<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 02/06/15 14:11, Fraser Tweedale wrote: </div> <blockquote cite="mid:20150602121127.GU23523@dhcp-40-8.bne.redhat.com" type="cite"> <pre wrap="">On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: </pre> <blockquote type="cite"> <pre wrap="">On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: </pre> <blockquote type="cite"> <pre wrap="">On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: </pre> <blockquote type="cite"> <pre wrap="">On 05/29/2015 11:21 AM, Martin Basti wrote: </pre> <blockquote type="cite"> <pre wrap="">On 29/05/15 06:17, Fraser Tweedale wrote: </pre> <blockquote type="cite"> <pre wrap="">On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: </pre> <blockquote type="cite"> <pre wrap="">On 28/05/15 11:48, Martin Basti wrote: </pre> <blockquote type="cite"> <pre wrap="">On 27/05/15 16:04, Fraser Tweedale wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency to 10.2.4-1. Should should be in f22 soon, but for f22 right now or for f21, please grab from my copr: <a class="moz-txt-link-freetext" href="https://copr.fedoraproject.org/coprs/ftweedal/freeipa/">https://copr.fedoraproject.org/coprs/ftweedal/freeipa/</a> Martin^1 could you please add to the quasi-official freeipa copr? SRPM lives at <a class="moz-txt-link-freetext" href="https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm">https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm</a>. - cert-request now verifies that for user principals, CSR CN matches uid and, DN emailAddress and SAN rfc822Name match user's email address, if either of those is present. - Fixed one or two other sneaky little bugs. On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote: </pre> <blockquote type="cite"> <pre wrap="">Hi all, Please find attached the latest certificate management patchset, which introduces the `caacl' plugin and various fixes and improvement to earlier patches. One important change to earlier patches is reverting the name of the default profile to 'caIPAserviceCert' and using the existing instance of this profile on upgrade (but not install) in case it has been modified. Other notes: - Still have changes in ipa-server-install (fewer lines now, though) - Still have the ugly import hack. It is not a high priority for me, i.e. I think it should wait until after alpha - Still need to update 'service' and 'host' plugins to support multiple certificates. (The userCertificate attribute schema itself is multi-valued, so there are no schema issues here) - The TODOs in [1]; mostly certprofile CLI conveniences and supporting multiple profiles for hosts and services (which requires changes to framework only, not schema). [1]: <a class="moz-txt-link-freetext" href="http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress">http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress</a> Happy reviewing! I am pleased with the initial cut of the caacl plugin but I'm sure you will find some things to be fixed :) Cheers, Fraser </pre> </blockquote> </blockquote> <pre wrap="">[root@vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94 Directory Manager (existing master) password: Preparing replica for vm-094.example.com from vm-093.example.com Creating SSL certificate for the Directory Server not well-formed (invalid token): line 2, column 14 I cannot create replica file. It work on the upgraded server, but it doesn't work on the newly installed server. I'm not sure if this causes your patches which modifies the ca-installer, or the newer version of dogtag. Or if there was any other changes in master, I will continue to investigate with new RPM from master branch. Martin^2 </pre> </blockquote> <pre wrap="">ipa-replica-prepare works for: * master branch * master branch + pki-ca 10.2.4-1 So something in your patches is breaking it Martin^2 </pre> </blockquote> <pre wrap="">Martin, master + my patches with pki 10.2.4-1 is working for me on f21 and f22. Can you provide ipa-replica-prepare --debug output and Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug ) Thanks, Fraser </pre> </blockquote> <pre wrap="">I can not reproduce it today. And I already recycled the VMs from yesterday. :-( </pre> </blockquote> <pre wrap=""> In that case I would suggest ACKing&pushing the patch and fixing the bug if it comes again. The tree may now be a bit unstable, given the number of patches going in. My main motivation here is to unblock Fraser. Thanks, Martin </pre> </blockquote> <pre wrap=""> Rebased patchset attached; no other changes. </pre> </blockquote> <pre wrap=""> Heads up: I just discovered I have introduced a bug with ipa-replica-install, when it is spawning the CA instance. I think replication it only causes issues with ``--setup-ca``. I will try and sort it out tomorrow or later tonight (I have to head out for a few hours now, though); and I'm not suggesting it should block the push but it's something to be aware of. Cheers, Fraser </pre> </blockquote> <pre wrap="">New patchset attached ; haven't gotten to the bottom of the ipa-replica-install issue mentioned above, but it fixes an upgrade bug. The change is: diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c288282..c5f4d37 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca): caconfig.CS_CFG_PATH, directive, separator='=') - if value == 'ProfileSubsystem': + if value == 'com.netscape.cmscore.profile.ProfileSubsystem': needs_update = True break except OSError, e: @@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca): installutils.set_directive( caconfig.CS_CFG_PATH, directive, - 'LDAPProfileSubsystem', + 'com.netscape.cmscore.profile.LDAPProfileSubsystem', quotes=False, separator='=') Cheers, Fraser </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> Thank you, 1) ipa-getcert request (getcert -c IPA) doesnt work, Request ID '20150602145845': status: CA_REJECTED ca-error: Server at <a class="moz-txt-link-freetext" href="https://vm-137.example.com/ipa/xml">https://vm-137.example.com/ipa/xml</a> denied our request, giving up: 3007 (RPC failed at server. 'profile_id' is required). 2) Error from rpm install Unexpected error - see /var/log/ipaupgrade.log for details: SkipPluginModule: dogtag not selected as RA plugin Just for record as known issue, this will be fixed later in a new patch. 3) + Str('profile_id', validate_profile_id, + label=_("Profile ID"), + doc=_("Certificate Profile to use"), + ) Please mark this param as optional. ('profile_id?') This will fix issue 1, but 1 will need a option to specify profile_id Also move API related change from patch 9 to patch 11 + increment VERSION 4) * Maybe I do everything wrong :) I'm not able to create certificate stored in FILE, via ipa-getcert request. I'm getting error: status: CA_UNREACHABLE ca-error: Server at <a class="moz-txt-link-freetext" href="https://vm-137.example.com/ipa/xml">https://vm-137.example.com/ipa/xml</a> failed request, will retry: 4001 (RPC failed at server. <a class="moz-txt-link-abbreviated" href="mailto:vm-137.example.com@example.com">vm-137.example.com@example.com</a>: host not found). or error: Request ID '20150602154115': status: CA_REJECTED ca-error: Server at <a class="moz-txt-link-freetext" href="https://vm-137.example.com/ipa/xml">https://vm-137.example.com/ipa/xml</a> denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command). (I'm root and kinited as admin) Maybe additional ACI is required for cert_request as it is VirtualCommand <pre class="moz-signature" cols="72">-- Martin Basti</pre> </body> </html>