[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Rob Crittenden rcritten at redhat.com
Mon Jul 28 19:39:40 UTC 2014 

Jan Cholasta wrote:
> On 22.7.2014 15:21, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 2.7.2014 19:37, Jan Cholasta wrote:
>>>>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>>>>> Trimming to respond to your questions.
>>>>>>>> Not sure if this is related:
>>>>>>>> # pki cert-find
>>>>>>>> PKIException: Internal Server Error
>>>>>>
>>>>>> I'm pretty sure the cert-find error is related to the fact that I
>>>>>> had a
>>>>>> test build of dogtag installed, so that can be ignored.
>>>>>
>>>>> It does not work for me as well, with the current F20 dogtag packages,
>>>>> but like I said, it worked some time ago.
>>>>
>>>> Still haven't figured this out, unfortunately.
> 
> Fixed. Part of the problem was that the validation code I used on CA
> certificates was too tolerant (fixed in patches 249 and 251). Another
> part was the NSS validation code that Dogtag uses requires the issuing
> CA to be present in the NSS database (fixed in patch 306). Finally,
> Dogtag uses default NSS certificate path validation, which means you
> have to either keep all versions of the CA certificate in the NSS
> database, or enable PKIX path validation in NSS. Certmonger does not
> like having multiple versions of a certificate it is tracking in the
> database, so I have gone the PKIX route (patch 307).
> 
>>>>
>>>> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
>>>> certificates on master.
>>>>
>>>> Updated rebased patches attached. The correct order to apply is
>>>> 295-294,
>>>> 303-305, 295-299.
>>>>
>>>
>>> 251 I'm a little confused about the profile names. I see you changed the
>>> renewal profile from ipaCACertRenewal to caCACert which I guess makes
>>> sense. I don't see a ipaCACertRenewal profile. There is still a
>>> reference to a ipaRetrieval profile, what is that?
> 
> Oops, I forgot to mention that, I guess I shouldn't post patches at such
> late hour :) Sorry.
> 
> ipaCACertRenewal should be used only for automatic renewal, not for
> manual. It calls caCACert and ipaRetrieval internally, but there are
> some conditions, which don't apply to manual renewal. It's a change I
> forgot to make before, so I made it now when I noticed it. ipaRetrieval
> fetches the certificate from cn=ca_renewal, i.e. what
> dogtag-ipa-retrieve-agent-submit used to do.
> 
>>>
>>> ACK to the changes in 291
>>>
>>> 299 I guess you added the check for existing certs to avoid conflicts? I
>>> guess it means that a user is hosed if they chose the same name for
>>> their CA that we use? I think you're missing a sys.exit(1) here.
> 
> Yes. It is a poor man's solution, but it would take time to make
> something better. (I can deal with nickname conflicts rather easy by
> renaming the certificates, but handling subject conflict would require
> removing the old certificate from the certificate store, which is not
> yet supported.)
> 
> Fixed missing exit.
> 
>>>
>>> 303 Looks good. The man page is still a little thin
>>>
>>> 304 Not to be too pedantic but if removing the old CACERT fails
>>> (SELinux, immutable file) then the install will blow up and this is the
>>> very end. I think the removal should happen earlier, before anything
>>> else happens. That way at least you don't wait 10 minuts to find out the
>>> install failed.
> 
> I switched to overwriting the file instead. It is created/written a few
> lines above, so if it shall fail, it will fail there.
> 
>>>
>>> 305 ACK
>>>
>>> I didn't have a ton of time to test but a basic install fails with:
>>>
>>> 2014-07-03T21:44:49Z DEBUG stderr=
>>> 2014-07-03T21:44:49Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 640, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/usr/sbin/ipa-server-install", line 1046, in main
>>>      dm_password, subject_base=options.subject)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 489, in configure_instance
>>>      self.start_creation(runtime=210)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 382, in start_creation
>>>      method()
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 1041, in __import_ca_chain
>>>      (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 79, in get_cert_nickname
>>>      nsscert = x509.load_certificate(cert)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
>>> load_certificate
>>>      return nss.Certificate(buffer(data))
>>>
>>> 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
>>> exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
>>> attempting to import a cert with the same issuer/serial as an existing
>>> cert, but that is not the same cert.
>>
>> I haven't gotten much further than this. I spent some time trying to
>> find the a change that would cause it and came up empty. Once this bug
>> shows, it always shows, but it can go away at times too which is just
>> blowing my little mind.
>>
>> For example, I tried rolling the patches back one at a time (revert,
>> build, install, repeat). It failed even back to the point where I knew
>> things should be working. I installed 3.3.5, then tried the current
>> build, which had failed before, and it worked. So there is some odd
>> transient thing going on that I can't wrap my head around.
> 
> I have not yet seen this failure myself.
> 
> It looks like NSS internally imports the certificate, which conflicts
> with the database NSS is initialized with. Perhaps a well placed
> nss_shutdown() might fix this? Maybe using NSS contexts instead of
> global initialization could help.
> 
>>
>> rob
>>
> 
> I have taken your advice and don't touch trust flags on unknown CA certs
> on upgrades anymore. I have also made a number of little tweaks.
> 
> Updated rebased patches attached.
> 

This is oh-so close. AFAICT it generally does what it should, I think it
is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever
execute once. I'd think something like this is more readable:

for ca_nick, ca_flags in db.list_certs():
    if db.has_nickname(ca_cert):
        try:
            db.delete_cert(ca_nick)
        except ipautil.CalledProcessError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Failed to remove certificate %s" % ca_nick)

+1 on the additional syslogs. It will help figure out what's going on if
things go sideways.

Otherwise things seem to be working. I think that fixing the above is
enough for a +57 with the promise of unit tests to back up some of these
new functions.

rob
rob

More information about the Freeipa-devel mailing list