On 25.7.2012 16:01, Rob Crittenden wrote:
Petr Viktorin wrote:
On 07/23/2012 10:03 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Andrew Wnuk wrote:
On 07/16/2012 01:35 PM, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).
Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere? Or is it not turning out to be a problem if they
aren't?
I didn't test validating OCSP signatures but the audit subsystem
seemed fine (it complained wildly when I had the wrong trust in the
NSS db).
Andrew, do I need to update CS.cfg as well?
Yes, you may need to update CS.cfg too.
Ok, added a bit to update CS.cfg with the new certificate.
This should fix some SELinux issues preventing certmonger from
monitoring the dogtag certificate database in /var/lib/pki-ca/alias.
rob
I don't know enough about dogtag/certmonger to comment on the
functionality, but there are minor issues I can find. Attaching a patch
to fix them.
`make rpms` fails:
rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
error: %changelog not in descending chronological order
make: *** [rpms] Error 1
`git am` complains:
Applying: Use certmonger to renew CA subsystem certificates
/home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at
EOF.
+
/home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at
EOF.
+
warning: 2 lines add whitespace errors.
Thanks, integrated this patch and added a missing script, renew_ipacert.
rob
NACK
First, a question: I haven't tested this (yet), but what happens when
someone uses the --{dirsrv,http,pkinit}_pkcs12 options of
ipa-server-install/ipa-replica-prepare? (There are also other options
which I suspect may cause trouble, namely --subject and --selfsign.)
install/restart_scripts/renew_ra_cert doesn't seem to be used anywhere.
ipa-replica-install --setup-ca fails with:
...
[13/15]: configure clone certificate renewals
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"
ipareplica-install.log:
...
2012-07-25T11:49:17Z DEBUG args=/usr/bin/certutil -L -d /etc/httpd/alias
-n ipaCert
2012-07-25T11:49:17Z DEBUG stdout=
2012-07-25T11:49:17Z DEBUG stderr=certutil: Could not find cert: ipaCert
: File not found
2012-07-25T11:49:17Z INFO File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 604, in run_script
return_value = main_function()
File "/sbin/ipa-replica-install", line 446, in main
(CA, cs) = cainstance.install_replica_ca(config)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1265, in install_replica_ca
subject_base=config.subject_base)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
554, in configure_instance
self.start_creation("Configuring certificate server", 210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 261, in start_creation
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1158, in configure_clone_renewal
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit',
'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias',
'restart_httpd')
File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line
364, in dogtag_start_tracking
raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database
"%s"' % (nickname, secdir))
2012-07-25T11:49:17Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Nickname "ipaCert" doesn't exist in NSS
database "/etc/httpd/alias"
(ipa-ca-install doesn't seem to suffer from the above issue.)
On clones, the CN=IPA RA,O=REALM certificate is tracked with post-save
command '/usr/lib64/ipa/certmonger/restart_httpd "ipaCert"', but
restart_httpd does not take any arguments (it does not break anything,
it's just weird).
Comments on individual files follow:
install/certmonger/Makefile.am:
Missing closing parenthesis:
+EXTRA_DIST = \
+ $(app_SCRIPTS \
install/certmonger/dogtag-ipa-retrieve-agent-submit:
Typo ("nicknamd"):
+# We cheat and pass in the nicknamd as the CA profile to execute against.
Are these guaranteed to be upper-case? I'd put operation.upper() here,
just to be on the safe side:
+if operation not in ['SUBMIT', 'POLL']:
+ sys.exit(6) # unsupported operation
This except block is not necessary, unhandled exceptions are caught in
the except block lower in the code:
+ sys.exit(5)
+ except Exception, e:
+ # Unhandled error
+ sys.exit(3)
+ finally:
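Review bot: in the `except Exception, e:` block the exception `e` is bound but never used, so `sys.exit(3)` discards the only diagnostic certmonger would get for an unexpected failure. Whichever catch-all block is kept, write the exception text to stderr (for example `sys.stderr.write(str(e) + '\n')`) before exiting, so the cause is visible in certmonger's log rather than only an exit code.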
install/restart_scripts/restart_dirsrv:
You import and initialize api, but then don't use it.
install/restart_scripts/*:
All these scripts could use more exception handling, but I guess
potential bugs can be sorted out later.
install/share/default-aci.ldif:
The ACIs are wrong (Kerberos principal instead of ldap URI in userdn, in
40-delegation.update it is done right).
ipapython/certmonger.py:
This is ugly:
+ if sys.maxsize > 2**32:
+ libpath = 'lib64'
+ else:
+ libpath = 'lib'
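Review bot: `sys.maxsize > 2**32` tests the interpreter's pointer width, not where the distribution installs the certmonger helper scripts, so the guess breaks on a 64-bit Python whose helpers live under /usr/lib, or on a multilib host running a 32-bit Python; the resulting hardcoded path is what shows up in the tracked post-save command above. Resolve the helper directory once at build or install time (substitute the configured libdir into the script, or expose it from the platform module this patch already touches) instead of inferring it at runtime.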
Is it safe to show the PIN in "getcert -P <PIN>" in logs? If not, please
add an appropriate nolog argument to ipautil.run.
ipapython/platform/fedora16.py
Can't we pick one name for pki-cad/pki_cad and use only that?
selinux/ipa_dogtag/ipa_dogtag.te:
Please use tabs here instead of spaces:
+ class file read;
+ class file getattr;
+ class file open;
(to be continued)
Honza
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
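The review asks whether the PIN in `getcert -P <PIN>` is safe to show in logs. The following is an added illustration of the two defensive options, not FreeIPA's own ipautil.run or certmonger.py code: prefer certmonger's `-p PINFILE` option so the PIN never appears on the command line at all (a PIN passed via `-P` is visible to every local user through `ps`, not just in the installer log), and when a secret must go into argv, mask it in the logged command line. The function names, the `MASK` value and the sample PIN are assumptions; only the `getcert start-tracking -d/-n/-p/-P` options are certmonger's.

```python
"""Build and log a certmonger tracking command without leaking the NSS
database PIN.  Added example, not FreeIPA project code."""
import logging
import shlex
import subprocess

log = logging.getLogger("renew-example")
MASK = "XXXXXXXX"  # assumed placeholder used in place of a secret


def redact_args(args, nolog=()):
    """Return a copy of argv with every secret in `nolog` masked.

    Masking is done by substring so a secret embedded in a joined option
    such as --pin=SECRET is hidden as well as a bare argument."""
    out = []
    for arg in args:
        for secret in nolog:
            if secret and secret in arg:
                arg = arg.replace(secret, MASK)
        out.append(arg)
    return out


def build_start_tracking(nickname, secdir, pinfile=None, pin=None):
    """Assemble `getcert start-tracking` argv for a certificate in an NSS db.

    A PIN file (-p) is preferred: the PIN then never appears in argv, so
    neither the log nor `ps` can expose it.  Only if no file is available
    is -P used, and the PIN is returned in `nolog` so callers mask it."""
    args = ["getcert", "start-tracking", "-d", secdir, "-n", nickname]
    nolog = ()
    if pinfile:
        args += ["-p", pinfile]
    elif pin:
        args += ["-P", pin]
        nolog = (pin,)
    return args, nolog


def run_logged(args, nolog=(), dry_run=False):
    """Log the redacted command line, then run it unless dry_run is set.

    Returns (exit status, logged command line).  The real argv (with the
    secret) is what gets executed; only the logged rendering is masked."""
    logged = " ".join(shlex.quote(a) for a in redact_args(args, nolog))
    log.debug("args=%s", logged)
    if dry_run:
        return 0, logged
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.returncode, logged


if __name__ == "__main__":
    # Constructed sample values; "s3cret-pin" is not a real PIN.
    argv, secrets = build_start_tracking("ipaCert", "/etc/httpd/alias",
                                         pin="s3cret-pin")
    print(run_logged(argv, secrets, dry_run=True)[1])
```

The redaction only protects the log; the PIN-file path is the real fix, which is why `build_start_tracking` takes it first and only falls back to `-P`. The same `nolog` tuple can be threaded through any wrapper that records command lines, so a later `getcert` call cannot reintroduce the leak by forgetting to mask.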