[Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

Fraser Tweedale ftweedal at redhat.com
Mon Jun 13 16:19:27 UTC 2016


On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote:
> > > > 
> > > > Hi Fraser,
> > > > 
> > > > during functional review I found the following issues:
> > > > 
> > > > 1.)
> > > > 
> > > > If I create a CAACL rule tied to a specific sub-CA let's say for user
> > > > certificate issuance:
> > > > 
> > > > """
> > > > ipa caacl-show user_cert_issuance
> > > >   Enabled: TRUE
> > > >   User category: all
> > > >   CAs: user_sub_ca
> > > >   Profiles: caIPAuserCert
> > > >   ACL name: user_cert_issuance
> > > > 
> > > > """
> > > > 
> > > > I can still happily request certificate for a user using root-CA:
> > > > 
> > > > """
> > > >  ipa cert-request cert.csr --principal jdoe --ca ipa
> > > >   Certificate: MIID9j.../Ov8mkjFA==
> > > >   Subject: CN=jdoe,O=IPA.TEST
> > > >   Issuer: CN=Certificate Authority,O=IPA.TEST
> > > >   ...
> > > > """
> > > > 
> > > > should not this be denied by CA-ACL rule?
> > > > 
> > > > The default IPA CAACL rule is like this:
> > > > 
> > > > """
> > > > ipa caacl-show hosts_services_caIPAserviceCert
> > > >   Enabled: TRUE
> > > >   Host category: all
> > > >   Service category: all
> > > >   Profiles: caIPAserviceCert
> > > >   ACL name: hosts_services_caIPAserviceCert
> > > > 
> > > > """
> > > > 
> > > > so the default rule should not allow users to request certs at all.
> > > > 
> > > Yes, these should be denied.  Looking into it.
> > > 
> > Were you using 'admin' account to request the cert?  admin has
> > permission 'Request Certificate ignoring CA ACLs' via the
> > 'Certificate Manager' privilege.
> > 
> > If so, please try again with less privileges (e.g. self-service as
> > jdoe).
> > 
> 
> You were right; when I was requesting certs as the user principals
> themselves, everything worked as expected.
> 
> Regarding sub-CAs not present on the replica, both machines run the
> following version of the Dogtag CA:
> 
> pki-ca-10.3.2-3.fc24.noarch
> 
> Here are the last 256 lines of the debug log:
> 
> http://paste.fedoraproject.org/378512/65828332
> 
Thanks for that.  It seems there are two issues.  The first one is:

    Unable to read key retriever class from CS.cfg: Property
    features.authority.keyRetrieverClass missing value

This happens only on the replica, until the first restart of Dogtag
after installation.  I have attached a patch to fix it.

The second issue is:

    Failed to update certificate
      <stack trace>

This needs to be fixed in Dogtag, however, the error is not
triggered if the key retrieval succeeds when the replica first
observes the addition of a new CA.  The attached patch does help in
this regard, so apply it and I hope it will see you through the rest
of the functional testing of my patches... I hope.

Thank you for testing!

Cheers,
Fraser
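The check Martin's first test exercised, as an added example that models CA ACL evaluation the way this exchange describes it (allow-only rules matched on subject, CA and profile, and a requester holding the 'Request Certificate ignoring CA ACLs' permission skipping the rules). This is not FreeIPA's own code: the rule and principal structures, the host principal, and the assumption that the default rule covers the root CA under the name "ipa" (the caacl-show output above shows no CAs field for it) are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Permission that lets a requester skip CA ACL evaluation entirely; the
# thread notes admin holds it via the 'Certificate Manager' privilege.
BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass
class Principal:
    name: str
    kind: str                       # "user", "host" or "service"
    permissions: Set[str] = field(default_factory=set)


@dataclass
class CAACL:
    """Assumed shape of a rule: each dimension is either a category of
    "all" or an explicit member set (hypothetical model, not FreeIPA's)."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    ca_category: Optional[str] = None
    cas: Set[str] = field(default_factory=set)
    profile_category: Optional[str] = None
    profiles: Set[str] = field(default_factory=set)

    def covers_subject(self, subject: Principal) -> bool:
        category, members = {
            "user": (self.user_category, self.users),
            "host": (self.host_category, self.hosts),
            "service": (self.service_category, self.services),
        }[subject.kind]
        return category == "all" or subject.name in members

    def covers_ca(self, ca: str) -> bool:
        return self.ca_category == "all" or ca in self.cas

    def covers_profile(self, profile: str) -> bool:
        return self.profile_category == "all" or profile in self.profiles


def acl_permits(acl: CAACL, subject: Principal, ca: str, profile: str) -> bool:
    """One rule permits the (subject, CA, profile) triple only if it is
    enabled and all three dimensions match."""
    return (acl.enabled and acl.covers_subject(subject)
            and acl.covers_ca(ca) and acl.covers_profile(profile))


def request_allowed(acls: Iterable[CAACL], requester: Principal,
                    subject: Principal, ca: str, profile: str) -> bool:
    """Decide a cert-request.  Rules are allow-only: any matching enabled
    rule permits and nothing matching denies.  A requester with the bypass
    permission is not subject to the rules at all, which is why the admin
    request in the thread succeeded against the root CA."""
    if BYPASS_PERMISSION in requester.permissions:
        return True
    return any(acl_permits(acl, subject, ca, profile) for acl in acls)


# Constructed rules mirroring the two caacl-show outputs in the thread.
# That the default rule covers the root CA "ipa" is an assumption here.
RULES = [
    CAACL(name="user_cert_issuance", user_category="all",
          cas={"user_sub_ca"}, profiles={"caIPAuserCert"}),
    CAACL(name="hosts_services_caIPAserviceCert", host_category="all",
          service_category="all", cas={"ipa"},
          profiles={"caIPAserviceCert"}),
]

JDOE = Principal("jdoe", "user")
ADMIN = Principal("admin", "user", {BYPASS_PERMISSION})
HOST = Principal("host/web.ipa.test", "host")   # constructed host principal


def thread_scenarios():
    """The requests discussed in the thread, as label -> decision."""
    return {
        "jdoe self-service, root CA, caIPAuserCert":
            request_allowed(RULES, JDOE, JDOE, "ipa", "caIPAuserCert"),
        "jdoe self-service, user_sub_ca, caIPAuserCert":
            request_allowed(RULES, JDOE, JDOE, "user_sub_ca", "caIPAuserCert"),
        "admin requesting for jdoe, root CA, caIPAuserCert":
            request_allowed(RULES, ADMIN, JDOE, "ipa", "caIPAuserCert"),
        "host, root CA, caIPAserviceCert":
            request_allowed(RULES, HOST, HOST, "ipa", "caIPAserviceCert"),
    }


if __name__ == "__main__":
    for label, allowed in thread_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The point for anyone repeating Martin's functional test: the bypass is keyed on the requester's permission, not on the subject of the certificate, so a rule that looks correct can only be validated from a principal without 'Certificate Manager' (self-service as the user, or a host/service keytab).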
-------------- next part --------------
From 0eb877bd715033538b0cf3ef724d62c6b20d273f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 14 Jun 2016 01:22:41 +1000
Subject: [PATCH] replica-install: configure key retriever before starting
 Dogtag

After installing a replica, Dogtag's Lightweight CA key retrieval
fails until Dogtag is restarted, because the already-running
instance doesn't pick up the changes to CS.cfg.  Configure the key
retriever before the instance is started.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipaserver/install/cainstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c7f3116f62ce1158a04af23f29439c4a1d1a102f..8dfb71528d2dc020e05ccd7ff42199218a1c0839 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1344,6 +1344,8 @@ class CAInstance(DogtagInstance):
                   self.enable_pkix)
         self.step("set up client auth to db", self.__client_auth_to_db)
         self.step("destroying installation admin user", self.teardown_admin)
+        self.step("Configure lightweight CA key retrieval",
+                  self.setup_lightweight_ca_key_retrieval)
         self.step("starting instance", self.start_instance)
 
         self.step("importing CA chain to RA certificate database",
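Review bot: `setup_lightweight_ca_key_retrieval` now runs after `teardown_admin` and before `start_instance`, so it must need neither the installation admin account nor a running Dogtag; confirm it only writes CS.cfg (plus whatever local keytab or ACL it creates) and does not talk to the CA over REST or LDAP, otherwise the step will fail on a fresh replica where the instance has never been started. Minor: the step description "Configure lightweight CA key retrieval" is capitalised unlike its neighbours ("set up client auth to db", "starting instance"); "configuring lightweight CA key retrieval" would match the surrounding style.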
@@ -1362,8 +1364,6 @@ class CAInstance(DogtagInstance):
         self.step("updating IPA configuration", update_ipa_conf)
         self.step("Restart HTTP server to pick up changes",
                   self.__restart_http_instance)
-        self.step("Configure lightweight CA key retrieval",
-                  self.setup_lightweight_ca_key_retrieval)
 
         self.step("enabling CA instance", self.__enable_instance)
 
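Review bot: the removed step sat after `__restart_http_instance`, which restarts the HTTP server rather than Dogtag, so the already-running CA never re-read CS.cfg; moving it is the right fix, but with the step gone from here, check that every install path which reaches this point in the step list also executes the new step before `start_instance` (for example, that the first hunk is not inside a replica-only or master-only conditional), or one path ends up with no key retriever configured at all.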
-- 
2.5.5
