, cacertfile=self._cacert)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 138, in ldap_initialize
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 698, in set_option
    return self._ldap_call(self._l.set_option,option,invalue)
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
ValueError: option error
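
A pre-flight check of the kind the issue asks for, as an added example that is not FreeIPA's code and not the fix referenced in this ticket: it loads the `-Z` file with Python's standard `ssl` module before any LDAP connection is attempted and turns a load failure into a one-line error. The names `check_cacert`, `preflight` and `CACertError` are hypothetical, and the sample is constructed from the certificate quoted in the issue.

```python
import os
import ssl
import tempfile

# Constructed sample: the malformed certificate quoted in the issue.
SAMPLE_BAD_CERT = (
    "----BEGIN CERTIFICATE----\n"
    "MIIFazCCDQYJKoZIhvcNAQELBQAw\n"
    "----END CERTIFICATE----\n"
)


class CACertError(Exception):
    """Hypothetical error type carrying an operator-readable message."""


def check_cacert(path):
    """Return how many CA certificates OpenSSL loaded from the PEM file."""
    if not os.path.isfile(path):
        raise CACertError(f"{path} does not exist or is not a regular file")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty store
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        raise CACertError(f"cannot load CA certificate from {path}: {e}") from e
    loaded = ctx.cert_store_stats()["x509"]
    if loaded == 0:
        raise CACertError(f"no certificate found in {path}")
    return loaded


def preflight(path):
    """Map the check to (exit_code, message) so the CLI never shows a traceback."""
    try:
        count = check_cacert(path)
    except CACertError as e:
        return 1, f"error: {e}"
    return 0, f"loaded {count} CA certificate(s) from {path}"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "cert.crt")
        with open(bad, "w") as f:
            f.write(SAMPLE_BAD_CERT)
        print(preflight(bad))
```
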

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7465
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-50805, https://issues.redhat.com/browse/RHEL-50804

6 months ago

master:

  • 4d075fd ipa-migrate - properly handle invalid certificates

ipa-4-12:

  • 0e4fbc3 ipa-migrate - properly handle invalid certificates

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

master:

  • e818993 ipatests: ipa-migrate tool with -Z option (CACERTFILE)

ipa-4-12:

  • 8046023 ipatests: ipa-migrate tool with -Z option (CACERTFILE)
