[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

HonzaCholasta commented:
"""
@frasertweedale, I'm not aware of any agreement and I'm against this as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300375495
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#769][synchronized] test_caless: add pkinit option and test it
URL: https://github.com/freeipa/freeipa/pull/769 Author: Rezney Title: #769: test_caless: add pkinit option and test it Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/769/head:pr769 git checkout pr769 From 1c517ee628fb31f765e21149fcaa3d26fd07d0fa Mon Sep 17 00:00:00 2001 From: Michal ReznikDate: Tue, 9 May 2017 16:39:45 +0200 Subject: [PATCH] test_caless: add pkinit option and test it change "caless-create-pki" so pkinit certificates can be generated. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details. add pkinit option to the ipa installer and test both master and replica install with pkinit. Signed-off-by: Michal Reznik --- .../test_integration/scripts/caless-create-pki | 112 - ipatests/test_integration/test_caless.py | 76 -- 2 files changed, 151 insertions(+), 37 deletions(-) diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki index 8928e95..816e7dc 100644 --- a/ipatests/test_integration/scripts/caless-create-pki +++ b/ipatests/test_integration/scripts/caless-create-pki 
@@ -1,14 +1,29 @@ #!/bin/bash -e -profile_ca=(-t CT,C,C -v 120) -profile_server=(-t ,, -v 12) - -crl_path=${crl_path-$(readlink -f $dbdir)} - -serial_number=0 +profile_ca_request_options=(-1 -2 -4) +profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_ca_create_options=(-v 120) +profile_ca_add_options=(-t CT,C,C) +profile_server_request_options=(-4) +profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_server_create_options=(-v 12) +profile_server_add_options=(-t ,,) + +write_chain() { +local nick="$1" + +chain=`certutil -O -d $dbdir -n "$nick" | + sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"` + +while read -r name; do +# OpenSSL requires a reverse order to what we get from NSS +echo -e "`certutil -L -d "$dbdir" -n "$name" -a`\n`cat $dbdir/$nick.pem` +" > "$dbdir/$nick.pem" +done <<< "$chain" +} gen_cert() { -local profile="$1" nick="$2" subject="$3" ca options pwfile noise csr crt +local profile="$1" nick="$2" subject="$3" ca request_options request_input create_options serial add_options pwfile noise csr crt shift 3 echo "gen_cert(profile=$profile nick=$nick subject=$subject)" @@ -18,13 +33,20 @@ gen_cert() { ca="$nick" fi -eval "options=(\"\${profile_$profile[@]}\")" +eval "request_options=(\"\${profile_${profile}_request_options[@]}\")" +eval "eval request_input=\"\${profile_${profile}_request_input}\"" + +eval "create_options=(\"\${profile_${profile}_create_options[@]}\")" if [ "$ca" = "$nick" ]; then -options=("${options[@]}" -x -m 1) +create_options=("${create_options[@]}" -x -m 1) else -options=("${options[@]}" -c "$ca") +eval "serial_${ca//\//_}=\$((\${serial_${ca//\//_}:-1}+1))" +eval "serial=\$serial_${ca//\//_}" +create_options=("${create_options[@]}" -c "$ca" -m "$serial") fi +eval "add_options=(\"\${profile_${profile}_add_options[@]}\")" + pwfile="$(mktemp)" echo "$dbpassword" >"$pwfile" 
@@ -38,22 +60,14 @@ gen_cert() { csr="$(mktemp)" crt="$(mktemp)" -certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null "$dbdir/ext.kdc" +} + +gen_pkinit_cert() { +local nick="$1" subj="$2" outname="$3" +shift 3 + +openssl genrsa -out "$dbdir/$nick/kdc.key" 2048 > /dev/null +openssl req -new -out "$dbdir/$nick/kdc.req" -key "$dbdir/$nick/kdc.key" \ +
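Review bot: in the first hunk (`@@ -1,14 +1,29 @@`) the `profile_*_request_input` strings are double-escaped and then evaluated twice (`eval "eval request_input=..."` in the second hunk), so `\$(readlink -f \$dbdir)` and `\$ca` are re-expanded by the shell at request time without quoting; a database path or nickname containing a space, quote or `$` breaks the script or gets executed. A small function called with `"$dbdir"` and `"$ca"` that prints the prompt answers avoids the nested eval and makes the answer sequence (`0\n1\n5\n6\n9\ny\ny...`) reviewable. In the same hunk, `write_chain()` leaves `$dbdir` unquoted in `certutil -O -d $dbdir` and `cat $dbdir/$nick.pem` while the rest of the function quotes it, and `chain` is not declared `local`.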
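Review bot: the per-CA serial counter in the second hunk (`eval "serial_${ca//\//_}=\$((\${serial_${ca//\//_}:-1}+1))"`) only rewrites `/` in the nickname, so any other character that is not legal in a shell identifier (`-`, `.`) turns the eval into a syntax error. A bash associative array (`declare -A serial` and `serial[$ca]=$(( ${serial[$ca]:-1} + 1 ))`) drops both the eval and the name mangling. Also worth a comment: serials now restart at 2 per issuing CA instead of continuing the removed global `serial_number`, which is fine since uniqueness is only required per issuer and `-m 1` is reserved for the self-signed CA certificate.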
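Review bot: in the third hunk (`@@ -38,22 +60,14 @@`) `openssl genrsa -out "$dbdir/$nick/kdc.key" 2048` writes an unencrypted private key with whatever the process umask allows, and nothing in the hunk creates `$dbdir/$nick/` first; under `#!/bin/bash -e` a missing directory aborts the whole run. If the directory is created elsewhere, say so in a comment; otherwise add `mkdir -p "$dbdir/$nick"` and set `umask 077` (or `chmod 600` the key) before packaging it, since this is the key the test later hands to the KDC.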
[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

frasertweedale commented:
"""
Was there agreement that this should be implemented? (I am personally against it, because the next release should update the default profile to use the new CommonNameToSanExtDefault profile component).

If we do implement this, IMO it should be a per-profile configuration, because there may be legitimate use cases where SAN is not needed.

If we do pursue the current approach, we should further check not only that SAN is present, but that it contains a DNSName. Put another way, with the current patch, SAN can be present, but it might contain only KRB5PrincipalName and no DNSName, and therefore the warning will not show, but it probably should have warned.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130
[Freeipa-devel] [freeipa PR#773][edited] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: edited
Changed field: body
Original value:
"""
The code is obviously not the final version, however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info.

Fix: https://pagure.io/freeipa/issue/6663
"""
[Freeipa-devel] [freeipa PR#773][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: opened PR body: """ The code is obviously is not the final version, however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773 From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001 From: Felipe VolponeDate: Tue, 9 May 2017 17:06:55 -0300 Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN --- ipaserver/plugins/cert.py | 12 1 file changed, 12 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..aa960ab 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): + +has_dns_in_san_ext = False +if ext_san: +for gn in x509.process_othernames(ext_san.value): +if isinstance(gn, cryptography.x509.general_name.DNSName): +has_dns_in_san_ext = True + +if not ext_san or not has_dns_in_san_ext: +print('Warning: The SAN extension ' + 'should be provided. Please, check the RFC 2818.') + + if not _dns_name_matches_principal(cn, principal, principal_obj): raise errors.ValidationError( name='csr', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
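Review bot: `print('Warning: ...')` inside `cert_request.execute()` writes to the server process's stdout, so the user running `ipa cert-request` never sees it; FreeIPA commands pass warnings back to the client with `self.add_message(...)` using a message class from `ipalib.messages`. Two smaller points in the same hunk: the loop over `x509.process_othernames(ext_san.value)` can `break` as soon as a `DNSName` is found, and the warning text should say what is missing (a dNSName entry in the SAN) rather than only pointing at RFC 2818, which is also the case the review comment above calls out (SAN present, but holding only a KRB5PrincipalName).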
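A stand-alone illustration of the check the review comments above ask for (a SAN that exists but carries no dNSName should still trigger the warning), added here as an example; it is not code from FreeIPA or from this PR. It encodes two constructed SAN values with a minimal DER helper (one holding only a KRB5PrincipalName otherName, one that also carries a dNSName), walks them with a small TLV reader instead of depending on `python-cryptography`, and applies the CN and SAN rules to a sample principal. `check_csr_names`, `dns_names_in_san`, the `tlv` helpers and the `ipa.example.test` / `EXAMPLE.TEST` names are all this example's own.

```python
"""Added example (not FreeIPA code): does a CSR's CN/SAN satisfy cert-request
for a host/service principal, treating a SAN that holds only a
KRB5PrincipalName otherName the same as a missing SAN (no dNSName)?

The SAN is handled as raw DER (the extnValue contents) with a tiny TLV walker,
so only the standard library is needed; all sample names are constructed.
"""
from __future__ import annotations

import re
from typing import Iterator, List, Optional, Tuple

# Universal ASN.1 tags used below.
SEQUENCE, INTEGER, OID, GENERALSTRING = 0x30, 0x02, 0x06, 0x1B
# GeneralName CHOICE alternatives (context-specific, IMPLICIT tagging).
TAG_OTHERNAME = 0xA0   # [0] constructed: OtherName { type-id OID, value [0] EXPLICIT ANY }
TAG_DNSNAME = 0x82     # [2] primitive:   IA5String
# id-pkinit-san 1.3.6.1.5.2.2 (RFC 4556), DER contents of the OID.
ID_PKINIT_SAN = b"\x2b\x06\x01\x05\x02\x02"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def krb5_principal_name(principal: str) -> bytes:
    """DER KRB5PrincipalName (RFC 4556 3.2.2): realm [0], principalName [1]."""
    name, realm = principal.rsplit("@", 1)
    name_string = b"".join(tlv(GENERALSTRING, c.encode("ascii")) for c in name.split("/"))
    principal_name = tlv(SEQUENCE, tlv(0xA0, tlv(INTEGER, b"\x01"))  # name-type NT-PRINCIPAL
                         + tlv(0xA1, tlv(SEQUENCE, name_string)))
    return tlv(SEQUENCE, tlv(0xA0, tlv(GENERALSTRING, realm.encode("ascii")))
               + tlv(0xA1, principal_name))


def san_krb5_principal(principal: str) -> bytes:
    """GeneralName otherName carrying a KRB5PrincipalName."""
    return tlv(TAG_OTHERNAME, tlv(OID, ID_PKINIT_SAN) + tlv(0xA0, krb5_principal_name(principal)))


def san_dnsname(name: str) -> bytes:
    return tlv(TAG_DNSNAME, name.encode("ascii"))


def san_extension(*general_names: bytes) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName."""
    return tlv(SEQUENCE, b"".join(general_names))


def iter_tlv(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk consecutive DER TLVs in `data`, yielding (tag, contents)."""
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated DER header")
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length


def dns_names_in_san(san_der: bytes) -> List[str]:
    """dNSName entries of a SAN value; otherName, IP and other kinds are skipped."""
    items = list(iter_tlv(san_der))
    if len(items) != 1 or items[0][0] != SEQUENCE:
        raise ValueError("SAN value must be a single SEQUENCE OF GeneralName")
    return [body.decode("ascii") for tag, body in iter_tlv(items[0][1]) if tag == TAG_DNSNAME]


def principal_hostname(principal: str) -> str:
    """Host part of a host/service principal, e.g. HTTP/ipa.example.test@EXAMPLE.TEST."""
    m = re.fullmatch(r"[^/@]+/([^/@]+)@[^/@]+", principal)
    if not m:
        raise ValueError("not a host or service principal: %r" % principal)
    return m.group(1)


def check_csr_names(cn: str, san_der: Optional[bytes], principal: str) -> Tuple[bool, List[str]]:
    """Return (accepted, warnings) for a CSR's CN and SAN against the requesting principal.

    The CN rejection follows the _dns_name_matches_principal check visible in the
    PR hunk; rejecting a dNSName that names another host is this example's own rule,
    and the warning is the PR#773 addition with the review comment's refinement.
    """
    host = principal_hostname(principal).lower()
    if cn.lower() != host:
        return False, ["CN %r does not match principal host %r" % (cn, host)]
    dns_names = [d.lower() for d in dns_names_in_san(san_der)] if san_der else []
    if not dns_names:
        # Reached both when SAN is absent and when it holds only e.g. a KRB5PrincipalName.
        return True, ["no dNSName in SAN: RFC 2818 3.1 clients use SAN dNSName when present "
                      "and treat matching on CN as deprecated"]
    if host not in dns_names:
        return False, ["SAN dNSName %r does not include principal host %r" % (dns_names, host)]
    return True, []


if __name__ == "__main__":
    princ = "host/ipa.example.test@EXAMPLE.TEST"  # constructed sample principal
    for label, san in [("no SAN", None),
                       ("SAN with only KRB5PrincipalName", san_extension(san_krb5_principal(princ))),
                       ("SAN with dNSName", san_extension(san_krb5_principal(princ),
                                                          san_dnsname("ipa.example.test")))]:
        print(label, "->", check_csr_names("ipa.example.test", san, princ))
```

Inside FreeIPA the warning would be attached to the command's messages instead of being returned as a list, but the decision is the part that matters: a SAN holding only a KRB5PrincipalName lands in the same branch as a missing SAN, which is exactly the gap the current patch has.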
[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

felipevolpone commented:
"""
Done
"""

See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300266711
[Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds
URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

tiran commented:
"""
Needs to be merged into 4.5.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/772#issuecomment-300255483
[Freeipa-devel] [freeipa PR#772][+blocker] Travis CI: explicitly update pip before running the builds
URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds
Label: +blocker
[Freeipa-devel] [freeipa PR#772][+ack] Travis CI: explicitly update pip before running the builds
URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds
Label: +ack
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

rcritten commented:
"""
As far as I can tell it is always recoverable using this. I wasn't able to force a failure of replication, that could be a potential show-stopper. The PR doesn't touch the replication agreements at all except to allow them to already be there, so if things were in some sort of halfway state I couldn't say for sure what would happen.

The code is there for examination to determine what steps are done, but in short:

- call the existing CA uninstaller which mostly just calls pki-destroy (it also does some state cleanup, removes the CRLs and untracks the CA certs via certmonger)
- A side-effect of the uninstaller is to shutdown certmonger. I start that back up
- The service is removed from cn=masters
- The cached services list is removed so ipactl won't fail starting a non-existent tomcat instance

To be idempotent would require changes in dogtag, it is that which blows up on a re-install attempt. I would not be in favor of automatically uninstalling dogtag on another ipa-ca-install call.

ipa-ca-install would/should never be run on the original master. It already prints a big fat warning. I'd be ok making it fatter and requiring (no joke) multiple "Are you sure" prompts.

There is no CA install for CAless so not a case I'm interested in.

If you want to rename options I'm ok with that as well, maybe --try-again or something of that nature (in which case I WOULD be in favor of doing the uninstall automatically).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300247543
[Freeipa-devel] [freeipa PR#772][synchronized] Travis CI: explicitly update pip before running the builds
URL: https://github.com/freeipa/freeipa/pull/772 Author: martbab Title: #772: Travis CI: explicitly update pip before running the builds Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/772/head:pr772 git checkout pr772 From ac03074839f3602df8c95be89d52ef4ae8238033 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Tue, 9 May 2017 18:36:51 +0200 Subject: [PATCH] Travis CI: explicitly update pip before running the builds This is to workaround around https://github.com/travis-ci/travis-ci/issues/7733 and issues with implicit requirement of python-requests on newer pip. --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 1a8f1b3..c275cdc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,6 +28,8 @@ env: test_pkcs10 test_xmlrpc/test_[l-z]*.py" install: +- pip install --upgrade pip +- pip3 install --upgrade pip - pip install pep8 - > pip3 install -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
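Review bot: `pip install --upgrade pip` and `pip3 install --upgrade pip` float to whatever pip release is newest on PyPI at build time, so the CI run is no longer reproducible and a broken or malicious pip release hits every job at once; pin an explicit version (`pip install 'pip==<version>'`, with the version chosen deliberately) and bump it in a separate commit when needed. The workaround itself is fine for the Travis issue linked in the commit message, it just should not be an open-ended upgrade.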
[Freeipa-devel] [freeipa PR#772][opened] Travis CI: explicitly update pip before running the builds
URL: https://github.com/freeipa/freeipa/pull/772 Author: martbab Title: #772: Travis CI: explicitly update pip before running the builds Action: opened PR body: """ This is to workaround around https://github.com/travis-ci/travis-ci/issues/7733 and issues with implicit requirement of python-requests on newer pip. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/772/head:pr772 git checkout pr772 From 51de0bc52f48b17fad03a19bc3a094ba797a2c4d Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Tue, 9 May 2017 18:36:51 +0200 Subject: [PATCH] Travis CI: explicitly update pip before running the builds This is to workaround around https://github.com/travis-ci/travis-ci/issues/7733 and issues with implicit requirement of python-requests on newer pip. --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 1a8f1b3..5835999 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,6 +28,7 @@ env: test_pkcs10 test_xmlrpc/test_[l-z]*.py" install: +- pip install --upgrade pip - pip install pep8 - > pip3 install -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
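Review bot: only `pip` (the Python 2 one) is upgraded here, while the `pip3 install` on the following context line still runs with the Travis image's pip3, so the Python 3 build keeps whatever failure mode the commit message is working around; upgrade both, and pin the pip version rather than floating `--upgrade` to the latest release so the build stays reproducible.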
[Freeipa-devel] [freeipa PR#771][opened] cert-show: check if certificate_out is in options
URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: opened PR body: """ If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None, though. https://pagure.io/freeipa/issue/6885 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771 From 46db5c88fa85915f56def93ae7ea20b34b2aac32 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 9 May 2017 17:45:20 +0200 Subject: [PATCH] cert-show: check if certificate_out is in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None, though. https://pagure.io/freeipa/issue/6885 --- ipaclient/plugins/cert.py | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py index a4ee9a9..1809de0 100644 --- a/ipaclient/plugins/cert.py +++ b/ipaclient/plugins/cert.py @@ -49,9 +49,14 @@ class CertRetrieveOverride(MethodOverride): ) def forward(self, *args, **options): -certificate_out = options.pop('certificate_out', None) -if certificate_out is not None: +if 'certificate_out' in options: +certificate_out = options.pop('certificate_out') +if certificate_out is None: +raise errors.ValidationError(name='certificate-out', + error=_(u'cannot be empty')) util.check_writable_file(certificate_out) +else: +certificate_out = None result = super(CertRetrieveOverride, self).forward(*args, **options) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
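Review bot: the new branch raises `errors.ValidationError(name='certificate-out', error=_(u'cannot be empty'))`, but the hunk does not show `errors` or `_` being imported in `ipaclient/plugins/cert.py`; check that both are available in this module or the client will fail with a NameError exactly when a user passes an empty `--certificate-out`. The `else: certificate_out = None` arm is needed because the later code still uses the variable, which is fine, but a one-line comment saying that absent and empty are deliberately different cases would save the next reader the trip to the ticket.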
[Freeipa-devel] [freeipa PR#770][opened] cert-show: writable files does not mean dirs
URL: https://github.com/freeipa/freeipa/pull/770 Author: stlaz Title: #770: cert-show: writable files does not mean dirs Action: opened PR body: """ ipalib.util.check_writable_file didn't check whether the argument is an actual file which is now fixed. https://pagure.io/freeipa/issue/6883 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/770/head:pr770 git checkout pr770 From 8e14e41045971193649e8f3acc0bbab0c053b7a8 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 9 May 2017 17:49:56 +0200 Subject: [PATCH] cert-show: writable files does not mean dirs ipalib.util.check_writable_file didn't check whether the argument is an actual file which is now fixed. https://pagure.io/freeipa/issue/6883 --- ipalib/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..f89ac14 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -171,7 +171,7 @@ def check_writable_file(filename): if filename is None: raise errors.FileError(reason=_('Filename is empty')) try: -if os.path.exists(filename): +if os.path.isfile(filename): if not os.access(filename, os.W_OK): raise errors.FileError(reason=_('Permission denied: %(file)s') % dict(file=filename)) else: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
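Review bot: with `os.path.isfile()` an existing directory now falls through to the `else:` branch, whose body is outside the hunk; if that branch only checks that the parent directory is writable, a directory argument is reported as writable and the later open() fails with IsADirectoryError instead of a clear message. Add an explicit `os.path.isdir(filename)` check that raises `FileError` with its own reason. Either way the check is advisory: the path can change between the check and the write, so the caller still has to handle errors from the actual open().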
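To make the distinction the one-line fix relies on concrete, here is an added example; it is not FreeIPA's `ipalib.util.check_writable_file`, and its `FileError` class is a hypothetical stand-in for `ipalib.errors.FileError`. It reports each failure case separately (directory given instead of a file, something that exists but is not a regular file, missing or unwritable parent) and exercises them against a temporary directory it creates itself.

```python
"""Added example, not FreeIPA code: a check_writable_file() that names the
cases the os.path.exists() version ran together.
"""
import os
import tempfile


class FileError(Exception):
    """Hypothetical stand-in for ipalib.errors.FileError."""


def check_writable_file(filename):
    """Return the absolute path if it is a writable regular file, or a place where
    one can be created; otherwise raise FileError with a specific reason."""
    if not filename:
        raise FileError("Filename is empty")
    path = os.path.abspath(filename)
    if os.path.isdir(path):
        raise FileError("Is a directory: %s" % path)
    if os.path.exists(path):
        # Exists but is a socket, device, FIFO, ...: refuse rather than write into it.
        if not os.path.isfile(path):
            raise FileError("Not a regular file: %s" % path)
        if not os.access(path, os.W_OK):
            raise FileError("Permission denied: %s" % path)
        return path
    parent = os.path.dirname(path)
    if not os.path.isdir(parent):
        raise FileError("Directory does not exist: %s" % parent)
    if not os.access(parent, os.W_OK):
        raise FileError("Permission denied: %s" % parent)
    return path


def classify(filename):
    """Reason label for a path ("ok" or the FileError reason), for demonstration."""
    try:
        check_writable_file(filename)
        return "ok"
    except FileError as e:
        return str(e).split(":")[0]


def demo():
    """Run the check against constructed paths in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "cert.pem")
        with open(existing, "w") as f:
            f.write("constructed sample\n")
        return {
            "directory": classify(d),
            "existing file": classify(existing),
            "new file": classify(os.path.join(d, "out.pem")),
            "missing parent": classify(os.path.join(d, "nope", "out.pem")),
            "empty": classify(""),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-15s %s" % (case, result))
```

The check is still only a hint to the user: the file can be replaced by a directory or a symlink between the check and the write, so the code that actually opens the file must handle its own errors rather than trust this result.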
[Freeipa-devel] [freeipa PR#769][opened] test_caless: add pkinit option and test it
URL: https://github.com/freeipa/freeipa/pull/769
Author: Rezney
Title: #769: test_caless: add pkinit option and test it
Action: opened

PR body:
"""
What was done?
~~~
1.) caless-create-pki

The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chain order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided, "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to the installer. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() because tests were failing there but that whole workaround for ticket 4639 will be removed in a different commit.
~~~
What can be improved? (at least what I am aware of)
~~~
Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.).
~~~
Issues found:
~~~
Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented:

[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server
~~~
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/769/head:pr769
git checkout pr769

From e8fbb3de2436936370b3be3df5c5dfbd59670333 Mon Sep 17 00:00:00 2001
From: Michal Reznik
Date: Tue, 9 May 2017 16:39:45 +0200
Subject: [PATCH] test_caless: add pkinit option and test it

change "caless-create-pki" so pkinit certificates can be generated. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica install with pkinit.

Signed-off-by: Michal Reznik
---
 .../test_integration/scripts/caless-create-pki | 112 -
 ipatests/test_integration/test_caless.py       |  77 +++---
 2 files changed, 150 insertions(+), 39 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..816e7dc 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -1,14 +1,29 @@ #!/bin/bash -e -profile_ca=(-t CT,C,C -v 120) -profile_server=(-t ,, -v 12) - -crl_path=${crl_path-$(readlink -f $dbdir)} - -serial_number=0 +profile_ca_request_options=(-1 -2 -4) +profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_ca_create_options=(-v 120) +profile_ca_add_options=(-t CT,C,C) +profile_server_request_options=(-4) +profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_server_create_options=(-v 12) +profile_server_add_options=(-t ,,) + +write_chain() { +local nick="$1" + +chain=`certutil -O -d $dbdir -n "$nick" | + sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"` + +while read -r name; do +# OpenSSL requires a reverse order to what we get from NSS +echo -e "`certutil -L -d "$dbdir" -n "$name" -a`\n`cat $dbdir/$nick.pem` +" >
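Review bot: `write_chain()` reads `$dbdir/$nick.pem` with `cat` on the very first loop iteration, before the function has written anything to it; if that file does not already exist, `cat` prints an error that `set -e` never sees (the failure is inside a command substitution in an `echo` argument) and the first certificate is followed by a stray empty line. Either seed the file (`: > "$dbdir/$nick.pem"`) before the `while read` loop, or accumulate the chain in a variable and write the file once after the loop; while there, quote `$dbdir` in `certutil -O -d $dbdir` and `cat $dbdir/$nick.pem` as the rest of the function does.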
[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless
URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless

abbra commented:
"""
PKINIT certificates are used by `krb5kdc` which uses OpenSSL. It means they cannot be placed in an NSSDB.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/768#issuecomment-300203017
[Freeipa-devel] [freeipa PR#671][+pushed] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies
Label: +pushed
[Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

MartinBasti commented:
"""
master:

* bd5a5012d24820b54cdca2955f5405b84de1178c Slim down dependencies
"""

See the full comment at https://github.com/freeipa/freeipa/pull/671#issuecomment-300198093
[Freeipa-devel] [freeipa PR#671][closed] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
Title: #671: Slim down dependencies
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
[Freeipa-devel] [freeipa PR#671][+ack] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies
Label: +ack
[Freeipa-devel] [freeipa PR#768][closed] Ticket#6854 caless
URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
Title: #768: Ticket#6854 caless
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768
[Freeipa-devel] [freeipa PR#768][edited] Ticket#6854 caless
URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
Title: #768: Ticket#6854 caless
Action: edited
Changed field: body
Original value:
"""
What was done?
~~
1.) caless-create-pki

The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chain order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided, "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to the installer. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() because tests were failing there but that whole workaround for ticket 4639 will be removed in a different commit.

What can be improved? (at least what I am aware of)
~
Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.).

Issues found:
~
Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented:

[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server
"""
[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 From ac19e97b02c65a4728239a134e5d2bc39a08672f Mon Sep 17 00:00:00 2001 From: Felipe VolponeDate: Thu, 4 May 2017 09:51:07 -0300 Subject: [PATCH] Fixing adding authenticator indicators to host The check for krbprincipalaux in the entries is now made case-insensitively. https://pagure.io/freeipa/issue/6911 --- ipaserver/plugins/host.py | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index dcadd54..15bd25d 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -920,7 +920,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): else: _entry_attrs = ldap.get_entry(dn, ['objectclass']) obj_classes = _entry_attrs['objectclass'] -if 'ieee802device' not in obj_classes: +if 'ieee802device' not in [item.lower() for item in obj_classes]: obj_classes.append('ieee802device') entry_attrs['objectclass'] = obj_classes @@ -940,7 +940,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): else: _entry_attrs = ldap.get_entry(dn, ['objectclass']) obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass'] -if 'ipasshhost' not in obj_classes: +if 'ipasshhost' not in [item.lower() for item in obj_classes]: obj_classes.append('ipasshhost') update_krbticketflags(ldap, entry_attrs, attrs_list, options, True) 
@@ -949,14 +949,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): if 'objectclass' not in entry_attrs: entry_attrs_old = ldap.get_entry(dn, ['objectclass']) entry_attrs['objectclass'] = entry_attrs_old['objectclass'] -if 'krbticketpolicyaux' not in entry_attrs['objectclass']: +if 'krbticketpolicyaux' not in [item.lower() for item in +entry_attrs['objectclass']]: entry_attrs['objectclass'].append('krbticketpolicyaux') if 'krbprincipalauthind' in entry_attrs: if 'objectclass' not in entry_attrs: entry_attrs_old = ldap.get_entry(dn, ['objectclass']) entry_attrs['objectclass'] = entry_attrs_old['objectclass'] -if 'krbprincipalaux' not in entry_attrs['objectclass']: +if 'krbprincipalaux' not in [item.lower() for item in + entry_attrs['objectclass']]: entry_attrs['objectclass'].append('krbprincipalaux') add_sshpubkey_to_attrs_pre(self.context, attrs_list) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
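Review bot: the `[item.lower() for item in ...]` idiom now appears four times across these hunks (`ieee802device`, `ipasshhost`, `krbticketpolicyaux`, `krbprincipalaux`), each time building a throwaway list just to do one membership test; a small helper such as `def _has_objectclass(obj_classes, name): return name in (oc.lower() for oc in obj_classes)` keeps the four sites identical, states the case-insensitivity rule once, and is where a future fix would go. The comparison literals being lowercase is correct, since LDAP objectClass values are matched case-insensitively.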
[Freeipa-devel] [freeipa PR#768][opened] Ticket#6854 caless
URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
Title: #768: Ticket#6854 caless
Action: opened

PR body:
"""
What was done?
~~
1.) caless-create-pki

The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chain order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not provided, "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to the installer. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() because tests were failing there but that whole workaround for ticket 4639 will be removed in a different commit.

What can be improved? (at least what I am aware of)
~
Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.).

Issues found:
~
Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented:

[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768
[Freeipa-devel] Moving our wiki back to password login
Hello all,

As some of you noticed, FreeIPA wiki authentication via OpenID was broken in the last days. I suspect (but did not get a reply from Patrick, who is running the Fedora infra, yet) that it was caused by Fedora moving to a more modern authentication protocol, i.e. from OpenID to OpenID Connect (OIDC): https://fedoraproject.org/wiki/Infrastructure/Authentication

Unfortunately, I cannot make the OIDC login for our current FreeIPA instance available, given that our wiki runs on OpenShift v2 which uses the PHP 5.3.3 cartridge, which can get us only as far as Mediawiki 1.26. The OIDC mediawiki authentication plugin is supported from 1.27 forward. So the wiki needs to be either:

- migrated to a newer PHP cartridge on the current Red Hat OpenShift v2 instance
- migrated to OpenShift v3 (preferred)

to unblock us from this situation and get to proper OIDC authentication. However, this will need more time and preparation (which I do not even have right now).

For now, I simply disabled OpenID authentication in our wiki and enabled password logins again! Anonymous account creation is disabled to avoid spammers. However, given that we now require people to be in a special group (editors) to fight the spammers, there is actually no big functionality lost in this, except having to use yet another password.

To summarize, if you want to access the wiki again, please use the password you may have had before we migrated to Fedora OpenID. If you do not have the password yet, you should be able to simply reset it before logging in and you should get an email (the mail part did not work for martbab this afternoon, though). In the worst case, I can reset the password for you, just shoot me an email.

Thanks!

-- Martin Kosek, Manager, Software Engineering - Identity Management Team, Red Hat, Inc.
[Freeipa-devel] [freeipa PR#729][+ack] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf Label: +ack
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tiran commented: """ @tomaskrizek yes, custodia 0.5 will no longer have the restriction. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300173956
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ @tiran Once this PR is merged, do you plan to remove the conflict with `freeipa-server-common < 4.5` from custodia or do we need to address something else as well? """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300163978
[Freeipa-devel] [freeipa PR#766][closed] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766
[Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys MartinBasti commented: """ master:
* 8983ce53e3fdee98926f81f3012146e33bb92d30 ipa-kra-install: fix check_host_keys

ipa-4-5:
* b90dce88e227174aa33270beee9b3d6ff51cce59 ipa-kra-install: fix check_host_keys
""" See the full comment at https://github.com/freeipa/freeipa/pull/766#issuecomment-300148119
[Freeipa-devel] [freeipa PR#766][+pushed] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys Label: +pushed
[Freeipa-devel] [freeipa PR#766][+ack] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys Label: +ack
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Alright, thanks. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300146298
[Freeipa-devel] [freeipa PR#760][+ack] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 Label: +ack
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tiran commented: """ The patch doesn't work with custodia 0.1. It needs at least 0.2.0-1. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300143282
[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: [4.4] Run ipa-custodia under Python 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 From c804d46f1faa265a6951e782213f63ae2e051ede Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Wed, 3 May 2017 16:38:21 +0200 Subject: [PATCH] Run ipa-custodia under Python 2 Closes: https://pagure.io/freeipa/issue/6926 Signed-off-by: Christian Heimes --- freeipa.spec.in | 10 ++ init/systemd/ipa-custodia.service | 3 +-- install/tools/Makefile.am | 1 + install/tools/ipa-custodia| 6 ++ 4 files changed, 14 insertions(+), 6 deletions(-) create mode 100755 install/tools/ipa-custodia diff --git a/freeipa.spec.in b/freeipa.spec.in index e0f1df2..21f2416 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -112,7 +112,8 @@ BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 BuildRequires: python-six BuildRequires: python-jwcrypto -BuildRequires: custodia +# install/tools/ipa-custodia needs custodia 0.2+ +BuildRequires: custodia >= 0.2 BuildRequires: libini_config-devel >= 1.2.0 BuildRequires: dbus-python BuildRequires: python-netifaces >= 0.10.4 @@ -246,7 +247,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= 2.4.6-31 Requires: systemd-units >= 38 -Requires: custodia +Requires: custodia >= 0.2 Provides: %{alt_name}-server-common = %{version} Conflicts: %{alt_name}-server-common @@ -498,7 +499,7 @@ Requires: python-jwcrypto Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests -Requires: python-custodia +Requires: python-custodia >= 0.2 Requires: python-dns >= 1.13 Requires: python-netifaces >= 0.10.4 Requires: pyusb 
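Review bot: the rationale comment `# install/tools/ipa-custodia needs custodia 0.2+` sits only above the `BuildRequires` line, while the runtime `Requires: custodia >= 0.2` and `Requires: python-custodia >= 0.2` bumps in the following hunks carry no explanation; either repeat a short comment there or refer to the BuildRequires one, so a packager editing the Requires section sees why the floor moved (the thread states the wrapper does not work with custodia 0.1).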
@@ -546,7 +547,7 @@ Requires: python3-six Requires: python3-jwcrypto Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 -Requires: python3-custodia +Requires: python3-custodia >= 0.2 Requires: python3-requests Requires: python3-dns >= 1.11.1 Requires: python3-netifaces >= 0.10.4 @@ -1069,6 +1070,7 @@ fi %{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service index ff930fb..63246c4 100644 --- a/init/systemd/ipa-custodia.service +++ b/init/systemd/ipa-custodia.service @@ -3,8 +3,7 @@ Description=IPA Custodia Service [Service] Type=simple - -ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf +ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf PrivateTmp=yes Restart=on-failure RestartSec=60s diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 2866a30..66ee9e3 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -38,6 +38,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ + ipa-custodia \ ipa-httpd-kdcproxy \ ipa-pki-retrieve-key \ $(NULL) diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia new file mode 100755 index 000..2086a9c --- /dev/null +++ b/install/tools/ipa-custodia @@ -0,0 +1,6 @@ +#!/usr/bin/python2 +# Copyright (C) 2017 IPA Project Contributors, see COPYING for license +from custodia.server import main + +if __name__ == '__main__': +main() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
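Review bot: the new `install/tools/ipa-custodia` wrapper hard-codes `#!/usr/bin/python2` with no comment saying why; a one-line note that it exists only to run custodia under Python 2 (the thread says custodia 0.5 lifts that restriction) would tell a later reader when the wrapper can be dropped and the unit's `ExecStart` pointed back at `/usr/sbin/custodia`.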
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Works for me. However, I do not see the reason to do `custodia > 0.2`, please, either provide some or remove it. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300140520
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA stlaz commented: """ @pvoborni @rcritten @martbab This discussion at this PR makes no sense. Clearly we can see that the impact is much higher and should be discussed on designated channels, meaning either the **freeipa-devel** mailing list or our issue tracking system (the former would be preferable, with having the result in the latter). I believe that the guys from the Dogtag project could also have great insight on this. Here are the questions which should answer why I want this to be discussed there:

- how to handle users so they don't use `ipa-ca-install --uninstall` any time?
- at which point is the installation recoverable and when is it not?
- describe what happens in each and every step, mention which files and entries are created
  - on master
  - on replica
- describe what has to be done in case a step fails, for each and every step
  - on master
  - on replica
- describe how `ipa-ca-install` rollback should behave when installing the first CA in a CA-less setup

These problems are just from the top of my head and I am a CA installation noob. I would however be very cautious not knowing an answer to either of those. @rcritten if you do know the answers, please, share them with us (or maybe just me because I sure don't know them), it would help a lot with deciding on where to go from here. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300120774
[Freeipa-devel] [freeipa PR#762][+ack] fix managed-entries printing IPA not installed
URL: https://github.com/freeipa/freeipa/pull/762 Title: #762: fix managed-entries printing IPA not installed Label: +ack
[Freeipa-devel] [freeipa PR#725][closed] Fix certificate_out check in CertRetrieveOverride
URL: https://github.com/freeipa/freeipa/pull/725 Author: Akasurde Title: #725: Fix certificate_out check in CertRetrieveOverride Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/725/head:pr725 git checkout pr725
[Freeipa-devel] [freeipa PR#726][closed] Add check for directory name
URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726
[Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys flo-renaud commented: """ Hi @MartinBasti @martbab thank you for the comment. PR updated with your suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/766#issuecomment-300101597
[Freeipa-devel] [freeipa PR#766][synchronized] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 From 3e5250cfcd003b0bd72ba77fff5c1d03d23ebc89 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Fri, 5 May 2017 17:06:09 +0200 Subject: [PATCH] ipa-kra-install: fix check_host_keys ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 --- ipaserver/secrets/kem.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index c1991c6..3363d82 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -72,7 +72,7 @@ def get_key(self, usage, principal): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) 
@@ -85,9 +85,8 @@ def check_host_keys(self, host): ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) r = conn.search_s(self.keysbase, scope, ldap_filter) -if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" - "public key for %s" % (len(r), host)) +if not r: +raise ValueError("No public keys were found for %s" % host) return True def _format_public_key(self, key): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
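Review bot: relaxing the check from exactly one result to `if not r:` makes `check_host_keys` pass as soon as any key for the host is visible, but the commit message says the method exists to wait out replication and that two keys may exist (one below `cn=custodia`, one below `cn=dogtag,cn=custodia`); if ipa-kra-install needs the dogtag one, the check can now return True after only the first key has replicated, leaving the race it was meant to close. Consider filtering for the specific key the caller needs, or asserting the expected count when both are required.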
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ @pvoborni We can try to move the uninstaller logic to the beginning of the install, or make the affected steps idempotent. But still I would be hesitant to merge this PR without some design in place. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300098837
[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: [4.4] Run ipa-custodia under Python 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 From d30ea463bc0671af542e7d86ec9d753209b7dfa6 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Wed, 3 May 2017 16:38:21 +0200 Subject: [PATCH] Run ipa-custodia under Python 2 Closes: https://pagure.io/freeipa/issue/6926 Signed-off-by: Christian Heimes --- freeipa.spec.in | 9 + init/systemd/ipa-custodia.service | 3 +-- install/tools/Makefile.am | 1 + install/tools/ipa-custodia| 6 ++ 4 files changed, 13 insertions(+), 6 deletions(-) create mode 100755 install/tools/ipa-custodia diff --git a/freeipa.spec.in b/freeipa.spec.in index e0f1df2..0b0761b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -112,7 +112,7 @@ BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 BuildRequires: python-six BuildRequires: python-jwcrypto -BuildRequires: custodia +BuildRequires: custodia > 0.2 BuildRequires: libini_config-devel >= 1.2.0 BuildRequires: dbus-python BuildRequires: python-netifaces >= 0.10.4 @@ -246,7 +246,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= 2.4.6-31 Requires: systemd-units >= 38 -Requires: custodia +Requires: custodia > 0.2 Provides: %{alt_name}-server-common = %{version} Conflicts: %{alt_name}-server-common @@ -498,7 +498,7 @@ Requires: python-jwcrypto Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests -Requires: python-custodia +Requires: python-custodia > 0.2 Requires: python-dns >= 1.13 Requires: python-netifaces >= 0.10.4 Requires: pyusb 
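Review bot: `BuildRequires: custodia > 0.2` (and the matching `Requires: custodia > 0.2` and `python-custodia > 0.2` lines in this patch) excludes version 0.2 itself, while the thread states the script needs at least 0.2.0-1; `>= 0.2` is the comparison that matches that statement. As asked in review, a comment giving the reason for the floor belongs next to the requirement.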
@@ -546,7 +546,7 @@ Requires: python3-six Requires: python3-jwcrypto Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 -Requires: python3-custodia +Requires: python3-custodia > 0.2 Requires: python3-requests Requires: python3-dns >= 1.11.1 Requires: python3-netifaces >= 0.10.4 @@ -1069,6 +1069,7 @@ fi %{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service index ff930fb..63246c4 100644 --- a/init/systemd/ipa-custodia.service +++ b/init/systemd/ipa-custodia.service @@ -3,8 +3,7 @@ Description=IPA Custodia Service [Service] Type=simple - -ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf +ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf PrivateTmp=yes Restart=on-failure RestartSec=60s diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 2866a30..66ee9e3 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -38,6 +38,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ + ipa-custodia \ ipa-httpd-kdcproxy \ ipa-pki-retrieve-key \ $(NULL) diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia new file mode 100755 index 000..2086a9c --- /dev/null +++ b/install/tools/ipa-custodia @@ -0,0 +1,6 @@ +#!/usr/bin/python2 +# Copyright (C) 2017 IPA Project Contributors, see COPYING for license +from custodia.server import main + +if __name__ == '__main__': +main() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#767][closed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/767 Author: tomaskrizek Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/767/head:pr767 git checkout pr767
[Freeipa-devel] [freeipa PR#767][comment] [4.5] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ ipa-4-5:
* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http instance
""" See the full comment at https://github.com/freeipa/freeipa/pull/767#issuecomment-300098076
[Freeipa-devel] [freeipa PR#767][+pushed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Label: +pushed
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA pvoborni commented: """ Let's first clarify the problem to solve. If I understand @rcritten right, the problem is that if ipa-ca-install fails then one must reinstall the whole replica because the failed installation left garbage behind and a subsequent installer is not able to handle the garbage. Uninstallation of a successful CA installation is not the intent, right? If so, then it seems to me that both of you are in agreement. And I would add that I completely agree with CA uninstall not being a goal because it would add just another use case to support with a benefit I don't see. So if the goal is a repeatable ipa-ca-install then let's not talk about creating a CA uninstaller but rather about CA cleanup, and let's hide/remove the `--uninstall` option and figure out how it should behave - i.e. let it be internal. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300097665
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ External CA (rebased on current master to be able to install):

```
$ kinit -n
kinit: Invalid certificate while getting initial credentials
$ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
kinit: Invalid certificate while getting initial credentials
```

and on replica:

```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```

=> this breaks WebUI on external CA installations.

= CA-less with `--no-pkinit`:

```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```

but I guess that's expected, WebUI works since the following does work as well:

```
$ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
```

= In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce:

```
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
ipa : ERROR Failed to configure PKINIT
Done configuring Kerberos KDC (krb5kdc).
```

when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate. """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018
[Freeipa-devel] [freeipa PR#767][+ack] [4.5] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Label: +ack
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ @rcritten If it is expected to not clean up properly after a failed installation then I would rather not advertise it as an uninstaller, otherwise users will start to get ideas like "I do not want to use built-in CA anymore, let's just uninstall it and use 3rd party certs everywhere" and will run into problems with leftover certificates and such. I would rather provide some rollback after failed install but again, I think there should be a more extensive discussion about a generic solution applicable to all service installers. Also I would not claim that we actually do not have a service uninstaller framework since every service installer has a copy-pasted code in an ad-hoc coded uninstall method repeated ad nauseam. From what I have glimpsed from `ipa-4-5` branch, `Service` class does not even provide `uninstall` abstract method to override, only `SimpleServiceInstance` does that. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300090846
[Freeipa-devel] [freeipa PR#767][opened] [4.5] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/767 Author: tomaskrizek Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Action: opened PR body: """ Original PR: #752 --- This issue prevented from upgrading from IPA 4.1. I also discovered a missing python dependency when I was running the ipa-server-upgrade manually. For packagers: the Python version that has the required symbols in CentOS is 2.7.5-24 https://pagure.io/freeipa/issue/6920 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/767/head:pr767 git checkout pr767 From f8aa9c33f530ebf875b707a80068106853158bb1 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Tue, 2 May 2017 18:32:34 +0200 Subject: [PATCH 1/3] python2-ipalib: add missing python dependency Commit dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 started to use ssl symbols like ssl.OP_NO_SSLv2 that were introduced in Python 2.7.9. Related https://pagure.io/freeipa/issue/6920 --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b7410b..1dd550b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -639,6 +639,7 @@ Requires: python-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: pyOpenSSL +Requires: python >= 2.7.9 Requires: python-nss >= 0.16 Requires: python-cryptography >= 1.4 Requires: python-netaddr From 3c96c97a82fbf6907aca7f885fdd1051389e0e57 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 2 May 2017 18:42:13 +0200 Subject: [PATCH 2/3] installer service: fix typo in service entry The typo would result in incorrect resolution of existing keys and their existence wasn't properly logged as intended. Related https://pagure.io/freeipa/issue/6920 --- ipaserver/install/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6b5e69c..1aa49ed 100644 --- a/ipaserver/install/service.py 
+++ b/ipaserver/install/service.py @@ -181,7 +181,7 @@ def set_service_entry_config(name, fqdn, config_values, except errors.NotFound: pass else: -existing_values = entry.get('ipaConnfigString', []) +existing_values = entry.get('ipaConfigString', []) for value in config_values: if case_insensitive_attr_has_value(existing_values, value): root_logger.debug( From e39ca833903a109c112073ffd67ae17076b57c27 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 2 May 2017 19:26:04 +0200 Subject: [PATCH 3/3] upgrade: add missing suffix to http instance During an upgrade, http.suffix is used to identify ldap entry when configuring kdc proxy. When the suffix is missing, the script crashed when enabling KDC proxy, because it used invalid DN. Fixes https://pagure.io/freeipa/issue/6920 --- ipaserver/install/server/upgrade.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 4d8fd66..9aec2d8 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1638,6 +1638,7 @@ def upgrade_configuration(): http = httpinstance.HTTPInstance(fstore) http.fqdn = fqdn http.realm = api.env.realm +http.suffix = ipautil.realm_to_suffix(api.env.realm) http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
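Review bot: `Requires: python >= 2.7.9` in the python2-ipalib hunk encodes the upstream version that introduced `ssl.OP_NO_SSLv2`, but the PR body says CentOS ships those symbols in a backported 2.7.5-24; on such a system this requirement can never be satisfied even though the code works. Either make the floor distribution-specific (the PR body already names 2.7.5-24 for CentOS) behind a conditional, or drop the version floor and document the needed symbol instead.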
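Review bot: the `ipaConnfigString` fix in the service.py hunk means `entry.get(...)` was always returning the `[]` default before, so `case_insensitive_attr_has_value` never matched and the debug branch never fired; a test that configures the same value twice and asserts it is not written a second time would have caught this and should accompany the fix, since the bug only surfaced through the upgrade crash in the third patch.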
[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From c0c79f0b0fdaf0b5a1bfe0d92018f3bf12373907 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d72feb8..97baa60 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -822,7 +822,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 9e9bcaa70bc8e7b307ecd99e247311796b9fd32d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 28 Feb 2017 10:55:54 + Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. https://pagure.io/freeipa/issue/5799 --- ipaserver/install/server/upgrade.py | 28 +++- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9aec2d8..84692d3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http): template = paths.CERTMONGER_COMMAND_TEMPLATE serverid = installutils.realm_to_serverid(api.env.realm) -# bump version when requests is changed -version = 6 requests = [ { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http): } ] -root_logger.info("[Update certmonger certificate renewal configuration to " - "version %d]" % version) +root_logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): root_logger.info('CA is not configured') return False -state = 'certificate_renewal_update_%d' % version -if sysupgrade.get_upgrade_state('dogtag', state): -return False - # State not set, lets see if we are already configured for request in requests: request_id = certmonger.get_request_id(request) if request_id is None: break else: -sysupgrade.set_upgrade_state('dogtag', state, True) -root_logger.info("Certmonger certificate renewal configuration is " - "already at version %d" % version) return False # Ok, now we need to stop tracking, then we can start tracking them @@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http): ds.stop_tracking_certificates(serverid) http.stop_tracking_certificates() -if not sysupgrade.get_upgrade_state('dogtag', -'certificate_renewal_update_1'): -filename = paths.CERTMONGER_CAS_CA_RENEWAL -if
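Review bot: after changing `if profile or is_renewal_master():` to `if is_renewal_master():` in the dogtag-ipa-ca-renew-agent-submit hunk, the `profile = os.environ.get('CERTMONGER_CA_PROFILE')` assignment two lines above is left in place; if `profile` is not used elsewhere in main(), remove it so the fix does not leave a dead variable behind. It would also help to state in the commit message that a replica which is not the renewal master now takes the `retrieve_cert_continuous` path for real-profile certificates too, since that is the behavioural change a reader of the one-line diff has to infer.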
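Review bot: the cainstance.py hunk swaps `paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT` for `paths.CERTMONGER_DOGTAG_SUBMIT` while keeping the same argument list (`--dbdir`, `--nickname`, `--cafile`, ...); please confirm that the dogtag-submit helper accepts exactly these options, because the two helpers are different programs and the commit message only explains why the renew agent cannot be used this early in the install, not that the invocation is interchangeable.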
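Review bot: in the second upgrade.py hunk of "server upgrade: always fix certmonger tracking request" the comment `# State not set, lets see if we are already configured` is now misleading, since no sysupgrade state is consulted any more; reword it to say the loop checks whether every request is already tracked. The removed `root_logger.info(... "already at version %d" ...)` was the only message in the all-tracked branch, so a run that changes nothing is now silent about it; a short info line before that `return False` keeps the upgrade log readable. Also, the `certificate_renewal_update_%d` state keys written by earlier upgrades stay in the sysupgrade state file and are never read again; either clean them up or note in the commit message that they are obsolete.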