[Freeipa-devel] [PATCH] 982 tweak to no_init patch
Martin Kosek
mkosek at redhat.com
Tue Mar 13 09:57:51 UTC 2012
On Wed, 2012-03-07 at 16:50 -0500, Rob Crittenden wrote:
> I discovered today that cert-request was failing with an untrusted CA error.
>
> The problem had to do with the NSS no_init patch. We were setting dbdir
> in the connection object too soon so it was comparing itself to itself
> and always determined that NSS was initialized just fine. This needs to
> be moved after the check.
>
> To test this you need a master, a replica and a client with DNS set up
> and SRV records for both servers.
>
> You need two or more servers so we run the ping() test. This is where
> the client was failing before. What would happen is this:
>
> - initialize NSS
> - run ping() against a server
> - prepare request
> - initialize NSS
> - FAIL
>
> That second initialization isn't needed and is correctly caught by the
> code with this patch.
>
> You need to test that a client enrollment works and that ipa
> cert-request works.
>
> cert-request was failing because we initialize NSS with nodb so we can
> load the CSR for validation. Because dbdir was set too early in the
> connection we were getting no_init set improperly and nss_shutdown()
> wasn't being called.
>
> rob

Works for me, ACK.

Please enhance testing instructions in the ticket. I had some issues
reproducing the problem myself, but your advice sent off-list helped me.
This should be enough.

Martin
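
An added illustration of the ordering bug discussed in this thread, not FreeIPA's code: `FakeNSS`, `Transport`, `DBDIR` and the `fixed` flag are hypothetical stand-ins that model process-global NSS state and a per-connection dbdir check. It shows why recording dbdir before the check leaves NSS in nodb mode for cert-request, and why the second initialization after ping() is still skipped once the assignment is moved.

```python
class FakeNSS:
    """Toy model of process-global NSS state; not the python-nss API."""
    def __init__(self):
        self.db = None        # None = uninitialized, "nodb", or a cert db path
        self.inits = 0

    def init(self, db):
        if self.db is not None:
            raise RuntimeError("NSS already initialized")
        self.db, self.inits = db, self.inits + 1

    def shutdown(self):
        self.db = None


class Transport:
    """Hypothetical connection object that records which dbdir it uses."""
    def __init__(self, nss, open_transports, fixed):
        self.nss, self.peers, self.fixed = nss, open_transports, fixed
        self.dbdir = None
        open_transports.append(self)

    def connect(self, dbdir):
        if not self.fixed:
            self.dbdir = dbdir    # bug: recorded before the check below
        # "Has an open connection already initialized NSS with this db?"
        no_init = any(t.dbdir == dbdir for t in self.peers)
        self.dbdir = dbdir        # correct place: after the check
        if not no_init:
            if self.nss.db is not None:
                self.nss.shutdown()   # leave nodb mode before re-initializing
            self.nss.init(dbdir)
        # In this model the CA is trusted only when the real cert db is loaded.
        return self.nss.db == dbdir


DBDIR = "/constructed/nssdb"      # constructed path, not a real location

def cert_request(fixed):
    nss = FakeNSS()
    nss.init("nodb")              # CSR loaded for validation without a db
    return Transport(nss, [], fixed).connect(DBDIR)

def ping_then_request(fixed):
    nss, peers = FakeNSS(), []
    Transport(nss, peers, fixed).connect(DBDIR)       # ping() a server
    ok = Transport(nss, peers, fixed).connect(DBDIR)  # the actual request
    return ok, nss.inits
```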