Return the <Message> value cert-find failures from the CA

If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.

The new message will appear as:

$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)

vs the old generic message:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.

https://pagure.io/freeipa/issue/9369

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Rob Crittenden
2023-04-28 14:15:14 -04:00
committed by Florence Blanc-Renaud
parent abf1dc557e
commit 9e80616401

@@ -1838,12 +1838,26 @@ class ra(rabase.rabase, RestClient):
body=payload
)
parser = etree.XMLParser()
if status != 200:
# Try to parse out the returned error. If this fails then
# raise the generic certificate operations error.
try:
doc = etree.fromstring(data, parser)
msg = doc.xpath('//PKIException/Message')[0].text
msg = msg.split(':', 1)[0]
except etree.XMLSyntaxError as e:
self.raise_certificate_operation_error('find',
detail=status)
# Message, at least in the case of search failing, consists
# of "<message>: <java stack trace>". Use just the first
# bit.
self.raise_certificate_operation_error('find',
err_msg=msg,
detail=status)
logger.debug('%s.find(): response: %s', type(self).__name__, data)
parser = etree.XMLParser()
try:
doc = etree.fromstring(data, parser)
except etree.XMLSyntaxError as e:
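Review bot: the new error handling in the `if status != 200:` block only catches `etree.XMLSyntaxError`, so two plausible CA responses escape as unhandled exceptions instead of the generic error: a body that parses as XML but has no `//PKIException/Message` element makes `[0]` raise `IndexError`, and a `Message` element with no text makes `.text` return `None`, so `msg.split(':', 1)` raises `AttributeError`. Suggest widening the clause to `except (etree.XMLSyntaxError, IndexError, AttributeError):` (the bound `e` is unused and can be dropped) so both cases fall through to `self.raise_certificate_operation_error('find', detail=status)`. Also, the comment explaining the `"<message>: <java stack trace>"` shape sits after the `msg.split(':', 1)[0]` call it describes; moving it directly above the split would read more naturally. Minor: creating `parser = etree.XMLParser()` before the status check leaves the pre-existing `parser = etree.XMLParser()` below the debug log redundant.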