Your message dated Wed, 17 Nov 2021 14:35:01 +0000
with message-id <[email protected]>
and subject line Bug#997952: fixed in freeipa 4.9.7-2
has caused the Debian Bug report #997952,
regarding freeipa-server: IPA certificate API defaults to JSON when XML is 
expected
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
997952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freeipa-server
Version: 4.9.7-1
Severity: normal
Tags: upstream patch
X-Debbugs-Cc: [email protected]

When using "ipa cert-find" or accessing the certificate list via the Web UI,
the operation fails with the following error:

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS
  (Start tag expected, '<' not found, line 1, column 1)

This issue stems from Dogtag expecting XML output from IPA's REST API, however,
IPA now defaults to returning JSON bodies if the format is not explicitly 
specified.

Upstream has fixed this bug, but it has not yet been released. Fedora 35 opted
to backport the patch, since it was a minor change with no other effects.

The patch is available at 
https://patch-diff.githubusercontent.com/raw/freeipa/freeipa/pull/6014.patch, 
and needs
to be included in this release of FreeIPA as well. Without it, certificates 
can't
be properly managed by either the command-line tools or the Web UI, and it's 
likely
other operations will fail as well.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-server depends on:
ii  389-ds-base                     1.4.4.17-1
ii  acl                             2.3.1-1
ii  adduser                         3.118
ii  apache2                         2.4.51-2
ii  certmonger                      0.79.14+git20211010-2
ii  chrony                          4.1-4
ii  fonts-font-awesome              5.0.10+really4.7.0~dfsg-4.1
ii  fonts-open-sans                 1.11-1.1
ii  freeipa-client                  4.9.7-1
ii  freeipa-common                  4.9.7-1
ii  gssproxy                        0.8.4-2
ii  krb5-admin-server               1.18.3-7
ii  krb5-kdc                        1.18.3-7
ii  krb5-kdc-ldap                   1.18.3-7
ii  krb5-otp                        1.18.3-7
ii  krb5-pkinit                     1.18.3-7
ii  ldap-utils                      2.4.59+dfsg-1
ii  libapache2-mod-auth-gssapi      1.6.3-1
ii  libapache2-mod-lookup-identity  1.0.0-1
ii  libapache2-mod-wsgi-py3         4.7.1-3+b1
ii  libc6                           2.32-4
ii  libgssapi-krb5-2                1.18.3-7
ii  libjs-dojo-core                 1.15.4+dfsg1-1
ii  libjs-jquery                    3.5.1+dfsg+~3.5.5-8
ii  libjs-scriptaculous             1.9.0-2.1
ii  libk5crypto3                    1.18.3-7
ii  libkrad0                        1.18.3-7
ii  libkrb5-3                       1.18.3-7
ii  libldap-2.4-2                   2.4.59+dfsg-1
ii  libnss3-tools                   2:3.70-1
ii  libpopt0                        1.18-3
ii  libpwquality1                   1.4.4-1
ii  libsasl2-modules-gssapi-mit     2.1.27+dfsg-2.1
ii  libssl1.1                       1.1.1l-1
ii  libsss-certmap0                 2.5.2-4
ii  libsss-nss-idmap0               2.5.2-4
ii  libtalloc2                      2.3.1-2+b1
ii  libunistring2                   0.9.10-6
ii  libuuid1                        2.37.2-4
ii  libverto1                       0.3.1-1
ii  libwbclient0                    2:4.13.5+dfsg-2
ii  oddjob                          0.34.6-1
ii  p11-kit                         0.24.0-5
ii  pki-ca                          11.0.0-1
ii  pki-kra                         11.0.0-1
ii  python3                         3.9.2-3
ii  python3-dateutil                2.8.1-6
ii  python3-gssapi                  1.6.12-1
ii  python3-ipaserver               4.9.7-1
ii  python3-ldap                    3.2.0-4+b3
ii  python3-systemd                 234-3+b4
ii  samba-libs                      2:4.13.5+dfsg-2
ii  slapi-nis                       0.56.7-1
ii  ssl-cert                        1.1.0+nmu1
ii  sssd-dbus                       2.5.2-4
ii  systemd-sysv                    249.5-1

Versions of packages freeipa-server recommends:
ii  freeipa-server-dns  4.9.7-1

freeipa-server suggests no packages.

-- Configuration Files:
/etc/default/ipa-dnskeysyncd changed:
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf


-- no debconf information
>From 46f6c8df3dba0c5bd15e93c8249f3464799e7596 Mon Sep 17 00:00:00 2001
From: Chris Kelley <[email protected]>
Date: Fri, 10 Sep 2021 16:47:22 +0100
Subject: [PATCH] Make Dogtag return XML for ipa cert-find

Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <[email protected]>
---
 ipaserver/plugins/dogtag.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index be2e4bb4e2a..b4feddfac19 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1832,7 +1832,8 @@ def convert_time(value):
             method='POST',
             headers={'Accept-Encoding': 'gzip, deflate',
                      'User-Agent': 'IPA',
-                     'Content-Type': 'application/xml'},
+                     'Content-Type': 'application/xml',
+                     'Accept': 'application/xml'},
             body=payload
         )
 

--- End Message ---
--- Begin Message ---
Source: freeipa
Source-Version: 4.9.7-2
Done: Timo Aaltonen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
freeipa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated freeipa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Nov 2021 15:40:55 +0200
Source: freeipa
Built-For-Profiles: noudeb
Architecture: source
Version: 4.9.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 997952
Changes:
 freeipa (4.9.7-2) unstable; urgency=medium
 .
   * lintian: Drop override on python-script-but-no-python-dep, which doesn't 
exist anymore.
   * rules: Add fortify flag to CFLAGS, as CPPFLAGS isn't used by the project.
   * ci: Drop allowed failure for blhc, it passes now.
   * control: Build-depend on libcurl4-openssl-dev.
   * fix-paths.diff: Fix some paths in ipaplatform/base.
   * fix-apache-group.diff: Fix apache group name in ipa.conf tmpfile.
   * control: Depend on gpg instead of gnupg.
   * control: Drop libwbclient-sssd from freeipa-client-samba Depends.
   * patches: Import a patch to fix ipa cert-find. (Closes: #997952)
Checksums-Sha1:
 dc458c91b7f390d74be38f36218c217bbffe3d12 3909 freeipa_4.9.7-2.dsc
 04882d04e62a782a8890a564366b9ea4a0a4ff6d 281764 freeipa_4.9.7-2.debian.tar.xz
 126134badedb533c1d83b61592293494f4381beb 9441 freeipa_4.9.7-2_source.buildinfo
Checksums-Sha256:
 c379596dc3ab0b2f8716788c62ecd19bc81ef83dea204ef3cf1167d3c3246a4b 3909 
freeipa_4.9.7-2.dsc
 9bd864a950b83e3a18113c35b778a4a368f60e5852ea59cdd0db3a095d4b9558 281764 
freeipa_4.9.7-2.debian.tar.xz
 001aaece054ed2d835e0c9731711ff0f4022ce114066faad30d39781f23a0b6a 9441 
freeipa_4.9.7-2_source.buildinfo
Files:
 8faebeec9e74ba5a49e415361f789c78 3909 net optional freeipa_4.9.7-2.dsc
 e656ada57d31867964b8b545fe2d94d2 281764 net optional 
freeipa_4.9.7-2.debian.tar.xz
 e7daac3a2f44f429243a9923b254f455 9441 net optional 
freeipa_4.9.7-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmGVBqIACgkQy3AxZaiJ
hNytQBAAiHLB1i3KRru4X/tDSIgwp2ZLanyvOixQ2wEA2Q+htWs7z6Yqj+9tneNL
JvJHEILcMmPgW+6ukzdUr8Y8Ntuf8u1tVA0SDotItS9HmxeuGsGZovVr8wcqSnjN
KugifWaxoeVPAQoKErti69xFFvErH6J1gO8p3lVV3YWNhUSqlV0pRTWsXZJ25SSA
U0LwfBsmfNdZ9CLMw41ZW7Xe534GVClKRxTlTS0pRo4Be4dXWAnvjd8ATr9+L8zC
S/CNoJsWd/rac6gr6y7IMnSjrxIj4HdS8lfrwQQKK/oL21HV5WrCmM8oWe4CFf4F
pDcDgnjedAlgxHw8r/WJI6ohPMFAaACuW6CXwDoXiSKJHLdy2QwfPdC9b+5ArxLh
duxPniZXLB6zq/CTo8UbkXWHWOqOoNAJHAfLm9dB6OerEfzOKsDO7Sj4o6J9taHV
Z7MF+mAiurMdtrrcrNkL0jFgEqIsJEdrVqmlxjlOeCcIo2pblEqNlSeXf/VmEyMk
vfSgCwJKqcyuFScSCr9/xIX0XSwRiuVR83z7dthIATF18dv4NmbhwBDE/HhTptpp
nzrEwL0ViYSrA2qbXJtoYfeZ6mLmZd50uztX5USehb73C1E8sn8rJEp3ZJouF3Mm
+8ofbhYVSQ7CVF4eX83pleUU+XkRdux0Qti5IeUN3ZCSA6r063A=
=6G9b
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to