On 25.7.2012 22:58, Rob Crittenden wrote:
Jan Cholasta wrote:
On 25.7.2012 16:01, Rob Crittenden wrote:
Petr Viktorin wrote:
On 07/23/2012 10:03 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Andrew Wnuk wrote:
On 07/16/2012 01:35 PM, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).

Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere? Or is it not turning out to be a problem if they
aren't?

I didn't test validating OCSP signatures but the audit subsystem
seemed fine (it complained wildly when I had the wrong trust in the
NSS db).

Andrew, do I need to update CS.cfg as well?

Yes, you may need to update CS.cfg too.

Ok, added a bit to update CS.cfg with the new certificate.

This should fix some SELinux issues preventing certmonger from
monitoring the dogtag certificate database in /var/lib/pki-ca/alias.

rob

I don't know enough about dogtag/certmonger to comment on the
functionality, but there are minor issues I can find. Attaching a patch
to fix them.


`make rpms` fails:

rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
error: %changelog not in descending chronological order
make: *** [rpms] Error 1



`git am` complains:

Applying: Use certmonger to renew CA subsystem certificates
/home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at EOF.
+
/home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at EOF.
+
warning: 2 lines add whitespace errors.

Thanks, integrated this patch and added a missing script, renew_ipacert.

rob


NACK


First, a question: I haven't tested this (yet), but what happens when
someone uses the --{dirsrv,http,pkinit}_pkcs12 options of
ipa-server-install/ipa-replica-prepare? (There are also other options
which I suspect may cause trouble, namely --subject and --selfsign.)

CA certs aren't tracked if --selfsign is used.

subject doesn't matter, it is unrelated to renewal.

The provided PKCS#12 files are unrelated to this patch, but in general
we will still attempt to renew the dirsrv and http certs. We
automatically track all certs using the IPA CA. If they were not issued
by the IPA CA then they will fail to be renewed.

OK, thanks.


I'm thinking we need to deprecate ipa-server-certs and document that
using the PKCS#12 options is unsupported.


install/restart_scripts/renew_ra_cert doesn't seem to be used anywhere.

This replaces the ipaCert script. I fixed up the invocation.

ipa-replica-install --setup-ca fails with:

...
   [13/15]: configure clone certificate renewals

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"

Fixed.

On clones, the CN=IPA RA,O=REALM certificate is tracked with post-save
command '/usr/lib64/ipa/certmonger/restart_httpd "ipaCert"', but
restart_httpd does not take any arguments (it does not break anything,
it's just weird).

That's true, suppressed.


Comments on individual files follow:


install/certmonger/Makefile.am:

Missing closing parenthesis:

+EXTRA_DIST =                            \
+        $(app_SCRIPTS                   \

Fixed, and replaced some spaces with tabs.


install/certmonger/dogtag-ipa-retrieve-agent-submit:

Typo ("nicknamd"):

Fixed.

Are these guaranteed to be upper-case? I'd put operation.upper() here,
just to be on the safe side:

Yes, guaranteed to be upper-case from certmonger.

This except block is not necessary; unhandled exceptions are caught in
the except block lower in the code:

+        sys.exit(5)
+    except Exception, e:
+        # Unhandled error
+        sys.exit(3)
+    finally:
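Review bot: in the `except Exception, e:` branch, `e` is bound and then discarded, so the cause of the failure is lost before the process exits with status 3; either drop the block, as suggested, and let the outer handler deal with it, or record str(e) somewhere (syslog, since nothing else will see it) before calling sys.exit.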

Sure, removed. I had it there for readability but it is such little code
it can still be followed.



install/restart_scripts/restart_dirsrv:

You import and initialize api, but then don't use it.

Ah, I did at one point, then ripped it all out (or almost all,
apparently). Gone.


install/restart_scripts/*:

All these scripts could use more exception handling, but I guess
potential bugs can be sorted out later.

Well, they all run in the background so even if they caught errors
nothing would see them unless we decide to syslog errors.


install/share/default-aci.ldif:

The ACIs are wrong (Kerberos principal instead of ldap URI in userdn; in
40-delegation.update it is done right).

Nice catch, not sure how I missed that. Fixed.

You forgot to fix the allow(add) one, it still has userdn = "host/$FQDN@$REALM".



ipapython/certmonger.py:

This is ugly:

+        if sys.maxsize > 2**32:
+            libpath = 'lib64'
+        else:
+            libpath = 'lib'
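Review bot: the `sys.maxsize > 2**32` test at the top of this hunk detects the interpreter's pointer width, not which directory the distribution uses for its libraries; the two coincide on the Fedora platform targeted here, but nothing checks that the resulting libpath actually exists. Consider verifying the path with os.path.exists and failing loudly, or taking it from the build system as the config.py suggestion below proposes.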

I'm open to suggestions; it's the best thing I could find.

OK, it is mentioned in <http://docs.python.org/library/platform.html>, so it is probably safe.

However, I think that in future it might be nice to have a config.py file (perhaps autoconf generated?) with system paths as constants.


Is it safe to show the PIN in "getcert -P <PIN>" in logs? If not, please
add an appropriate nolog argument to ipautil.run.

Probably best to be safe, suppressed.


ipapython/platform/fedora16.py

Can't we pick one name for pki-cad/pki_cad and use only that?

I added it so we could do calls like:

ipaservices.knownservices.pki_cad.restart(instance). No dashes allowed
in Python names.

The actual service name is pki-cad, so my intention was to make it an
alias.

OK, makes sense.



selinux/ipa_dogtag/ipa_dogtag.te:

Please use tabs here instead of spaces:

+        class file read;
+        class file getattr;
+        class file open;

Sure, fixed.

rob


I did:

1. ipa-server-install on host1, using IPA from master
2. ipa-replica-install on host2, using IPA from master
3. update host1 to IPA with your patch applied
4. update host2 to IPA with your patch applied
5. ipa-ca-install on host2

After that, ipaCert is not tracked on host2 at all (I had to add it manually using "getcert start-tracking -d /etc/httpd/alias -n ipaCert -c dogtag-ipa-retrieve-agent-submit -C /usr/lib64/ipa/certmonger/restart_httpd -p /etc/httpd/alias/pwdfile.txt -T ipaCert").


(to be continued)


Honza

--
Jan Cholasta
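A check for the gap Jan describes (ipaCert not tracked on the clone), as an added example and not code from this thread or from FreeIPA: it parses `getcert list` output and compares it against the set of certificates a CA clone should be tracking. The sample output and the EXPECTED table are constructed here (the nickname, NSS database and CA helper name are taken from the start-tracking command above); the field layout follows certmonger's `getcert list` format.

```python
import re

# Constructed `getcert list` output, not captured from a real host: two
# tracked requests, but no request for the ipaCert nickname in /etc/httpd/alias.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120725195823':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
Request ID '20120725195830':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
"""

# Assumed set a CA clone should track: (NSS db, nickname) -> certmonger CA helper.
EXPECTED = {
    ("/etc/httpd/alias", "ipaCert"): "dogtag-ipa-retrieve-agent-submit",
    ("/etc/httpd/alias", "Server-Cert"): "IPA",
    ("/etc/dirsrv/slapd-EXAMPLE-COM", "Server-Cert"): "IPA",
}

def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"request_id": m.group(1)})
        elif requests and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def check_tracking(text, expected):
    """Return findings: untracked certs, wrong CA helper, or a request not MONITORING."""
    tracked = {}
    for req in parse_getcert_list(text):
        m = re.search(r"location='([^']*)',nickname='([^']*)'", req.get("certificate", ""))
        if m:
            tracked[(m.group(1), m.group(2))] = req
    findings = []
    for (db, nick), ca in sorted(expected.items()):
        req = tracked.get((db, nick))
        if req is None:
            findings.append("not tracked: %s in %s" % (nick, db))
        elif req.get("CA") != ca:
            findings.append("wrong CA for %s in %s: %s" % (nick, db, req.get("CA")))
        elif req.get("status") != "MONITORING":
            findings.append("%s in %s is %s" % (nick, db, req.get("status")))
    return findings
```

Run it against the real `getcert list` output on each replica after ipa-ca-install; an empty list means every expected certificate is tracked by the right helper.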

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
