Package: freeipa-server
Version: 4.9.7-1
Severity: normal
Tags: upstream patch
X-Debbugs-Cc: jarl.gullb...@gmail.com

When using "ipa cert-find" or accessing the certificate list via the Web UI, the operation fails with the following error:

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

This issue stems from Dogtag expecting XML output from IPA's REST API; however, IPA now defaults to returning JSON bodies if the format is not explicitly specified.

Upstream has fixed this bug, but it has not yet been released. Fedora 35 opted to backport the patch, since it was a minor change with no other effects.

The patch is available at https://patch-diff.githubusercontent.com/raw/freeipa/freeipa/pull/6014.patch, and needs to be included in this release of FreeIPA as well. Without it, certificates can't be properly managed by either the command-line tools or the Web UI, and it's likely other operations will fail as well.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-server depends on:
ii  389-ds-base                     1.4.4.17-1
ii  acl                             2.3.1-1
ii  adduser                         3.118
ii  apache2                         2.4.51-2
ii  certmonger                      0.79.14+git20211010-2
ii  chrony                          4.1-4
ii  fonts-font-awesome              5.0.10+really4.7.0~dfsg-4.1
ii  fonts-open-sans                 1.11-1.1
ii  freeipa-client                  4.9.7-1
ii  freeipa-common                  4.9.7-1
ii  gssproxy                        0.8.4-2
ii  krb5-admin-server               1.18.3-7
ii  krb5-kdc                        1.18.3-7
ii  krb5-kdc-ldap                   1.18.3-7
ii  krb5-otp                        1.18.3-7
ii  krb5-pkinit                     1.18.3-7
ii  ldap-utils                      2.4.59+dfsg-1
ii  libapache2-mod-auth-gssapi      1.6.3-1
ii  libapache2-mod-lookup-identity  1.0.0-1
ii  libapache2-mod-wsgi-py3         4.7.1-3+b1
ii  libc6                           2.32-4
ii  libgssapi-krb5-2                1.18.3-7
ii  libjs-dojo-core                 1.15.4+dfsg1-1
ii  libjs-jquery                    3.5.1+dfsg+~3.5.5-8
ii  libjs-scriptaculous             1.9.0-2.1
ii  libk5crypto3                    1.18.3-7
ii  libkrad0                        1.18.3-7
ii  libkrb5-3                       1.18.3-7
ii  libldap-2.4-2                   2.4.59+dfsg-1
ii  libnss3-tools                   2:3.70-1
ii  libpopt0                        1.18-3
ii  libpwquality1                   1.4.4-1
ii  libsasl2-modules-gssapi-mit     2.1.27+dfsg-2.1
ii  libssl1.1                       1.1.1l-1
ii  libsss-certmap0                 2.5.2-4
ii  libsss-nss-idmap0               2.5.2-4
ii  libtalloc2                      2.3.1-2+b1
ii  libunistring2                   0.9.10-6
ii  libuuid1                        2.37.2-4
ii  libverto1                       0.3.1-1
ii  libwbclient0                    2:4.13.5+dfsg-2
ii  oddjob                          0.34.6-1
ii  p11-kit                         0.24.0-5
ii  pki-ca                          11.0.0-1
ii  pki-kra                         11.0.0-1
ii  python3                         3.9.2-3
ii  python3-dateutil                2.8.1-6
ii  python3-gssapi                  1.6.12-1
ii  python3-ipaserver               4.9.7-1
ii  python3-ldap                    3.2.0-4+b3
ii  python3-systemd                 234-3+b4
ii  samba-libs                      2:4.13.5+dfsg-2
ii  slapi-nis                       0.56.7-1
ii  ssl-cert                        1.1.0+nmu1
ii  sssd-dbus                       2.5.2-4
ii  systemd-sysv                    249.5-1

Versions of packages freeipa-server recommends:
ii  freeipa-server-dns  4.9.7-1

freeipa-server suggests no packages.

-- Configuration Files:
/etc/default/ipa-dnskeysyncd changed:
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

-- no debconf information

>From 46f6c8df3dba0c5bd15e93c8249f3464799e7596 Mon Sep 17 00:00:00 2001 From: Chris Kelley <ckel...@redhat.com> Date: Fri, 10 Sep 2021 16:47:22 +0100 Subject: [PATCH] Make Dogtag return XML for ipa cert-find Using JSON by default within Dogtag appears to cause ipa cert-find to return JSON, when the request was made with XML. We can request that XML is returned as before by specifying so in the request header. Fixes: https://pagure.io/freeipa/issue/8980 Signed-off-by: Chris Kelley <ckel...@redhat.com> --- ipaserver/plugins/dogtag.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index be2e4bb4e2a..b4feddfac19 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1832,7 +1832,8 @@ def convert_time(value): method='POST', headers={'Accept-Encoding': 'gzip, deflate', 'User-Agent': 'IPA', - 'Content-Type': 'application/xml'}, + 'Content-Type': 'application/xml', + 'Accept': 'application/xml'}, body=payload )
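
Review bot: the added 'Accept': 'application/xml' entry in the headers dict of this POST carries no comment saying that the reply is parsed as XML and that the server may otherwise answer in JSON, so a later cleanup could drop it again; a one-line comment above the dict would record that. The diffstat shows this is the only request changed (2 insertions, 1 deletion in ipaserver/plugins/dogtag.py), so it is worth checking whether other requests in the file that send 'Content-Type': 'application/xml' also parse an XML reply and need the same header. The caller would also be easier to debug if it checked the response Content-Type before parsing, so that a format mismatch is reported as such instead of as the parser error quoted in the report ("Start tag expected, '<' not found").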
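
The failure described in the report, reproduced as an added example (not code from FreeIPA, Dogtag or the patch): a constructed local server that answers JSON unless the request carries `Accept: application/xml`, and a client that checks the response Content-Type before parsing. The handler class, the `/search` path, the XML element names and all function names are assumptions made for the illustration.

```python
import http.client
import json
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

class JsonByDefault(BaseHTTPRequestHandler):
    """Constructed stand-in for a REST service that answers JSON unless asked for XML."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if "application/xml" in self.headers.get("Accept", ""):
            ctype, body = "application/xml", b"<results><total>0</total></results>"
        else:
            ctype, body = "application/json", json.dumps({"total": 0}).encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def post_search(port, accept=None):
    headers = {"User-Agent": "IPA", "Content-Type": "application/xml"}
    if accept:  # without this the request only states what it sends, not what it wants back
        headers["Accept"] = accept
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("POST", "/search", body=b"<search/>", headers=headers)
        resp = conn.getresponse()
        return resp.headers.get_content_type(), resp.read()
    finally:
        conn.close()

def parse_total(ctype, body):
    if ctype != "application/xml":  # never hand a non-XML body to the XML parser
        raise ValueError(f"expected application/xml, got {ctype}")
    return ET.fromstring(body).findtext("total")

def demo():
    server = HTTPServer(("127.0.0.1", 0), JsonByDefault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with_accept = post_search(server.server_port, accept="application/xml")
        without = post_search(server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return with_accept, without
```

`demo()` returns the `(content_type, body)` pair for each request; passing the second pair to `parse_total` raises a `ValueError` that names the mismatch, where an unchecked `ET.fromstring` would raise a bare parse error.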