[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Jan Cholasta jcholast at redhat.com
Thu Jun 16 12:58:21 UTC 2011


On 14.6.2011 15:16, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 6.6.2011 21:25, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>>>> The goal is to not import foreign certificates.
>>>>>
>>>>> This caused a bunch of tests to fail because we had a hardcoded server
>>>>> certificate. Instead a developer will need to run make-testcert to
>>>>> create a server certificate generated by the local CA to test against.
>>>>>
>>>>> ticket 1134
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> NACK
>>>>
>>>> The certificate isn't verified in host-add.
>>>>
>>>> I suspect that certificates signed by an intermediate CA (i.e. when the
>>>> certificate chain length > 2) are considered invalid. Is that the
>>>> desired behavior?
>>>
>>> That will work as long as the issuer is the IPA CA. I see that if we are
>>> given a service cert issued by another CA in the chain things could go
>>> badly. I'm not sure this is something to really worry about though.
>>
>> I guess it's not. But I'd like a second opinion on that.
>
> We really only want to support those certs we issue otherwise things
> like revocation get tricky, because we can't manage things we don't issue.
>
>>
>>>
>>>>
>>>> make-testcert fails with:
>>>>
>>>> Traceback (most recent call last):
>>>> File "./make-testcert", line 126, in <module>
>>>> sys.exit(makecert(reqdir))
>>>> File "./make-testcert", line 105, in makecert
>>>> add=True)
>>>> File "./make-testcert", line 66, in run
>>>> result = self.execute(method, *args, **options)
>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
>>>> raise error #pylint: disable=E0702
>>>> ipalib.errors.CommandError: unknown command 'cert_request'
>>>>
>>>> This is probably an error on my part (tried running it on both my
>>>> machine without IPA installed and on a VM with IPA installed with no
>>>> luck), but nonetheless it should be fixed to fail gracefully so that
>>>> the tests in "make test" have a chance to run. Similarly, the tests which
>>>> use the test certificate created by make-testcert should be skipped if
>>>> the certificate isn't available.
>>>
>>> You need to take the certificate databases from a self-signed install
>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. There
>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>>>
>>> I think this should be mandatory as certificates are a main feature of
>>> v2.
>>
>> No matter what I do, I'm still getting the unknown command error. Can
>> you describe the steps needed to make make-testcert successfully run?
>>
>> BTW, it would be nice if "make test" printed an informational message
>> when the requirements to run the tests aren't met instead of failing
>> with some random error.
>
> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
> comment out the xmlrpc_uri. This is now caught by the script.
>
> rob

These tests fail:

test_host[19]: service_mod: Update 
u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... FAIL
test_host[20]: service_show: Retrieve 
u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to 
verify update ... FAIL

because they expect the CN to be puma.greyoak.com. I'm not sure if this 
issue is in the scope of this patch - if it's not, then ACK.

Honza

-- 
Jan Cholasta
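An added example, not code from the patch or from FreeIPA, of the issuer rule discussed above (only certificates our own CA issued are accepted) and of the intermediate-CA question raised in the thread. It is written against Go's standard crypto/x509 rather than FreeIPA's Python code, builds constructed throwaway certificates in memory, and the CA and host names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkIssuer is the rule the patch enforces: only certificates issued by our CA pass. A matching
// issuer DN proves nothing on its own (a name can be copied), so the CA's signature is verified too.
func checkIssuer(cert, ipaCA *x509.Certificate) error {
	if cert.Issuer.String() != ipaCA.Subject.String() {
		return fmt.Errorf("issuer %q is not our CA", cert.Issuer.String())
	}
	return cert.CheckSignatureFrom(ipaCA)
}

// Scenarios runs checkIssuer over the cases discussed in the thread; a nil error means accepted.
func Scenarios() map[string]error {
	ipaCA, caKey := mkCert("Certificate Authority", true, nil, nil)
	subCA, subKey := mkCert("Intermediate CA", true, ipaCA, caKey)       // chain length 3
	otherCA, otherKey := mkCert("Certificate Authority", true, nil, nil) // unrelated CA with the same name
	direct, _ := mkCert("testhost1.example.test", false, ipaCA, caKey)
	viaSub, _ := mkCert("testhost2.example.test", false, subCA, subKey)
	foreign, _ := mkCert("testhost3.example.test", false, otherCA, otherKey)
	return map[string]error{
		"issued by IPA CA":          checkIssuer(direct, ipaCA),
		"issued by intermediate CA": checkIssuer(viaSub, ipaCA),
		"foreign CA, copied name":   checkIssuer(foreign, ipaCA),
	}
}
func main() { fmt.Println(Scenarios()) }
```

The certificate issued by the intermediate is rejected on the issuer name alone, which is the behaviour Rob describes for chains longer than two; the third case shows why the name comparison has to be backed by a signature check.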