[Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

Petr Viktorin pviktori at redhat.com
Tue Apr 2 10:06:31 UTC 2013


On 04/02/2013 12:05 PM, Petr Viktorin wrote:
> On 04/02/2013 10:48 AM, Jan Cholasta wrote:
>> On 29.3.2013 15:31, Petr Viktorin wrote:
>>> On 03/29/2013 11:20 AM, Jan Cholasta wrote:
>>>> On 29.3.2013 11:14, Jan Cholasta wrote:
>>>>> Also I was able to install IPA with revoked certificates, but it
>>>>> doesn't seem to break anything - the CRL specified in the
>>>>> certificates' CRL distribution point is not automatically imported
>>>>> into any of the NSS databases and when it is imported manually,
>>>>> everything still seems to work fine. I haven't checked OCSP. Can
>>>>> and/or do we want to do something about this?
>>>>
>>>> Update: the ipa command does not work:
>>>>
>>>> $ ipa host-show $HOSTNAME --all --raw
>>>> ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
>>>> ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
>>>> ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
>>>> -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
>>>> revoked.
>>>
>>> I think we can live with not checking CRLs now. I haven't found a way to
>>> download CRLs with certutil or python-nss (short of explicitly examining
>>> the certs, downloading the CRL and importing it, but I don't think IPA
>>> is the place for that).
>>> I've asked John.
>>
>> OK, thanks.
>>
>>>
>>>>> Patch 205:
>>>>>
>>>>> Can we instead require the PKCS#12 files to always contain the whole
>>>>> certificate chain? IMO that way it would be more obvious what should
>>>>> actually be in the files and it would make things easier should there
>>>>> ever be need for --root-ca-subject.
>>>
>>> Not requiring the root CA is a convenient shortcut. It's common to have
>>> certs signed directly by the CA, and in this case you can use either a
>>> single-cert PKCS#12 or one with the full chain.
>>> Actually, originally the full chain was required, and a user already
>>> complained :)
>>>
>>> If we add a new option, we can specify its requirements on the other
>>> options.
>>
>> No problem.
>>
>>>
>>> Adding a new patch for client installation.
>>>
>
> I found one more bug: the replica wasn't setting the ra_plugin option
> properly, preventing installing a replica of a replica.
> I squashed the following change into 204:
>
> diff --git a/install/tools/ipa-replica-install
> b/install/tools/ipa-replica-install
> index 8fce3a8..af80c1e 100755
> --- a/install/tools/ipa-replica-install
> +++ b/install/tools/ipa-replica-install
> @@ -539,6 +539,9 @@ def main():
>               fd.write("ra_plugin=dogtag\n")
>               fd.write("dogtag_version=%s\n" %
>                   dogtag.install_constants.DOGTAG_VERSION)
> +        else:
> +            fd.write("enable_ra=False\n")
> +            fd.write("ra_plugin=none\n")
>           fd.write("mode=production\n")
>           fd.close()
>       finally:
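Review bot: the new else branch writes both enable_ra=False and ra_plugin=none, but the visible true branch only shows ra_plugin=dogtag and dogtag_version being written; please confirm that enable_ra=True is written in the true branch above the shown context so the two branches set the same set of keys, otherwise a replica built from a CA-less replica could still fall back to whichever default the config reader applies when enable_ra is absent. A short comment on the else branch saying these values must match what the server-side config reader expects for "no RA" (the literal string none rather than a missing key) would document why the omission broke replica-of-replica installs, and a test that installs a replica from a CA-less replica would keep this from regressing.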
>

I forgot to attach the patches; here they are.

>
>> This is nothing critical, but I think that make-testcert should check if
>> dogtag is installed and when it's not, print a message informing the
>> user that they should issue the test certificate manually and place it
>> in the appropriate location.
>>
>> Besides that, ACK.
>
> I'll make another patch so this set is not delayed.
>
>> Honza
>>
>
>


-- 
Petr³
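The distinction the thread draws for Patch 205 (a single-cert PKCS#12 whose server cert is signed directly by the CA versus a file carrying the full chain), as an added example that is not part of the original post or of FreeIPA's code: it assumes the `cryptography` Python package and builds a constructed CA and server certificate in memory, then walks the chain using only what the PKCS#12 file contains.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import NoEncryption, pkcs12
from cryptography.x509.oid import NameOID


def _signed_by(cert, issuer):
    """True if `issuer`'s key signed `cert` (RSA PKCS#1 v1.5, as in the sample)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:  # InvalidSignature, or an issuer key that is not RSA
        return False


def chain_status(p12_bytes, password=None):
    """Walk from the server cert towards a self-signed root using only the certs
    bundled in the PKCS#12 file; return (certs_in_chain, reached_root)."""
    _key, leaf, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    pool = list(extra or [])
    current, length = leaf, 1
    while not _signed_by(current, current):      # stop at a self-signed root
        issuers = [c for c in pool if _signed_by(current, c)]
        if not issuers or length > len(pool):    # issuer is missing from the bundle
            return length, False
        current, length = issuers[0], length + 1
    return length, True


def _make_cert(subject, issuer, issuer_key, key, is_ca):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_bundles():
    """Constructed sample: a self-signed CA and a server cert it signs directly."""
    ca_key, srv_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    srv_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ipa.example.com")])
    ca = _make_cert(ca_name, ca_name, ca_key, ca_key, True)
    srv = _make_cert(srv_name, ca_name, ca_key, srv_key, False)
    full = pkcs12.serialize_key_and_certificates(b"srv", srv_key, srv, [ca], NoEncryption())
    single = pkcs12.serialize_key_and_certificates(b"srv", srv_key, srv, None, NoEncryption())
    return full, single
```

`(1, False)` is the single-cert shortcut the thread accepts and `(2, True)` the full chain; the walk checks signatures and names only, not validity periods or revocation, which the thread notes IPA also does not check.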
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0197.6-ipa-server-install-Make-temporary-pin-files-availabl.patch
Type: text/x-patch
Size: 6417 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0198.6-ipa-server-install-Remove-the-selfsign-option.patch
Type: text/x-patch
Size: 10375 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0200.6-Remove-unused-ipapython.certdb.CertDB-class.patch
Type: text/x-patch
Size: 6266 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0201.6-ipaserver.install.certs-Introduce-NSSDatabase-as-a-m.patch
Type: text/x-patch
Size: 13843 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0202.6-Trust-CAs-from-PKCS-12-files-even-if-they-don-t-have.patch
Type: text/x-patch
Size: 1126 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0203.6-dsinstance-httpinstance-Don-t-hardcode-Server-Cert.patch
Type: text/x-patch
Size: 5772 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0204.6-Support-installing-with-custom-SSL-certs-without-a-C.patch
Type: text/x-patch
Size: 23096 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0205.6-Load-the-CA-cert-into-server-NSS-databases.patch
Type: text/x-patch
Size: 11090 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0206.6-Do-not-call-cert-commands-in-host-plugin-if-a-RA-is-.patch
Type: text/x-patch
Size: 10403 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0207.6-ipa-client-install-Do-not-request-host-certificate-i.patch
Type: text/x-patch
Size: 3996 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130402/b1b67ced/attachment-0009.bin>