Raise an exception if the certificate chain is not returned from the CA

ipalib/errors.py

@@ -965,6 +965,22 @@ class Base64DecodeError(ExecutionError):
     errno = 4015
     format = _('Base64 decoding failed: %(reason)s')
 
+class RemoteRetrieveError(ExecutionError):
+    """
+    **4016** Raised when retrieving data from a remote server fails
+
+    For example:
+
+    >>> raise RemoteRetrieveError(reason="Error: Failed to get certificate chain.")
+    Traceback (most recent call last):
+      ...
+    RemoteRetrieveError: Error: Failed to get certificate chain.
+
+    """
+
+    errno = 4016
+    format = _('%(reason)s')
+
 class BuiltinError(ExecutionError):
     """
     **4100** Base class for builtin execution errors (*4100 - 4199*).

ipapython/dogtag.py

@@ -17,7 +17,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
-from ipalib import api
+from ipalib import api, errors
 import httplib
 import xml.dom.minidom
 
@@ -31,11 +31,20 @@ def get_ca_certchain():
     res = conn.getresponse()
     if res.status == 200:
         data = res.read()
-
-        doc = xml.dom.minidom.parseString(data)
-        item_node = doc.getElementsByTagName("ChainBase64")
-        chain = item_node[0].childNodes[0].data
-        doc.unlink()
         conn.close()
+        try:
+            doc = xml.dom.minidom.parseString(data)
+            try:
+                item_node = doc.getElementsByTagName("ChainBase64")
+                chain = item_node[0].childNodes[0].data
+            except IndexError:
+                try:
+                    item_node = doc.getElementsByTagName("Error")
+                    reason = item_node[0].childNodes[0].data
+                    raise errors.RemoteRetrieveError(reason=reason)
+                except:
+                    raise errors.RemoteRetrieveError(reason="Retrieving CA cert chain failed")
+        finally:
+            doc.unlink()
 
     return chain