[Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

Petr Viktorin pviktori at redhat.com
Tue Apr 2 10:05:35 UTC 2013


On 04/02/2013 10:48 AM, Jan Cholasta wrote:
> On 29.3.2013 15:31, Petr Viktorin wrote:
>> On 03/29/2013 11:20 AM, Jan Cholasta wrote:
>>> On 29.3.2013 11:14, Jan Cholasta wrote:
>>>> Also I was able to install IPA with revoked certificates, but it
>>>> doesn't
>>>> seem to break anything - the CRL specified in the certificates' CRL
>>>> distribution point is not automatically imported into any of the NSS
>>>> databases and when it is imported manually, everything still seems to
>>>> work fine. I haven't checked OCSP. Can and/or do we want to do
>>>> something
>>>> about this?
>>>
>>> Update: the ipa command does not work:
>>>
>>> $ ipa host-show $HOSTNAME --all --raw
>>> ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
>>> ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
>>> ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
>>> -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
>>> revoked.
>>
>> I think we can live with not checking CRLs now. I haven't found a way to
>> download CRLs with certutil or python-nss (short of explicitly examining
>> the certs, downloading the CRL and importing it, but I don't think IPA
>> is the place for that).
>> I've asked John.
>
> OK, thanks.
>
>>
>>>> Patch 205:
>>>>
>>>> Can we instead require the PKCS#12 files to always contain the whole
>>>> certificate chain? IMO that way it would be more obvious what should
>>>> actually be in the files and it would make things easier should there
>>>> ever be need for --root-ca-subject.
>>
>> Not requiring the root CA is a convenient shortcut. It's common to have
>> certs signed directly by the CA, and in this case you can use either a
>> single-cert PKCS#12 or one with the full chain.
>> Actually, originally the full chain was required, and a user already
>> complained :)
>>
>> If we add a new option, we can specify its requirements on the other
>> options.
>
> No problem.
>
>>
>> Adding a new patch for client installation.
>>

I found one more bug: the replica wasn't setting the ra_plugin option 
properly, preventing installing a replica of a replica.
I squashed the following change into 204:

diff --git a/install/tools/ipa-replica-install 
b/install/tools/ipa-replica-install
index 8fce3a8..af80c1e 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -539,6 +539,9 @@ def main():
              fd.write("ra_plugin=dogtag\n")
              fd.write("dogtag_version=%s\n" %
                  dogtag.install_constants.DOGTAG_VERSION)
+        else:
+            fd.write("enable_ra=False\n")
+            fd.write("ra_plugin=none\n")
          fd.write("mode=production\n")
          fd.close()
      finally:
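Review bot: the new `else:` branch writes `ra_plugin=none`, but the `if` it pairs with sits outside the hunk's context, so a reader of this diff cannot confirm that the branch is reached exactly when the replica has no CA; a short comment above the `else:` (for example `# no CA on this replica: disable the RA`) would document that intent. Also, `enable_ra=False` is written only in the new branch, while the visible dogtag branch writes `ra_plugin=dogtag` and `dogtag_version` but no explicit `enable_ra=True`; writing the key in both branches keeps the generated configuration symmetric and avoids relying on a default.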


> This is nothing critical, but I think that make-testcert should check if
> dogtag is installed and when it's not, print a message informing the
> user that they should issue the test certificate manually and place it
> in the appropriate location.
>
> Besides that, ACK.

I'll make another patch so this set is not delayed.

> Honza
>


-- 
Petr³
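The thread above settles on not checking CRLs in the installer, because the revoked test certificate was only caught by the NSS client side. The following is an added example, not FreeIPA code and not the python-nss or certutil path discussed in the thread: it uses the python-cryptography library to do the two steps Petr describes as out of scope for IPA, namely reading the CRL distribution point out of a certificate and checking the certificate's serial against a CRL, with the CRL's issuer and signature verified first so that a forged or foreign CRL cannot make a revoked certificate look valid. The CA, the server certificate, the CRL and the CRL URL are all constructed in memory for the example; fetching the CRL from the URL is left out so the block runs offline.

```python
# Added example (not FreeIPA code): check a certificate against a CRL with
# python-cryptography. All keys, certificates and the CRL are generated in
# memory here; the CA name and the CRL URL are constructed placeholders.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

CRL_URL = "http://ipa.example.com/ipa/crl/MasterCRL.bin"  # constructed placeholder


def _now():
    return datetime.now(timezone.utc)


def make_ca():
    """Self-signed test CA (constructed for this example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Example CA"),
    ])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_leaf(ca_key, ca_cert, hostname="ipa.example.com"):
    """Server certificate carrying a CRL distribution point extension."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example"),
        x509.NameAttribute(NameOID.COMMON_NAME, hostname),
    ])
    cdp = x509.CRLDistributionPoints([
        x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(CRL_URL)],
            relative_name=None, reasons=None, crl_issuer=None,
        )
    ])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=90))
        .add_extension(cdp, critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now() - timedelta(hours=1))
        .next_update(_now() + timedelta(days=1))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(_now() - timedelta(hours=1))
            .build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def crl_distribution_points(cert):
    """URLs from the certificate's CRL distribution point extension (empty if absent)."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [
        name.value
        for dp in ext.value
        for name in (dp.full_name or [])
        if isinstance(name, x509.UniformResourceIdentifier)
    ]


def is_revoked(cert, crl, ca_cert):
    """True if the CRL, verified against ca_cert, lists cert's serial number.

    A CRL from another issuer, one whose signature does not verify, or one past
    its next_update is rejected instead of being read as 'not revoked'."""
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match certificate issuer")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA certificate")
    nxt = getattr(crl, "next_update_utc", None)  # attribute name depends on library version
    if nxt is not None and nxt < _now():
        raise ValueError("CRL is past its next_update time")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, server_cert = make_leaf(ca_key, ca_cert)
    print("CRL distribution points:", crl_distribution_points(server_cert))
    crl = make_crl(ca_key, ca_cert, [server_cert.serial_number])
    print("revoked:", is_revoked(server_cert, crl, ca_cert))
```

The serial lookup alone is the easy part; the checks on issuer, signature and freshness are what keep a CRL that anyone could have produced from passing as the CA's word, which is the same trust question the thread raises about importing a downloaded CRL into the NSS databases.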



