- Bug
- Resolution: Unresolved
- None
- certsys-10.8
Description of problem:
pkispawn precheck log events for invalid pki_ds_secure_connection_ca_pem_file path
pkispawn precheck log improvement for the LDAPS test with the pki_ds_secure_connection_ca_pem_file path
A pkispawn precheck command fails as expected if the configuration has pki_ds_secure_connection_ca_pem_file pointing to a non-existent file, which is fine, but the error messages do not provide a hint about the actual error.
For example, a pkispawn configuration file has a typo in the LDAP self-signed cert file path:
pki_ds_secure_connection_ca_pem_file=/etc/dirsrv/slapd-ca1/ca.cert.sometypo
but the pkispawn verbose output does not mention anything about pki_ds_secure_connection_ca_pem_file pointing to an incorrect path; instead it tries to read a path that cannot exist yet, because the PKI instance has not been created:
/var/lib/pki/rhcs10-RSA-RootCA/conf/external_certs.conf
Test:
The default RHDS self-signed LDAP cert was added to the system's trust store:
trust anchor /etc/dirsrv/slapd-ca1/ca.crt
trust list | grep 389ds
label: ssca.389ds.example.com
so an LDAPS test works fine using ldapsearch:
ldapsearch -d 4 -o ldif-wrap=no -LLLxH ldaps://`hostname -f`:636 -D "cn=directory manager" -y ${somepwdfile} -s base -b "" vendorversion
ldap_build_search_req ATTRS: vendorversion
dn:
vendorversion: 389-Directory/1.4.3.39 B2025.086.1550
[root@test-vm23 ~]#
A pkispawn precheck command fails as expected if the configuration has pki_ds_secure_connection_ca_pem_file pointing to a non-existent file:
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/etc/dirsrv/slapd-ca1/ca.cert.sometypo
pki_ds_secure_connection_ca_nickname=DS temp CA certificate
I am not even sure why a pki_ds_secure_connection_ca_pem_file is needed if that issuer certificate is already trusted by the system's trust store.
pkispawn -s CA -v -f ${somepkispawnconfigfile} --precheck
...
Loading deployment configuration from ./config.pki.rhcs10-RSA-RootCA.rsa.1.step.txt.
WARNING: The 'pki_ds_hostname' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldap_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldaps_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_secure_connection' in [CA] has been deprecated. Use 'pki_ds_url' instead.
INFO: Loading instance type: pki-tomcatd
INFO: Loading instance: rhcs10-RSA-RootCA
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading external certs from /var/lib/pki/rhcs10-RSA-RootCA/conf/external_certs.conf
INFO: File does not exist: /var/lib/pki/rhcs10-RSA-RootCA/conf/external_certs.conf
INFO: Connecting to LDAP server at ldaps://test-vm23.testrealm.test:636
ERROR: Unable to access LDAP server: ldaps://test-vm23.testrealm.test:636
Traceback (most recent call last):
  File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 1039, in <module>
    main(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 585, in main
    check_ds()
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 751, in check_ds
    verify_ds_configuration()
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 58, in verify_ds_configuration
    deployer.ds_bind()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 2691, in ds_bind
    self.mdict['pki_ds_password'])
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 454, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 448, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN:
[root@test-vm23 ~]#
LDAP access log with a working LDAPS connection from ldapsearch:
[root@test-vm23 ~]# tail /var/log/dirsrv/slapd-ca1/access
[07/May/2025:21:34:55.833978846 -0400] conn=7 fd=64 slot=64 SSL connection from fe80::f816:3eff:fe86:3049%eth0 to fe80::f816:3eff:fe86:3049%eth0
[07/May/2025:21:34:55.851128615 -0400] conn=7 TLS1.3 128-bit AES-GCM
[07/May/2025:21:34:55.851195370 -0400] conn=7 op=0 BIND dn="cn=directory manager" method=128 version=3
[07/May/2025:21:34:55.851307410 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.012467396 optime=0.000133550 etime=0.012599083 dn="cn=directory manager"
[07/May/2025:21:34:55.851487548 -0400] conn=7 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorVersion"
[07/May/2025:21:34:55.851976445 -0400] conn=7 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000113223 optime=0.000496391 etime=0.000608932
[07/May/2025:21:34:55.852084458 -0400] conn=7 op=2 UNBIND
[07/May/2025:21:34:55.852091461 -0400] conn=7 op=2 fd=64 closed error - U1
and a non-working (failed) one from pkispawn:
[07/May/2025:21:35:14.827012363 -0400] conn=8 fd=64 slot=64 SSL connection from fe80::f816:3eff:fe86:3049%eth0 to fe80::f816:3eff:fe86:3049%eth0
[07/May/2025:21:35:14.828860811 -0400] conn=8 op=-1 fd=64 closed error - Encountered end of file.
[root@test-vm23 ~]#
And pkispawn precheck passes if pki_ds_secure_connection_ca_pem_file exists:
pkispawn -s CA -v -f ${somepkispawnconfigfile} --precheck
Loading deployment configuration from ./config.pki.rhcs10-RSA-RootCA.rsa.1.step.txt.
WARNING: The 'pki_ds_hostname' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldap_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldaps_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_secure_connection' in [CA] has been deprecated. Use 'pki_ds_url' instead.
INFO: Loading instance type: pki-tomcatd
INFO: Loading instance: rhcs10-RSA-RootCA
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading external certs from /var/lib/pki/rhcs10-RSA-RootCA/conf/external_certs.conf
INFO: File does not exist: /var/lib/pki/rhcs10-RSA-RootCA/conf/external_certs.conf
INFO: Connecting to LDAP server at ldaps://test-vm23.testrealm.test:636
INFO: Connecting to LDAP server at ldaps://test-vm23.testrealm.test:636
pre-checks completed successfully.
[root@test-vm23 ~]#
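The gap the report describes is one of ordering: the file named by pki_ds_secure_connection_ca_pem_file is never validated on its own, so the first visible symptom is a bare ldap.SERVER_DOWN after the TLS handshake has already failed. The following is an added example, not pkispawn's code and not part of this report, showing how a precheck can validate that path (existence, readability, PEM structure, loadability as a trust anchor) and name both the parameter and the path in its message before any LDAPS connection is attempted. The parameter names are the real pkispawn keys used above; the function names, the stage labels and the injected connect callable are assumptions made for the example.

```python
"""Added example (not pkispawn's own code): validate the CA PEM path before
any LDAPS attempt, so a precheck reports the real mistake.

pki_ds_secure_connection_ca_pem_file, pki_ds_secure_connection and pki_ds_url
are the real pkispawn parameter names from the report; check_ca_pem_file,
precheck_ds and the stage names are this example's own inventions.
"""
import base64
import os
import ssl

PARAM = "pki_ds_secure_connection_ca_pem_file"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _pem_cert_bodies(text):
    """Return the base64 body of every CERTIFICATE block found in text."""
    bodies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current = []
        elif line == PEM_END and current is not None:
            bodies.append("".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return bodies


def check_ca_pem_file(path):
    """Return (stage, ok, message) for the configured CA PEM file.

    stage names the first check that failed ("exists", "readable", "pem",
    "x509") or is "ok". Every message carries the parameter name and the
    path, which is exactly what the report's traceback lacks.
    """
    if not path:
        return "exists", False, f"{PARAM} is not set"
    if not os.path.isfile(path):
        return "exists", False, f"{PARAM} points to a missing file: {path}"
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return "readable", False, f"{PARAM} cannot be read: {path} ({exc.strerror})"
    bodies = _pem_cert_bodies(text)
    if not bodies:
        return "pem", False, f"{PARAM} contains no PEM CERTIFICATE block: {path}"
    for body in bodies:
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        # A DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            return "pem", False, f"{PARAM} has a malformed certificate body: {path}"
    # Final gate: ask the TLS library itself to accept the file as trust
    # anchors, which is what a later LDAPS client would have to do anyway.
    # A bare client context is used so only this file is consulted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        reason = getattr(exc, "reason", None) or str(exc)
        return "x509", False, f"{PARAM} is not a loadable X.509 CA file: {path} ({reason})"
    return "ok", True, f"{PARAM} loaded {len(bodies)} certificate(s) from {path}"


def precheck_ds(config, connect):
    """Order the DS precheck so the CA file is validated before connecting.

    config is a dict of pkispawn-style keys with string values. connect is
    the caller's LDAPS bind routine, injected so this example stays offline;
    it runs only after the CA file check has passed. Returns an ERROR log
    line on failure, or whatever connect() returns on success.
    """
    url = config.get("pki_ds_url", "")
    secure = config.get("pki_ds_secure_connection") == "True" or url.startswith("ldaps://")
    if secure:
        stage, ok, msg = check_ca_pem_file(config.get(PARAM))
        if not ok:
            return f"ERROR: {msg} (precheck stage: {stage})"
    return connect(config)
```

With the report's typo path, check_ca_pem_file returns the "exists" stage and a message that names pki_ds_secure_connection_ca_pem_file and /etc/dirsrv/slapd-ca1/ca.cert.sometypo, and precheck_ds returns that line without ever calling the connect routine; the ldap.SERVER_DOWN traceback and the "Encountered end of file" access-log entry can then only come from a genuine connectivity or trust problem rather than from a misspelled path.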