subscription-manager icon indicating copy to clipboard operation
subscription-manager copied to clipboard
verified publisher icon candlepin

[2126981] ENT-5345: improve various error messages

Open ptoscano opened this issue 3 years ago • 0 comments

Some of the messages that subscription-manager prints in certain error situations, mostly related to networking, are generic and unhelpful. This means that the users have little idea of what went wrong, and in certain cases even looking at the log file (rhsm.log) does not provide more clues. Since subscription-manager actually has more details on the failures, let's make it print what it knows about a certain failure.

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2126981 Card ID: ENT-5345

Internal changes

Some internal classes, mostly in rhsm.connection, were extended to carry more details/info. Those new bits are used later on to produce more detailed error messages.

There were changes in the C _certificates extension: in particular, a new exception, CertificateLoadingError, is added for certificate loading failures from OpenSSL.

Please refer to the individual commits for more detailed explanations on the changes.

The changed messages

Network error, unable to connect to server. Please see ...

This represents a number of network related issues.

For any error related to the network name resolution, the proposed error message is:

Network error: <error message> (error code <error code>)

for example:

Network error: Name or service not known (error code -2)

For any error related to the network connection itself, the proposed error message is:

Connection error: <error message> (error code <error code>)

for example:

Connection error: Connection refused (error code 111)

In both cases, the error message/code is as reported by the low level network bits in the Linux stack.

NB: the "old" error message is still (theoretically) in use, and thus not removed. This is because it is mapped to the socket.error exception, which in Python 3.3 became an alias for OSError: since OSError is very broad, it is hard to determine whether the current mappings done by ExceptionMapper cover all the cases handled by ExceptionMapper.

Network error. Please check the connection details, ...

Despite the "network” mention, this represents a reply from the server in case the content cannot be parsed as JSON, and the HTTP error code is different than 200, 202, 204, 304, 401, 403, 404, 410, 429, 500, 502, 503, 504.

In case there is a content in the server reply, the proposed error message is:

Unknown server reply (HTTP error code <error code>: <error message>): <content>

for example:

Unknown server reply (HTTP error code 400: Bad Request): <html> <body> [etc]

In case there is no content in the server reply, the proposed error message is:

Unknown server reply (HTTP error code <error code>: <error message>)

for example:

Unknown server reply (HTTP error code 400: Bad Request)

Proxy connection failed, please check your settings.

This represents errors related to the connection to the proxy server.

For any error related to the network name resolution of the proxy server, the proposed error message is:

Proxy error: proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:

Proxy error: proxy_hostname:proxy_port: Name or service not known (error code -2)

For any error related to the connection to the proxy server, the proposed error message is:

Proxy error: unable to connect to proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:

Proxy error: unable to connect to proxy_hostname:proxy_port: Connection refused (error code 111)

The error message/code is as reported by the low level network bits in the Linux stack.

Unable to reach the server at <host>:<port>/<path>

This error is printed when the initial connection to the entitlement server cannot be established; usually they refer to proxy errors.

For any error related to the connection to the proxy server, the proposed error message is:

Unable to reach the server at hostname:port/path: <error message>

for example:

Unable to reach the server at hostname:port/path: Tunnel connection failed: 500 Unable to connect Unable to reach the server at hostname:port/path: Tunnel connection failed: 407 Proxy Authentication Required

Bad CA certificate: <file>

This error is printed when any of the .pem files in the CA directory of subscription-manager (the default is /etc/rhsm/ca/) is not a valid PEM file with certificates. This generally should not happen, unless a custom faulty certificate is added to that directory.

The proposed error message is:

Bad CA certificate: <file>: <error message>

for example:

Bad CA certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.

System certificates corrupted. Please reregister.

This error is printed when any of the products .pem files in /etc/pki/product-default/ is not a valid PEM file with certificates. This generally should not happen, as the certificates in that directory are provided by Red Hat.

The proposed error message is:

Bad product certificate: <file>: <error message>

for example:

Bad product certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by OpenSSL directly.

NB: since the code involved in this is not used only to load product certificates, there are few more messages related to certificate loading failures.

ptoscano avatar Oct 10 '22 16:10 ptoscano