[Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
Fraser Tweedale
ftweedal at redhat.com
Mon Jun 13 16:19:27 UTC 2016
On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote:
> > > >
> > > > Hi Fraser,
> > > >
> > > > during functional review I found the following issues:
> > > >
> > > > 1.)
> > > >
> > > > If I create a CAACL rule tied to a specific sub-CA let's say for user
> > > > certificate issuance:
> > > >
> > > > """
> > > > ipa caacl-show user_cert_issuance
> > > > Enabled: TRUE
> > > > User category: all
> > > > CAs: user_sub_ca
> > > > Profiles: caIPAuserCert
> > > > ACL name: user_cert_issuance
> > > >
> > > > """
> > > >
> > > > I can still happily request certificate for a user using root-CA:
> > > >
> > > > """
> > > > ipa cert-request cert.csr --principal jdoe --ca ipa
> > > > Certificate: MIID9j.../Ov8mkjFA==
> > > > Subject: CN=jdoe,O=IPA.TEST
> > > > Issuer: CN=Certificate Authority,O=IPA.TEST
> > > > ...
> > > > """
> > > >
> > > > should this not be denied by the CA-ACL rule?
> > > >
> > > > The default IPA CAACL rule is like this:
> > > >
> > > > """
> > > > ipa caacl-show hosts_services_caIPAserviceCert
> > > > Enabled: TRUE
> > > > Host category: all
> > > > Service category: all
> > > > Profiles: caIPAserviceCert
> > > > ACL name: hosts_services_caIPAserviceCert
> > > >
> > > > """
> > > >
> > > > so the default rule should not allow users to request certs at all.
> > > >
> > > Yes, these should be denied. Looking into it.
> > >
> > Were you using 'admin' account to request the cert? admin has
> > permission 'Request Certificate ignoring CA ACLs' via the
> > 'Certificate Manager' privilege.
> >
> > If so, please try again with less privileges (e.g. self-service as
> > jdoe).
> >
>
> You were right: when I was requesting certs as the user principals themselves,
> everything worked as expected.
>
> Regarding sub-CAs not present on the replica, both machines run the following
> version of the Dogtag CA:
>
> pki-ca-10.3.2-3.fc24.noarch
>
> Here are the last 256 lines of the debug log:
>
> http://paste.fedoraproject.org/378512/65828332
>
Thanks for that. It seems there are two issues. The first one is:

    Unable to read key retriever class from CS.cfg: Property
    features.authority.keyRetrieverClass missing value

This happens only on the replica, until the first restart of Dogtag
after installation. I have attached a patch to fix it.

The second issue is:

    Failed to update certificate
    <stack trace>

This needs to be fixed in Dogtag; however, the error is not
triggered if the key retrieval succeeds when the replica first
observes the addition of a new CA. The attached patch does help in
this regard, so apply it and I hope it will see you through the rest
of the functional testing of my patches... I hope.

Thank you for testing!

Cheers,
Fraser
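The access-control behaviour discussed above (a CA ACL permits a request only when the principal, the target CA and the profile all match, and 'admin' bypasses the check through the 'Request Certificate ignoring CA ACLs' permission) can be modelled in a few lines. The following is an added example written for this thread, not FreeIPA's own code; the ACL contents are taken from the caacl-show output quoted above, and because that output shows no CA on the default hosts/services rule, the example assumes that rule covers the IPA root CA 'ipa'.

```python
"""Simplified model of FreeIPA CA ACL evaluation as described in the thread.

Added example, not FreeIPA's own implementation.  Two rules are modelled:
  * a request is permitted if some enabled CA ACL matches the requesting
    principal, the target CA and the requested profile; and
  * a principal holding the 'Request Certificate ignoring CA ACLs'
    permission ('admin' gets it via the 'Certificate Manager' privilege)
    bypasses the ACL check entirely.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, FrozenSet, List, Tuple

BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                                  # "user", "host" or "service"
    permissions: FrozenSet[str] = frozenset()


@dataclass
class CAACL:
    name: str
    enabled: bool
    profiles: Set[str]
    cas: Set[str] = field(default_factory=set)
    ca_category: Optional[str] = None          # "all" or None
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

    def matches_principal(self, p: Principal) -> bool:
        category = {"user": self.user_category,
                    "host": self.host_category,
                    "service": self.service_category}[p.kind]
        members = {"user": self.users,
                   "host": self.hosts,
                   "service": self.services}[p.kind]
        return category == "all" or p.name in members

    def matches_ca(self, ca: str) -> bool:
        return self.ca_category == "all" or ca in self.cas

    def matches(self, p: Principal, ca: str, profile: str) -> bool:
        return (self.enabled and self.matches_principal(p)
                and self.matches_ca(ca) and profile in self.profiles)


def check_request(acls: List[CAACL], principal: Principal,
                  ca: str, profile: str) -> Tuple[bool, str]:
    """Decide whether `principal` may request `profile` from `ca`.

    Returns (permitted, reason) so the decision can be logged/audited.
    """
    if BYPASS_PERMISSION in principal.permissions:
        return True, "bypass: %s holds '%s'" % (principal.name, BYPASS_PERMISSION)
    for acl in acls:
        if acl.matches(principal, ca, profile):
            return True, "permitted by CA ACL '%s'" % acl.name
    return False, "no enabled CA ACL matches principal, CA and profile"


# Constructed from the caacl-show output quoted in the thread.
ACLS = [
    CAACL(name="user_cert_issuance", enabled=True, user_category="all",
          cas={"user_sub_ca"}, profiles={"caIPAuserCert"}),
    # The quoted output lists no CA for this rule; this example assumes
    # it applies to the IPA root CA 'ipa'.
    CAACL(name="hosts_services_caIPAserviceCert", enabled=True,
          host_category="all", service_category="all",
          cas={"ipa"}, profiles={"caIPAserviceCert"}),
]

# Constructed principals: jdoe in self-service, and admin with the bypass
# permission that the 'Certificate Manager' privilege grants.
JDOE = Principal("jdoe", "user")
ADMIN = Principal("admin", "user", frozenset({BYPASS_PERMISSION}))
WEB_SVC = Principal("HTTP/web.ipa.test", "service")   # constructed name

if __name__ == "__main__":
    for who, ca, profile in [(JDOE, "ipa", "caIPAuserCert"),
                             (JDOE, "user_sub_ca", "caIPAuserCert"),
                             (ADMIN, "ipa", "caIPAuserCert"),
                             (WEB_SVC, "ipa", "caIPAserviceCert")]:
        ok, why = check_request(ACLS, who, ca, profile)
        print("%-20s ca=%-12s %-18s -> %s (%s)" % (who.name, ca, profile,
                                                   "ALLOW" if ok else "DENY", why))
```

Running it reproduces the thread's observations: jdoe requesting caIPAuserCert from the root CA 'ipa' is denied, the same request against user_sub_ca is allowed, and admin is allowed against 'ipa' only because of the bypass permission, which is why testing the ACLs as 'admin' gives misleading results.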
-------------- next part --------------
From 0eb877bd715033538b0cf3ef724d62c6b20d273f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 14 Jun 2016 01:22:41 +1000
Subject: [PATCH] replica-install: configure key retriever before starting
Dogtag
After installing a replica, Dogtag's Lightweight CA key retrieval
fails until Dogtag is restarted, because the already-running
instance doesn't pick up the changes to CS.cfg. Configure the key
retriever before the instance is started.
Part of: https://fedorahosted.org/freeipa/ticket/4559
---
ipaserver/install/cainstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c7f3116f62ce1158a04af23f29439c4a1d1a102f..8dfb71528d2dc020e05ccd7ff42199218a1c0839 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1344,6 +1344,8 @@ class CAInstance(DogtagInstance):
self.enable_pkix)
self.step("set up client auth to db", self.__client_auth_to_db)
self.step("destroying installation admin user", self.teardown_admin)
+ self.step("Configure lightweight CA key retrieval",
+ self.setup_lightweight_ca_key_retrieval)
self.step("starting instance", self.start_instance)
self.step("importing CA chain to RA certificate database",
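Review bot: moving this step ahead of "starting instance" means setup_lightweight_ca_key_retrieval now runs against a stopped Dogtag; the commit message says the intent is only to have CS.cfg populated before start, so please confirm the method does nothing that needs the instance up (REST calls to the CA, for example), otherwise replica install will fail at this step rather than at key retrieval. Minor: the neighbouring step descriptions in this hunk are lower-case ("set up client auth to db", "starting instance"), so "configure lightweight CA key retrieval" would match better.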
@@ -1362,8 +1364,6 @@ class CAInstance(DogtagInstance):
self.step("updating IPA configuration", update_ipa_conf)
self.step("Restart HTTP server to pick up changes",
self.__restart_http_instance)
- self.step("Configure lightweight CA key retrieval",
- self.setup_lightweight_ca_key_retrieval)
self.step("enabling CA instance", self.__enable_instance)
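Review bot: with the post-start step removed, nothing in the install flow configures key retrieval on an already-running replica, so a replica installed with the old ordering still needs the Dogtag restart the commit message describes; consider stating in the commit message or the linked ticket that this fixes fresh installs only, or pairing it with an upgrade step that restarts Dogtag when features.authority.keyRetrieverClass is first written to CS.cfg.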
--
2.5.5