[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Rob Crittenden rcritten at redhat.com
Tue Jul 22 13:21:48 UTC 2014


Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 2.7.2014 19:37, Jan Cholasta wrote:
>>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>>> Trimming to respond to your questions.
>>>>>> Not sure if this is related:
>>>>>> # pki cert-find
>>>>>> PKIException: Internal Server Error
>>>>
>>>> I'm pretty sure the cert-find error is related to the fact that I had a
>>>> test build of dogtag installed, so that can be ignored.
>>>
>>> It does not work for me as well, with the current F20 dogtag packages,
>>> but like I said, it worked some time ago.
>>
>> Still haven't figured this out, unfortunately.
>>
>> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
>> certificates on master.
>>
>> Updated rebased patches attached. The correct order to apply is 295-294,
>> 303-305, 295-299.
>>
> 
> 251 I'm a little confused about the profile names. I see you changed the
> renewal profile from ipaCACertRenewal to caCACert which I guess makes
> sense. I don't see a ipaCACertRenewal profile. There is still a
> reference to a ipaRetrieval profile, what is that?
> 
> ACK to the changes in 291
> 
> 299 I guess you added the check for existing certs to avoid conflicts? I
> guess it means that a user is hosed if they chose the same name for
> their CA that we use? I think you're missing a sys.exit(1) here.
> 
> 303 Looks good. The man page is still a little thin
> 
> 304 Not to be too pedantic but if removing the old CACERT fails
> (SELinux, immutable file) then the install will blow up and this is the
> very end. I think the removal should happen earlier, before anything
> else happens. That way at least you don't wait 10 minutes to find out the
> install failed.
> 
> 305 ACK
> 
> I didn't have a ton of time to test but a basic install fails with:
> 
> 2014-07-03T21:44:49Z DEBUG stderr=
> 2014-07-03T21:44:49Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 640, in run_script
>     return_value = main_function()
> 
>   File "/usr/sbin/ipa-server-install", line 1046, in main
>     dm_password, subject_base=options.subject)
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 489, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
>     method()
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1041, in __import_ca_chain
>     (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 79, in get_cert_nickname
>     nsscert = x509.load_certificate(cert)
> 
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
> load_certificate
>     return nss.Certificate(buffer(data))
> 
> 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
> exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
> attempting to import a cert with the same issuer/serial as an existing
> cert, but that is not the same cert.

I haven't gotten much further than this. I spent some time trying to
find a change that would cause it and came up empty. Once this bug
shows, it always shows, but it can go away at times too which is just
blowing my little mind.

For example, I tried rolling the patches back one at a time (revert,
build, install, repeat). It failed even back to the point where I knew
things should be working. I installed 3.3.5, then tried the current
build, which had failed before, and it worked. So there is some odd
transient thing going on that I can't wrap my head around.

rob
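The SEC_ERROR_REUSED_ISSUER_AND_SERIAL failure in the traceback above means NSS was asked to import a certificate whose issuer and serial number match a certificate already in the database, but whose bytes differ. A pre-flight check over the PEM bundle that __import_ca_chain feeds to load_certificate (for example /etc/ipa/ca.crt) catches that condition before NSS does. The script below is an added example written for this thread, not code from FreeIPA; its PEM parsing, minimal DER walker and the constructed certificate skeletons it checks itself against are all assumptions, and it does not replace a full X.509 parser.

```python
import base64
import hashlib
import re
from collections import defaultdict

# One PEM certificate block; body is base64 possibly wrapped over lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der(tag, content):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    """Encode a non-negative INTEGER, adding a 0x00 pad if the high bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def read_tlv(buf, pos):
    """Decode the TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der):
    """Return (issuer Name content bytes, serial int) from a DER certificate.

    Walks Certificate -> tbsCertificate -> [0] version, serialNumber,
    signature AlgorithmIdentifier, issuer; nothing after issuer is touched.
    """
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional EXPLICIT [0] version
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(content, "big")
    _, _, pos = read_tlv(tbs, pos)               # signature AlgorithmIdentifier
    tag, issuer, _ = read_tlv(tbs, pos)          # issuer Name
    if tag != 0x30:
        raise ValueError("expected issuer SEQUENCE")
    return issuer, serial


def find_issuer_serial_conflicts(pem_text):
    """Group certs by (issuer, serial) and report keys backed by more than
    one distinct DER encoding: exactly what NSS rejects at import time.
    Exact duplicates of the same certificate are not a conflict."""
    by_key = defaultdict(set)
    for m in PEM_RE.finditer(pem_text):
        cert_der = base64.b64decode(m.group(1))
        by_key[issuer_and_serial(cert_der)].add(hashlib.sha256(cert_der).hexdigest())
    return [(serial, sorted(digests))
            for (issuer, serial), digests in by_key.items() if len(digests) > 1]


def fake_cert(serial, issuer_cn, sig_variant):
    """Constructed minimal Certificate skeleton (NOT a real certificate):
    only the fields the walker reads plus a dummy signature we can vary."""
    cn_oid = der(0x06, b"\x55\x04\x03")          # id-at-commonName
    issuer = der(0x30, der(0x31, der(0x30, cn_oid + der(0x0C, issuer_cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + issuer)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + sig_variant))


def pem(cert_der):
    """Wrap DER as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample bundle: serial 1 appears twice with different bytes
# (conflict) and once more as an exact duplicate (harmless).
SAMPLE_BUNDLE = (
    pem(fake_cert(1, "EXAMPLE.TEST Root CA", b"\x01"))
    + pem(fake_cert(2, "EXAMPLE.TEST Root CA", b"\x02"))
    + pem(fake_cert(1, "EXAMPLE.TEST Root CA", b"\x03"))
    + pem(fake_cert(1, "EXAMPLE.TEST Root CA", b"\x01"))
)

if __name__ == "__main__":
    for serial, digests in find_issuer_serial_conflicts(SAMPLE_BUNDLE):
        print("conflict: serial %d maps to %d distinct certificates" % (serial, len(digests)))
```

Running it against a real bundle means passing the file contents, e.g. find_issuer_serial_conflicts(open("/etc/ipa/ca.crt").read()); an empty result means the bundle cannot trip this particular NSS error on its own, although a cert already sitting in the target NSS database can still clash with it.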



