- Bug
- Resolution: Unresolved
- rhel-8.9.0, CentOS Stream 8
- rhel-sst-idm-cs
- ssg_idm
- Red Hat Certificate System
What were you trying to do that didn't work?
Running ipa-healthcheck on a RHEL 8.9 server that is part of an IdM domain that has both RHEL 8 and RHEL 9 servers results in this error:
```
# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck --output-type=json --debug
[...]
stderr=
Calling check <pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck object at 0x7f8c87e8cf60>
[...]
About to check the subsystem clones
Starting new HTTPS connection (1): ipa3.example.com:443
https://ipa3.example.com:443 "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 431
Cert data successfully obtained from clone.
Starting new HTTPS connection (1): ipa5.example.com:443
https://ipa5.example.com:443 "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 431
Cert data successfully obtained from clone.
Starting new HTTPS connection (1): ipa6.example.com:443
https://ipa6.example.com:443 "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 317
Internal server error 'Link'
[...]
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "f672f185-6251-47e9-a772-8f9796a34986",
    "when": "20240312021736Z",
    "duration": "0.521790",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: ipa6.example.com Port: 443"
    }
  }
]
```
Please provide the package NVR for which bug is seen:
python3-idm-pki-10.14.3-1.module+el8.8.0+18059+6d4394a9.noarch
How reproducible:
Unknown, but I suspect this will happen whenever an IdM domain has both RHEL 8 and 9 servers.
Steps to reproduce
- Install RHEL 9 and IdM server with CA server role
- Join a RHEL 8 machine to the domain
- Add the RHEL 8 machine to ipaservers host group
- Run ipa-server-install on the RHEL 8 machine
- Install ipa-healthcheck
- Run ipa-healthcheck
Expected results
Health check should not return ClonesConnectivyAndDataCheck result
Actual results
As above
Analysis
I edited ClonesConnectivyAndDataCheck.check_ca_clones to call
logger.exception in its BaseException handler instead of just
logger.error. This logs the traceback of the original exception:
```
Internal server error 'Link'
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/healthcheck/clones/connectivity_and_data.py", line 35, in check_ca_clones
    certs = cert_client.list_certs(size=3)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 431, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 674, in list_certs
    return CertDataInfoCollection.from_json(response.json())
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 179, in from_json
    links = json_value['Link']
KeyError: 'Link'
```
I guess the newer version of Dogtag in RHEL 9 doesn't include this
Link attribute, but pki.cert:CertDataInfoCollection.from_json in RHEL
8 expects it to be present.
Analysis
Fix pki.cert:CertDataInfoCollection.from_json in RHEL 8 to handle the absence of the Link attribute in order to prevent this health check failure.
- duplicates RHEL-5068 In RHEL8, ipa-healthcheck outputs misleading "Internal server error 'Link'" when checking RHEL9 instance (New)
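The failure mode and the suggested fix from the analysis above, as an added sketch that is not the pki project's code: a parser that requires `Link` next to one that treats it as optional, plus a check wrapper that logs the traceback and names the exception type in its status. The payload shapes (including the `entries` key), the function names and the host names are assumptions made for illustration.

```python
import logging

logger = logging.getLogger("clone_check_example")

# Constructed payloads with assumed shapes, not captured from a real server.
OLDER_STYLE = {"total": 1, "entries": [{"id": "0x1"}],
               "Link": [{"rel": "self", "href": "https://ca.example.test/ca/rest/certs"}]}
NEWER_STYLE = {"total": 1, "entries": [{"id": "0x1"}]}  # no 'Link' key


def parse_strict(json_value):
    """Same pattern as the failing line in the traceback: 'Link' is mandatory."""
    entries = list(json_value["entries"])
    links = json_value["Link"]  # KeyError when the key is absent
    return entries, links


def parse_tolerant(json_value):
    """Treat 'Link' as optional; a missing or null value becomes an empty list."""
    entries = list(json_value.get("entries", []))
    links = json_value.get("Link") or []
    if not isinstance(links, list):  # defensive: accept a single link object
        links = [links]
    return entries, links


def check_clone(host, payload, parser):
    """Return (result, status) and keep the traceback of unexpected failures."""
    try:
        entries, _ = parser(payload)
    except Exception as exc:
        # logger.exception records the traceback. logger.error with only
        # str(exc) shows just the quoted key name for a KeyError, which is
        # how "Internal server error 'Link'" ends up in the output.
        logger.exception("Clone check failed for %s", host)
        return "ERROR", "client failed to parse response from %s: %s: %s" % (
            host, type(exc).__name__, exc)
    if not entries:
        return "ERROR", "no certificate data from %s" % host
    return "SUCCESS", "cert data obtained from %s" % host
```

With the strict parser the newer-style payload yields an `ERROR` whose status names `KeyError: 'Link'` as a client-side parse failure; with the tolerant parser the same payload yields `SUCCESS`.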