[Pkg-freeipa-devel] Bug#997952: freeipa-server: IPA certificate API defaults to JSON when XML is expected

Jarl Gullberg jarl.gullberg at gmail.com
Wed Oct 27 16:33:04 BST 2021


Package: freeipa-server
Version: 4.9.7-1
Severity: normal
Tags: upstream patch
X-Debbugs-Cc: jarl.gullberg at gmail.com

When using "ipa cert-find" or accessing the certificate list via the Web UI,
the operation fails with the following error:

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS
  (Start tag expected, '<' not found, line 1, column 1)

This issue stems from Dogtag expecting XML output from IPA's REST API; however,
IPA now defaults to returning JSON bodies if the format is not explicitly
specified.

Upstream has fixed this bug, but it has not yet been released. Fedora 35 opted
to backport the patch, since it was a minor change with no other effects.

The patch is available at
https://patch-diff.githubusercontent.com/raw/freeipa/freeipa/pull/6014.patch, and needs
to be included in this release of FreeIPA as well. Without it, certificates can't
be properly managed by either the command-line tools or the Web UI, and it's likely
other operations will fail as well.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-server depends on:
ii  389-ds-base                     1.4.4.17-1
ii  acl                             2.3.1-1
ii  adduser                         3.118
ii  apache2                         2.4.51-2
ii  certmonger                      0.79.14+git20211010-2
ii  chrony                          4.1-4
ii  fonts-font-awesome              5.0.10+really4.7.0~dfsg-4.1
ii  fonts-open-sans                 1.11-1.1
ii  freeipa-client                  4.9.7-1
ii  freeipa-common                  4.9.7-1
ii  gssproxy                        0.8.4-2
ii  krb5-admin-server               1.18.3-7
ii  krb5-kdc                        1.18.3-7
ii  krb5-kdc-ldap                   1.18.3-7
ii  krb5-otp                        1.18.3-7
ii  krb5-pkinit                     1.18.3-7
ii  ldap-utils                      2.4.59+dfsg-1
ii  libapache2-mod-auth-gssapi      1.6.3-1
ii  libapache2-mod-lookup-identity  1.0.0-1
ii  libapache2-mod-wsgi-py3         4.7.1-3+b1
ii  libc6                           2.32-4
ii  libgssapi-krb5-2                1.18.3-7
ii  libjs-dojo-core                 1.15.4+dfsg1-1
ii  libjs-jquery                    3.5.1+dfsg+~3.5.5-8
ii  libjs-scriptaculous             1.9.0-2.1
ii  libk5crypto3                    1.18.3-7
ii  libkrad0                        1.18.3-7
ii  libkrb5-3                       1.18.3-7
ii  libldap-2.4-2                   2.4.59+dfsg-1
ii  libnss3-tools                   2:3.70-1
ii  libpopt0                        1.18-3
ii  libpwquality1                   1.4.4-1
ii  libsasl2-modules-gssapi-mit     2.1.27+dfsg-2.1
ii  libssl1.1                       1.1.1l-1
ii  libsss-certmap0                 2.5.2-4
ii  libsss-nss-idmap0               2.5.2-4
ii  libtalloc2                      2.3.1-2+b1
ii  libunistring2                   0.9.10-6
ii  libuuid1                        2.37.2-4
ii  libverto1                       0.3.1-1
ii  libwbclient0                    2:4.13.5+dfsg-2
ii  oddjob                          0.34.6-1
ii  p11-kit                         0.24.0-5
ii  pki-ca                          11.0.0-1
ii  pki-kra                         11.0.0-1
ii  python3                         3.9.2-3
ii  python3-dateutil                2.8.1-6
ii  python3-gssapi                  1.6.12-1
ii  python3-ipaserver               4.9.7-1
ii  python3-ldap                    3.2.0-4+b3
ii  python3-systemd                 234-3+b4
ii  samba-libs                      2:4.13.5+dfsg-2
ii  slapi-nis                       0.56.7-1
ii  ssl-cert                        1.1.0+nmu1
ii  sssd-dbus                       2.5.2-4
ii  systemd-sysv                    249.5-1

Versions of packages freeipa-server recommends:
ii  freeipa-server-dns  4.9.7-1

freeipa-server suggests no packages.

-- Configuration Files:
/etc/default/ipa-dnskeysyncd changed:
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf


-- no debconf information
From 46f6c8df3dba0c5bd15e93c8249f3464799e7596 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley at redhat.com>
Date: Fri, 10 Sep 2021 16:47:22 +0100
Subject: [PATCH] Make Dogtag return XML for ipa cert-find

Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley at redhat.com>
---
 ipaserver/plugins/dogtag.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index be2e4bb4e2a..b4feddfac19 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1832,7 +1832,8 @@ def convert_time(value):
             method='POST',
             headers={'Accept-Encoding': 'gzip, deflate',
                      'User-Agent': 'IPA',
-                     'Content-Type': 'application/xml'},
+                     'Content-Type': 'application/xml',
+                     'Accept': 'application/xml'},
             body=payload
         )
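Review bot: the added 'Accept': 'application/xml' pins the response format for this one POST, but the body is still handed to the XML parser without checking the response's Content-Type, so any future change in Dogtag's default would resurface the same opaque "Start tag expected, '<' not found" error; consider verifying that the response Content-Type is application/xml before parsing and raising a CertificateOperationError that names the media type actually received. It is also worth confirming that no other request in dogtag.py relies on the server's default format, since this hunk adds the header only at the request near line 1832.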
 


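The following is an added illustration, not code from the bug report, FreeIPA or Dogtag, of the failure mode the report and the patch describe: an XML-only client that omits the Accept header when talking to a REST endpoint that now defaults to JSON. It shows the two defensive steps such a client should take: send an explicit Accept header (the patch's fix) and check the response's Content-Type before parsing, so that a mismatch produces a diagnostic naming the media type received instead of a bare parser error. The simulated search endpoint, the certificate record and the XML element names are constructed for the example and are not Dogtag's API.

```python
"""Content negotiation guard for an XML client of a JSON-by-default REST API.
Added illustration only; the endpoint and data below are constructed."""
import json
import xml.etree.ElementTree as ET


def xml_request_headers():
    """Headers an XML client should send: Content-Type describes the request
    body, Accept states what we are willing to parse. Leaving Accept out lets
    a server that defaults to JSON choose for us (the bug's trigger)."""
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
    }


class UnexpectedMediaType(Exception):
    """The server answered in a media type the client did not ask for."""


def media_type(content_type):
    """Strip parameters such as ';charset=UTF-8' from a Content-Type value."""
    return content_type.split(";", 1)[0].strip().lower()


def is_xml_media_type(mt):
    """application/xml, text/xml and structured-suffix types like foo+xml."""
    return mt in ("application/xml", "text/xml") or mt.endswith("+xml")


def parse_xml_response(headers, body):
    """Parse body as XML only if the server declared an XML media type.

    headers: dict of response headers (looked up case-insensitively);
    body: bytes. Raises UnexpectedMediaType with a message that names the
    media type actually received and shows the start of the body."""
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    mt = media_type(ct)
    if not is_xml_media_type(mt):
        snippet = body[:40].decode("utf-8", "replace")
        raise UnexpectedMediaType(
            f"expected an XML response, server sent {mt or 'no Content-Type'}; "
            f"body starts with {snippet!r}")
    return ET.fromstring(body)


def simulated_cms_search(request_headers):
    """Constructed stand-in for a CA certificate search endpoint (not Dogtag).
    Honours an XML Accept header; otherwise answers JSON, mimicking the
    JSON-by-default behaviour the bug report describes."""
    # constructed sample result: a single certificate entry
    record = {"id": "0x1", "SubjectDN": "CN=example.test", "Status": "VALID"}
    accept = request_headers.get("Accept", "")
    if "application/xml" in accept:
        body = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<CertDataInfos><CertDataInfo id="{id}">'
                '<SubjectDN>{SubjectDN}</SubjectDN><Status>{Status}</Status>'
                '</CertDataInfo></CertDataInfos>').format(**record).encode()
        return {"Content-Type": "application/xml;charset=UTF-8"}, body
    body = json.dumps({"CertDataInfos": [record]}).encode()
    return {"Content-Type": "application/json"}, body


def find_cert_subjects(send_accept=True):
    """Run a search and return the subject DNs found. With send_accept=False
    the request reproduces the bug: JSON comes back and the guard rejects it
    with a clear message instead of an XML parser error."""
    hdrs = xml_request_headers()
    if not send_accept:
        del hdrs["Accept"]
    resp_headers, body = simulated_cms_search(hdrs)
    root = parse_xml_response(resp_headers, body)
    return [el.findtext("SubjectDN") for el in root.findall("CertDataInfo")]


def guard_message_without_accept():
    """Return the guard's diagnostic for a request that omits Accept,
    or None if (unexpectedly) the response parsed as XML."""
    try:
        find_cert_subjects(send_accept=False)
    except UnexpectedMediaType as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("with Accept:", find_cert_subjects())
    print("without Accept:", guard_message_without_accept())
```

The Content-Type check is deliberately independent of the Accept header: sending Accept is a request, not a guarantee, and a server that ignores it (or changes its default again) is caught at the response boundary with a message that points at the real cause.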