[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

Rob Crittenden rcritten at redhat.com
Thu Jun 26 18:05:41 UTC 2014


Jan Cholasta wrote:
> On 12.6.2014 09:49, Jan Cholasta wrote:
>> On 20.5.2014 21:38, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 25.4.2014 10:51, Jan Cholasta wrote:
>>>>> On 24.4.2014 23:16, Rob Crittenden wrote:
>>>>>> Jan Cholasta wrote:
>>>>>>> On 10.4.2014 22:06, Rob Crittenden wrote:
>>>>>>>> Some in-line, a whole ton of data appended to end.
>>>>>>>>
>>>>>>>> Jan Cholasta wrote:
>>>>>>>>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>>>>>>>>> Rob Crittenden wrote:
>>>>>>>>>>>
>>>>>>>>>>> 247
>>>>>>>>>>>
>>>>>>>>>>> We've been burned by hardcoded timeouts in the past. Should
>>>>>>>>>>> this be
>>>>>>>>>>> configurable? This module doesn't currently do any logging
>>>>>>>>>>> but it
>>>>>>>>>>> might
>>>>>>>>>>> be worth spitting out a "waiting" message, at least for
>>>>>>>>>>> debugging.
>>>>>>>>>
>>>>>>>>> Added a timeout argument.
>>>>>>>>
>>>>>>>> Did you forget to send this one, I didn't see an update to 247.
>>>>>>>
>>>>>>> Are you sure you have 247.1 (now 247.2)?
>>>>>>>
>>>>>>> I can see at
>>>>>>> <http://www.redhat.com/archives/freeipa-devel/2014-April/msg00225.html>
>>>>>>>
>>>>>>>
>>>>>>> that I have sent the correct version of the patches.
>>>>>>
>>>>>> The call has a timeout, the callers don't use it. I guess it'll do
>>>>>> for
>>>>>> now, but these almost always come back to bite us.
>>>>>
>>>>> Well, I can add --certmonger-timeout option to ipa-cacert-manage, if
>>>>> that's what you want.
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 251
>>>>>>>>>>>
>>>>>>>>>>> The tool should provide some feedback while it's running. For
>>>>>>>>>>> the
>>>>>>>>>>> impatient (me) it takes a really long time and it's hard to know
>>>>>>>>>>> what is
>>>>>>>>>>> going on, something in between nothing and full debug output.
>>>>>>>>>
>>>>>>>>> Added some messages about what's going on.
>>>>>>>>
>>>>>>>> I don't see an update to 251 either.
>>>>>>>
>>>>>>> Please make sure you have 251.1 (now 251.2).
>>>>>>
>>>>>> There is a little bit more output but there are still very long
>>>>>> periods
>>>>>> of waiting between any visual activity, particularly when doing it
>>>>>> on an
>>>>>> IPA self-signed CA.
>>>>>
>>>>> This stuff takes time :-) What would you like to see in the output,
>>>>> that's not already there?
>>>>>
>>>>>>>>
>>>>>>>> I think the ipa-cacert-manage man page is missing one really
>>>>>>>> important
>>>>>>>> piece: why would you ever need to run this? And when?
>>>>>>>
>>>>>>> Added a paragraph about this.
>>>>>>
>>>>>> It's better, couple of comments:
>>>>>>
>>>>>> Add "the" in between renew and CA in "used to manually renew CA
>>>>>> certificate of" and "When IPA CA...".
>>>>>
>>>>> OK.
>>>>>
>>>>>> I haven't had any luck renewing
>>>>>> the CA certificate yet. I see that it is tracked now. I started
>>>>>> moving
>>>>>> the system clock forward in order to get to renewal and about the 3rd
>>>>>> iteration the requests started failing with an XML error. Did you see
>>>>>> this?
>>>>>>
>>>>>> [Thu Apr 21 11:08:49.929486 2016] [:error] [pid 11692] Traceback
>>>>>> (most
>>>>>> recent call last):
>>>>>> [Thu Apr 21 11:08:49.929489 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
>>>>>> 344, in
>>>>>> wsgi_execute
>>>>>> [Thu Apr 21 11:08:49.929493 2016] [:error] [pid 11692]     result =
>>>>>> self.Command[name](*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929496 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
>>>>>> __call__
>>>>>> [Thu Apr 21 11:08:49.929499 2016] [:error] [pid 11692]     ret =
>>>>>> self.run(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929503 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in
>>>>>> run
>>>>>> [Thu Apr 21 11:08:49.929506 2016] [:error] [pid 11692]     result =
>>>>>> self.execute(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929509 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line
>>>>>> 382, in
>>>>>> execute
>>>>>> [Thu Apr 21 11:08:49.929512 2016] [:error] [pid 11692]     result =
>>>>>> api.Command['cert_show'](unicode(serial))['result']
>>>>>> [Thu Apr 21 11:08:49.929516 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
>>>>>> __call__
>>>>>> [Thu Apr 21 11:08:49.929519 2016] [:error] [pid 11692]     ret =
>>>>>> self.run(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.930559 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in
>>>>>> run
>>>>>> [Thu Apr 21 11:08:49.930567 2016] [:error] [pid 11692]     result =
>>>>>> self.execute(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.930570 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line
>>>>>> 514, in
>>>>>> execute
>>>>>> [Thu Apr 21 11:08:49.930573 2016] [:error] [pid 11692]
>>>>>> result=self.Backend.ra.get_certificate(serial_number)
>>>>>> [Thu Apr 21 11:08:49.930577 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
>>>>>> 1502, in get_certificate
>>>>>> [Thu Apr 21 11:08:49.930580 2016] [:error] [pid 11692]
>>>>>> parse_result
>>>>>> = self.get_parse_result_xml(http_body, parse_display_cert_xml)
>>>>>> [Thu Apr 21 11:08:49.930591 2016] [:error] [pid 11692]   File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
>>>>>> 1363, in get_parse_result_xml
>>>>>> [Thu Apr 21 11:08:49.930594 2016] [:error] [pid 11692]     doc =
>>>>>> etree.fromstring(xml_text, parser)
>>>>>> [Thu Apr 21 11:08:49.930598 2016] [:error] [pid 11692]   File
>>>>>> "lxml.etree.pyx", line 3032, in lxml.etree.fromstring
>>>>>> (src/lxml/lxml.etree.c:68129)
>>>>>> [Thu Apr 21 11:08:49.930601 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 1785, in lxml.etree._parseMemoryDocument
>>>>>> (src/lxml/lxml.etree.c:102493)
>>>>>> [Thu Apr 21 11:08:49.930604 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 1673, in lxml.etree._parseDoc
>>>>>> (src/lxml/lxml.etree.c:101322)
>>>>>> [Thu Apr 21 11:08:49.930607 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 1074, in lxml.etree._BaseParser._parseDoc
>>>>>> (src/lxml/lxml.etree.c:96504)
>>>>>> [Thu Apr 21 11:08:49.930611 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 582, in
>>>>>> lxml.etree._ParserContext._handleParseResultDoc
>>>>>> (src/lxml/lxml.etree.c:91308)
>>>>>> [Thu Apr 21 11:08:49.930614 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 683, in lxml.etree._handleParseResult
>>>>>> (src/lxml/lxml.etree.c:92494)
>>>>>> [Thu Apr 21 11:08:49.930617 2016] [:error] [pid 11692]   File
>>>>>> "parser.pxi", line 633, in lxml.etree._raiseParseError
>>>>>> (src/lxml/lxml.etree.c:91957)
>>>>>> [Thu Apr 21 11:08:49.930621 2016] [:error] [pid 11692]
>>>>>> XMLSyntaxError:
>>>>>> None
>>>>>> [Thu Apr 21 11:08:49.930829 2016] [:error] [pid 11692] ipa: INFO:
>>>>>> [xmlserver] host/lyra.greyoak.com at GREYOAK.COM:
>>>>>> cert_request(u'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3VCtgMvPVk
>>>>>> 3k4qYBz6/2B8PEeQY2/W5CULkfjqJhDxr0qodiYAc8GOyHMDpymfC3+QUIXkmoy94USRS2x8CMvzq8h1tpBPcXAei6waohTJtO33o79iVNbeLIif3RD22dghPx3JvEB4FXWQv6IylXGyJb6NRRneI4R8Ko0xCA9xiyPegfDgiQEUUSCtJ/Qr9/OpytFgrpJHSTd8n9DzLbRO5FQW4yS45A8xp5WkJCU5IslIon6luf9v5eNCVsIp7EPgaQ==',
>>>>>> principal=u'HTTP/lyra.greyoak.com at GREYOAK.COM', add=True,
>>>>>> version=u'2.51'): XMLSyntaxError
>>>>>
>>>>> I have never seen this. The error message does not say much... Is
>>>>> there
>>>>> anything interesting in other logs?
>>>>
>>>> I was able to get the CA certificate to be renewed after moving system
>>>> time forward step by step.
>>>>
>>>> One thing I haven't noticed before is that the renewed certificate's
>>>> validity never exceeds that of the original certificate. This is most
>>>> likely Dogtag issue (something along the lines of "certificate validity
>>>> cannot exceed validity of the CA certificate", except it shouldn't
>>>> apply
>>>> to the CA certificate itself).
>>>>
>>>> There were other issues here and there, all of them were caused by race
>>>> conditions between concurrent renewals (unreachable CA, XML syntax
>>>> errors, etc. because Dogtag was stopped by stop_pkicad in another
>>>> request, CMS internal error because it used old subsystem cert to
>>>> authenticate to LDAP while the cert was being renewed, etc.) and all of
>>>> them could be fixed by restarting relevant IPA services and
>>>> resubmitting
>>>> the requests manually. Some synchronization is really missing there.
>>>
>>> I hadn't noticed that, but my CA was issued externally so I expected
>>> this. I also saw the bumps during renewal but things always tended to
>>> smooth out, with the errors generally restricted to restarts and
>>> certmonger. This backtrace was the only thing that really stood out.
>>> IIRC at this point things were pretty much blocked.
>>>
>>> In any case, these patches basically seem to work. I never did work out
>>> whether the above error was due to dogtag, IPA or something else.
>>>
>>> rob
>>
>> Rebased the patches on top of current master.
>>
>> Give up retrieving certificate from LDAP in patch 265 after a few
>> unsuccessful attempts. This is to prevent certmonger requests from
>> staying in CA_WORKING state forever when you manually resubmit a request.
>>
>> Added patch 266 which adds ACIs missing after the permission refactoring.
> 
> Rebased again.
> 
> Converted all permissions to managed permissions.
> 
> Added dependency on certmonger >= 0.74 in patch 251, because CSR export
> is broken with older versions. There is an update to certmonger 0.75.5
> for F20:
> <https://admin.fedoraproject.org/updates/FEDORA-2014-7529/certmonger-0.75.5-1.fc20>.
> (It segfaults for me during server install, I and Nalin are investigating.)
> 

I need a full set of patches, 241-299 from the same tree. Trying to
piece together more than 50 patches from three long threads is proving
impossible.

Provided some feedback on 295-299 in that thread but I can't get much
applied so I can do any functional testing.

rob
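Two points in the thread above recur in practice: a renewal helper that waits on a hardcoded timeout with no progress output (patch 247), and concurrent renewals racing each other (one request stopping Dogtag while another talks to it) with a request that can otherwise sit in CA_WORKING forever (patch 265). The block below is an added example, not FreeIPA, certmonger or Dogtag code: it serializes helpers with an exclusive flock on a lock file, waits for the lock with a caller-supplied timeout and a "waiting" log line per poll, and bounds a retry loop by both a deadline and an attempt cap. The names renewal_lock, wait_for and demo, the lock file path and the polling intervals are all assumptions made for the illustration.

```python
# Added example (not FreeIPA/certmonger code): serialize concurrent renewal
# helpers with a file lock, and poll with a configurable, bounded wait.
# renewal_lock, wait_for and demo are hypothetical names for this illustration.
import fcntl
import logging
import os
import tempfile
import time
from contextlib import contextmanager

log = logging.getLogger("renewal")


class RenewalTimeout(Exception):
    """Raised when the lock or the awaited condition is not obtained in time."""


@contextmanager
def renewal_lock(path, timeout, poll=0.5):
    """Hold an exclusive flock on `path` for the duration of the with-block.

    A competing holder (e.g. another helper restarting the CA) makes us wait,
    logging a progress line on every poll, for at most `timeout` seconds.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    deadline = time.monotonic() + timeout
    held = False
    try:
        while not held:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                held = True
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    raise RenewalTimeout(
                        "lock %s not acquired within %ss" % (path, timeout))
                log.info("waiting for renewal lock %s", path)
                time.sleep(poll)
        yield
    finally:
        if held:
            fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def wait_for(condition, timeout, poll=0.5, max_attempts=None):
    """Poll `condition()` until it is true, the deadline passes, or
    `max_attempts` calls have failed.  Returns (ok, attempts).

    The attempt cap is the "give up after a few unsuccessful tries" rule:
    a caller never stays in a working state indefinitely.
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        if condition():
            return True, attempts
        if max_attempts is not None and attempts >= max_attempts:
            return False, attempts
        if time.monotonic() >= deadline:
            return False, attempts
        log.info("condition not met after %d attempt(s), waiting", attempts)
        time.sleep(poll)


def demo():
    """Exercise both helpers in one process and return the observations."""
    out = {}
    lock_path = os.path.join(tempfile.mkdtemp(), "renewal.lock")
    with renewal_lock(lock_path, timeout=5):
        # A second os.open() yields a separate open file description, so
        # flock treats it as a competing holder even inside one process.
        try:
            with renewal_lock(lock_path, timeout=0.3, poll=0.1):
                out["second_blocked"] = False
        except RenewalTimeout:
            out["second_blocked"] = True
    # Once the first holder exits the with-block the lock is free again.
    with renewal_lock(lock_path, timeout=1):
        out["reacquired"] = True
    seen = []  # constructed condition: true on the third call
    out["eventually_ok"] = wait_for(
        lambda: (seen.append(1), len(seen) >= 3)[1], timeout=5, poll=0.01)
    out["gave_up"] = wait_for(lambda: False, timeout=5, poll=0.01,
                              max_attempts=4)
    out["timed_out"] = wait_for(lambda: False, timeout=0.05, poll=0.01)[0]
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(demo())
```

The lock is advisory and process-wide on the lock file's open file description, which is exactly what is needed to keep two certmonger-spawned helpers from stopping and starting the same CA instance at once; the timeout and poll interval are parameters so a tool such as ipa-cacert-manage could expose them as options instead of burying a constant.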