[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Rob Crittenden rcritten at redhat.com
Thu Jul 3 21:52:49 UTC 2014


Jan Cholasta wrote:
> On 2.7.2014 19:37, Jan Cholasta wrote:
>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>> Trimming to respond to your questions.
>>>>> Not sure if this is related:
>>>>> # pki cert-find
>>>>> PKIException: Internal Server Error
>>>
>>> I'm pretty sure the cert-find error is related to the fact that I had a
>>> test build of dogtag installed, so that can be ignored.
>>
>> It does not work for me either, with the current F20 dogtag packages,
>> but like I said, it worked some time ago.
> 
> Still haven't figured this out, unfortunately.
> 
> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
> certificates on master.
> 
> Updated rebased patches attached. The correct order to apply is 295-294,
> 303-305, 295-299.
> 

251 I'm a little confused about the profile names. I see you changed the
renewal profile from ipaCACertRenewal to caCACert which I guess makes
sense. I don't see a ipaCACertRenewal profile. There is still a
reference to a ipaRetrieval profile, what is that?

ACK to the changes in 291

299 I guess you added the check for existing certs to avoid conflicts? I
guess it means that a user is hosed if they chose the same name for
their CA that we use? I think you're missing a sys.exit(1) here.

303 Looks good. The man page is still a little thin

304 Not to be too pedantic but if removing the old CACERT fails
(SELinux, immutable file) then the install will blow up and this is the
very end. I think the removal should happen earlier, before anything
else happens. That way at least you don't wait 10 minutes to find out the
install failed.

305 ACK

I didn't have a ton of time to test but a basic install fails with:

2014-07-03T21:44:49Z DEBUG stderr=
2014-07-03T21:44:49Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 640, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1046, in main
    dm_password, subject_base=options.subject)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
489, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
    method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1041, in __import_ca_chain
    (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 79, in get_cert_nickname
    nsscert = x509.load_certificate(cert)

  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
load_certificate
    return nss.Certificate(buffer(data))

2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
attempting to import a cert with the same issuer/serial as an existing
cert, but that is not the same cert.

rob
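Added example, not part of this thread or of the FreeIPA/dogtag code: a pre-flight check over a PEM bundle, split on the same BEGIN/END markers the `certlist[st:en+25]` slice in the traceback implies, that reports two *different* certificates sharing issuer and serial, which is the condition NSS refuses at import time with SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Running such a check before touching the NSS database fails fast with a readable message instead of at the very end of the install. All function names and the sample certificates are constructed for the demo; the sample certificates are structurally minimal and unsigned.

```python
import base64, re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"  # END is 25 chars: the en+25 slice

def split_pem_chain(text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    blocks = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(der):
    """(issuer Name as raw DER, serialNumber) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                   # tbsCertificate SEQUENCE
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                             # optional EXPLICIT [0] version
        tag, val, pos = _tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)   # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)                  # signature AlgorithmIdentifier, skipped
    start = pos
    _, _, pos = _tlv(tbs, pos)                  # issuer Name, compared as raw DER
    return tbs[start:pos], serial

def reused_issuer_and_serial(text):
    """(serial, first_index, clashing_index) for different certs sharing issuer+serial."""
    seen, clashes = {}, []
    for idx, der in enumerate(split_pem_chain(text)):
        key = issuer_and_serial(der)
        if key in seen and seen[key][1] != der:     # an exact repeat of a cert is not a clash
            clashes.append((key[1], seen[key][0], idx))
        seen.setdefault(key, (idx, der))
    return clashes

# Constructed sample input: structurally minimal, unsigned certificates (not real CA certs).
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload   # short-form length only; all payloads here are < 128 bytes

def _fake_cert(issuer_cn, serial, subject_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg + name(issuer_cn) + name(subject_cn))
    pem = base64.encodebytes(_der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))).decode()
    return BEGIN + "\n" + pem + END + "\n"

SAMPLE_CHAIN = (_fake_cert("Test Root CA", 7, "Test Root CA")
                + _fake_cert("Test Root CA", 7, "Test Sub CA")     # same issuer/serial, different cert: rejected by NSS
                + _fake_cert("Test Root CA", 7, "Test Root CA")    # exact repeat of the first: harmless
                + _fake_cert("Test Root CA", 8, "Test Sub CA"))
```

For the constructed chain, `reused_issuer_and_serial(SAMPLE_CHAIN)` returns `[(7, 0, 1)]`: the second certificate reuses the root's issuer and serial 7 while differing in content, whereas the verbatim repeat at index 2 is ignored.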