[Freeipa-devel] [PATCH] 982 tweak to no_init patch
Rob Crittenden
rcritten at redhat.com
Wed Mar 7 21:50:45 UTC 2012
I discovered today that cert-request was failing with an untrusted CA error.
The problem had to do with the NSS no_init patch. We were setting dbdir
in the connection object too soon so it was comparing itself to itself
and always determined that NSS was initialized just fine. This needs to
be moved after the check.
To test this you need a master, a replica and a client with DNS set up
and SRV records for both servers.
You need two or more servers so we run the ping() test. This is where
the client was failing before. What would happen is this:
- initialize NSS
- run ping() against a server
- prepare request
- initialize NSS
- FAIL
That second initialization isn't needed and is correctly caught by the
code with this patch.
You need to test that a client enrollment works and that ipa
cert-request works.
cert-request was failing because we initialize NSS with nodb so we can
load the CSR for validation. Because dbdir was set too early in the
connection we were getting no_init set improperly and nss_shutdown()
wasn't being called.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-982-noinit.patch
Type: text/x-diff
Size: 2975 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120307/22a2649f/attachment.bin>
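The ordering bug described in the message above, as a small added model that is not the attached patch nor FreeIPA or python-nss code. FakeNSS stands in for the process-wide NSS state, Connection for the RPC connection object, NODB for a no-database context like the one cert-request opens to parse the CSR, and DBDIR is a constructed path; the "no_guard" mode is the behaviour before the no_init patch, "buggy" the first no_init patch (dbdir stored before the comparison), "fixed" the tweak from this post (compare against the context that is actually active, store dbdir afterwards). The toy's init() treats re-initialising the same database as the FAIL step from the message and lets a database init replace a nodb context; both are assumptions of the model, not python-nss semantics.

```python
# Constructed model of the NSS init guard; all names are assumptions.

NODB = "nodb"                 # stands for an nss_init_nodb()-style context
DBDIR = "/home/alice/.ipa"    # constructed client NSS database path


class NSSAlreadyInitialized(RuntimeError):
    """The 'FAIL' step: a second init of a database that is already active."""


class FakeNSS:
    """Process-wide NSS state: at most one active context at a time."""

    def __init__(self):
        self.dbdir = None          # None means NSS is not initialised
        self.shutdown_calls = 0

    def is_initialized(self):
        return self.dbdir is not None

    def init(self, dbdir):
        # Toy rule: same database twice is an error; replacing nodb is allowed.
        if self.dbdir == dbdir:
            raise NSSAlreadyInitialized(dbdir)
        self.dbdir = dbdir

    def shutdown(self):
        self.dbdir = None
        self.shutdown_calls += 1


class Connection:
    """Connection object that may reuse an NSS context it did not create."""

    def __init__(self, nss, mode):
        assert mode in ("no_guard", "buggy", "fixed")
        self.nss = nss
        self.mode = mode
        self.dbdir = None
        self.no_init = False

    def create(self, nss_dir):
        if self.mode == "no_guard":
            already_ours = False                       # always initialise
        elif self.mode == "buggy":
            # dbdir stored first, so the check compares nss_dir with itself
            # and is true whenever NSS is up, whatever context it holds.
            self.dbdir = nss_dir
            already_ours = self.nss.is_initialized() and self.dbdir == nss_dir
        else:
            # compare with the context that is really active
            already_ours = self.nss.is_initialized() and self.nss.dbdir == nss_dir
        if already_ours:
            self.no_init = True          # reuse; owner does the shutdown
        else:
            self.nss.init(nss_dir)
            self.no_init = False
        self.dbdir = nss_dir             # recorded after the decision

    def destroy(self):
        if not self.no_init:
            self.nss.shutdown()


def enrollment_flow(mode):
    """Client enrollment: init, ping(), then a second connection for the request."""
    nss = FakeNSS()
    first = Connection(nss, mode)
    first.create(DBDIR)                  # initialise NSS, ping() a server
    second = Connection(nss, mode)
    try:
        second.create(DBDIR)             # prepare request; must not re-init
    except NSSAlreadyInitialized:
        return {"error": "FAIL"}
    active = nss.dbdir
    second.destroy()
    first.destroy()
    return {"no_init": second.no_init, "active": active,
            "shutdowns": nss.shutdown_calls}


def cert_request_flow(mode):
    """cert-request: a nodb context is active (CSR parsing) when the connection,
    which needs the real database for CA trust, is created."""
    nss = FakeNSS()
    nss.init(NODB)
    conn = Connection(nss, mode)
    conn.create(DBDIR)
    active = nss.dbdir                   # what certificate verification sees
    conn.destroy()
    return {"no_init": conn.no_init, "active": active,
            "shutdowns": nss.shutdown_calls}


if __name__ == "__main__":
    for mode in ("no_guard", "buggy", "fixed"):
        print(mode, enrollment_flow(mode), cert_request_flow(mode))
```

Running it shows the three states from the message: without a guard the second enrollment init fails; with dbdir set too early the enrollment passes but cert-request keeps the nodb context (no CA certs, hence the untrusted CA error) and never shuts NSS down; with the comparison moved before the assignment both flows end up on the real database and shutdown is called exactly once per init.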