[Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates
Jan Cholasta
jcholast at redhat.com
Wed Jul 25 14:31:54 UTC 2012
On 25.7.2012 16:01, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 07/23/2012 10:03 PM, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Andrew Wnuk wrote:
>>>>> On 07/16/2012 01:35 PM, Rob Crittenden wrote:
>>>>>> Nalin Dahyabhai wrote:
>>>>>>> On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
>>>>>>>> Use the new certmonger capability to be able to renew the dogtag
>>>>>>>> subsystem certificates (audit, OCSP, etc).
>>>>>>>
>>>>>>> Are the copies of the certificates in the pki-ca CS.cfg file being
>>>>>>> updated elsewhere? Or is it not turning out to be a problem if they
>>>>>>> aren't?
>>>>>>
>>>>>> I didn't test validating OCSP signatures but the audit subsystem
>>>>>> seemed fine (it complained wildly when I had the wrong trust in the
>>>>>> NSS db).
>>>>>>
>>>>>> Andrew, do I need to update CS.cfg as well?
>>>>>>
>>>>> Yes, you may need to update CS.cfg too.
>>>>
>>>> Ok, added a bit to update CS.cfg with the new certificate.
>>>
>>> This should fix some SELinux issues preventing certmonger from
>>> monitoring the dogtag certificate database in /var/lib/pki-ca/alias.
>>>
>>> rob
>>
>> I don't know enough about dogtag/certmonger to comment on the
>> functionality, but there are minor issues I can find. Attaching a patch
>> to fix them.
>>
>>
>> `make rpms` fails:
>>
>> rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
>> error: %changelog not in descending chronological order
>> make: *** [rpms] Error 1
>>
>>
>>
>> `git am` complains:
>>
>> Applying: Use certmonger to renew CA subsystem certificates
>> /home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at
>> EOF.
>> +
>> /home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at
>> EOF.
>> +
>> warning: 2 lines add whitespace errors.
>
> Thanks, integrated this patch and added a missing script, renew_ipacert.
>
> rob
>
NACK
First, a question: I haven't tested this (yet), but what happens when
someone uses the --{dirsrv,http,pkinit}_pkcs12 options of
ipa-server-install/ipa-replica-prepare? (There are also other options
which I suspect may cause trouble, namely --subject and --selfsign.)
install/restart_scripts/renew_ra_cert doesn't seem to be used anywhere.
ipa-replica-install --setup-ca fails with:
...
[13/15]: configure clone certificate renewals
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"
ipareplica-install.log:
...
2012-07-25T11:49:17Z DEBUG args=/usr/bin/certutil -L -d /etc/httpd/alias -n ipaCert
2012-07-25T11:49:17Z DEBUG stdout=
2012-07-25T11:49:17Z DEBUG stderr=certutil: Could not find cert: ipaCert
: File not found
2012-07-25T11:49:17Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 604, in run_script
    return_value = main_function()
  File "/sbin/ipa-replica-install", line 446, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1265, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 554, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 261, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1158, in configure_clone_renewal
    certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'restart_httpd')
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 364, in dogtag_start_tracking
    raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
2012-07-25T11:49:17Z INFO The ipa-replica-install command failed, exception: RuntimeError: Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"
(ipa-ca-install doesn't seem to suffer from the above issue.)
On clones, the CN=IPA RA,O=REALM certificate is tracked with post-save
command '/usr/lib64/ipa/certmonger/restart_httpd "ipaCert"', but
restart_httpd does not take any arguments (it does not break anything,
it's just weird).
Comments on individual files follow:
install/certmonger/Makefile.am:
Missing closing parenthesis:
+EXTRA_DIST = \
+ $(app_SCRIPTS \
install/certmonger/dogtag-ipa-retrieve-agent-submit:
Typo ("nicknamd"):
+# We cheat and pass in the nicknamd as the CA profile to execute against.
Are these guaranteed to be upper-case? I'd put operation.upper() here,
just to be on the safe side:
+if operation not in ['SUBMIT', 'POLL']:
+ sys.exit(6) # unsupported operation
This except block is not necessary; unhandled exceptions are caught in
the except block lower in the code:
+ sys.exit(5)
+ except Exception, e:
+ # Unhandled error
+ sys.exit(3)
+ finally:
install/restart_scripts/restart_dirsrv:
You import and initialize api, but then don't use it.
install/restart_scripts/*:
All these scripts could use more exception handling, but I guess
potential bugs can be sorted out later.
install/share/default-aci.ldif:
The ACIs are wrong (Kerberos principal instead of ldap URI in userdn; in
40-delegation.update it is done right).
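As an added illustration of the userdn problem described above (not code from the patch or from FreeIPA), the check below scans an LDIF file for 389-ds ACIs whose userdn/groupdn/roledn bind rules are not ldap:/// URIs. The sample LDIF, the DNs and the ACL names in it are constructed for the example; the real default-aci.ldif is not reproduced here.

```python
import re

# Constructed sample in the shape of an LDIF ACI update file. It is not
# FreeIPA's default-aci.ldif; the dn, ACL names and DNs are invented.
# The first aci has a bare principal DN in userdn (the kind of mistake
# the review points at); the second uses ldap:/// URIs, which is what
# 389-ds requires in a bind rule. The folded lines start with a space,
# as LDIF continuation lines do (a second space is the real content).
SAMPLE_LDIF = """\
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
aci: (targetattr = "userCertificate")(version 3.0; acl "Constructed: wrong
  userdn"; allow (write) userdn = "krbprincipalname=ipara/replica.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com";)
aci: (targetattr = "userCertificate")(version 3.0; acl "Constructed: right
  userdn"; allow (write) userdn = "ldap:///krbprincipalname=ipara/replica.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com || ldap:///cn=ra agents,cn=groups,dc=example,dc=com";)
"""

# Bind-rule keywords whose value must be one or more ldap:/// URIs.
DN_KEYWORDS = ("userdn", "groupdn", "roledn")

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
BIND_RULE_RE = re.compile(
    r'\b(%s)\s*(?:!=|=)\s*"([^"]*)"' % "|".join(DN_KEYWORDS), re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a single space
    continues the previous line, with that leading space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def check_aci(aci):
    """Return (acl_name, keyword, value) for every DN-keyword value in
    one ACI string that is not an ldap:/// URI."""
    m = ACL_NAME_RE.search(aci)
    name = m.group(1) if m else "<unnamed>"
    problems = []
    for keyword, value in BIND_RULE_RE.findall(aci):
        # Several URIs may be joined with "||"; each one is checked.
        for uri in (v.strip() for v in value.split("||")):
            if not uri.startswith("ldap:///"):
                problems.append((name, keyword.lower(), uri))
    return problems


def check_ldif(text):
    """Run check_aci over every 'aci:' attribute in an LDIF document."""
    problems = []
    for line in unfold_ldif(text):
        if line.lower().startswith("aci:"):
            problems.extend(check_aci(line[len("aci:"):].strip()))
    return problems


if __name__ == "__main__":
    for acl_name, keyword, value in check_ldif(SAMPLE_LDIF):
        print('ACI "%s": %s is not an LDAP URI: %s' % (acl_name, keyword, value))
```

Run against the constructed sample it reports only the first ACI; a value written as a bare DN or principal is flagged, a value written as `ldap:///...` (possibly several joined with `||`) passes.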
ipapython/certmonger.py:
This is ugly:
+ if sys.maxsize > 2**32:
+ libpath = 'lib64'
+ else:
+ libpath = 'lib'
Is it safe to show the PIN in "getcert -P <PIN>" in logs? If not, please
add an appropriate nolog argument to ipautil.run.
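To make concrete what the nolog argument is meant to achieve, here is an added example (not FreeIPA's ipautil.run) of redacting secrets from everything a command runner writes to its log: the command line itself and the captured stdout/stderr. The `getcert` command line and the PIN value `s3cr3tP1N` are constructed for the example, in the shape of the `getcert -P <PIN>` call mentioned above.

```python
import shlex
import subprocess

REDACTED = "XXXXXXXX"


def redact(text, nolog=()):
    """Replace every occurrence of each value in nolog with a fixed marker.

    Empty values are skipped (replacing "" would corrupt the text). Longer
    values are replaced first so a secret that contains another secret is
    masked as a whole rather than leaving a recognisable fragment."""
    for secret in sorted((s for s in nolog if s), key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


def loggable_command(args, nolog=()):
    """Shell-quoted command line with secrets masked, safe to write to a log.
    Redaction is per argument, so "-P<PIN>" is masked as well as "-P", "<PIN>"."""
    return " ".join(shlex.quote(redact(arg, nolog)) for arg in args)


def run_logged(args, nolog=(), log=print):
    """Run args; log the masked command line and masked output; return
    (returncode, stdout, stderr). The caller gets the unmasked output,
    only what goes to the log is redacted."""
    log("args=" + loggable_command(args, nolog))
    proc = subprocess.run(args, capture_output=True, text=True)
    log("stdout=" + redact(proc.stdout, nolog))
    log("stderr=" + redact(proc.stderr, nolog))
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Constructed values: a PIN that must never appear in the log, and a
    # command line in the shape of the getcert call from the review.
    pin = "s3cr3tP1N"
    print(loggable_command(
        ["getcert", "start-tracking", "-d", "/etc/httpd/alias", "-P", pin],
        nolog=(pin,)))
    # Demonstrate that the PIN is also masked when a command echoes it back.
    run_logged(["sh", "-c", "echo PIN is %s" % pin], nolog=(pin,))
```

The usual mistake is to redact only the argument vector and forget that a failing tool may echo its arguments in an error message, which is why `run_logged` passes stdout and stderr through the same `redact` before logging them.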
ipapython/platform/fedora16.py:
Can't we pick one name for pki-cad/pki_cad and use only that?
selinux/ipa_dogtag/ipa_dogtag.te:
Please use tabs here instead of spaces:
+ class file read;
+ class file getattr;
+ class file open;
(to be continued)
Honza
--
Jan Cholasta