ipa/0028-ipa-migrate-properly-handle-invalid-certificates.patch

From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 29 Jul 2024 09:58:30 -0400
Subject: [PATCH] ipa-migrate - properly handle invalid certificates

A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.

Fixes: https://pagure.io/freeipa/issue/9642

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/ipa_migrate.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -761,6 +761,12 @@ class IPAMigrate():
             try:
                 ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
                                      start_tls=True)
+            except ValueError:
+                # Most likely invalid certificate
+                self.handle_error(
+                    "Failed to connect to remote server: "
+                    "CA certificate is invalid"
+                )
             except (
                 ldap.LDAPError,
                 errors.NetworkError,
-- 
2.45.2
ipa-4.12.0-7 - Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them - Resolves: RHEL-52306 Unconditionally add MS-PAC to global config - Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync" - Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure - Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages - Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error' - Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w - Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-08-08 14:12:28 +00:00			`From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001`
			`From: Mark Reynolds <mreynolds@redhat.com>`
			`Date: Mon, 29 Jul 2024 09:58:30 -0400`
			`Subject: [PATCH] ipa-migrate - properly handle invalid certificates`

			`A ValueError is raised when an invalid certificate is used, so the tool`
			`should handle this properly and not produce a stack trace.`

			`Fixes: https://pagure.io/freeipa/issue/9642`

			`Signed-off-by: Mark Reynolds <mreynolds@redhat.com>`
			`Reviewed-By: Rob Crittenden <rcritten@redhat.com>`
			`---`
			`ipaserver/install/ipa_migrate.py \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py`
			`index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644`
			`--- a/ipaserver/install/ipa_migrate.py`
			`+++ b/ipaserver/install/ipa_migrate.py`
			`@@ -761,6 +761,12 @@ class IPAMigrate():`
			`try:`
			`ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,`
			`start_tls=True)`
			`+ except ValueError:`
			`+ # Most likely invalid certificate`
			`+ self.handle_error(`
			`+ "Failed to connect to remote server: "`
			`+ "CA certificate is invalid"`
			`+ )`
			`except (`
			`ldap.LDAPError,`
			`errors.NetworkError,`
			`--`
			`2.45.2`