[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

HonzaCholasta freeipa-github-notification at redhat.com
Tue Jan 3 06:56:45 UTC 2017 

  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
* Dogtag certificates and RA certificate renewal is broken:
  ```
  	ca-error: Server at "https://vm-226.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
  ```
  This is because certmonger's `/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit` expects an `ipaCert` in `/etc/httpd/alias`.

* CA-less server install fails:
  ```
    [13/21]: publish CA cert
    [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
  ```
  2017-01-03T05:21:43Z DEBUG Starting external process
  2017-01-03T05:21:43Z DEBUG args=/usr/bin/certutil -d /var/lib/ipa/radb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
  2017-01-03T05:21:43Z DEBUG Process finished, return code=255
  2017-01-03T05:21:43Z DEBUG stdout=
  2017-01-03T05:21:43Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
  : PR_FILE_NOT_FOUND_ERROR: File not found
  ```
  If I work around the above, it fails further down with:
  ```
  trying https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json
  Forwarding 'schema' to json server 'https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json'
  No valid Negotiate header in server response
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Configuration of client side components failed!
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270059781

More information about the Freeipa-devel mailing list