[Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

Martin Kosek mkosek at redhat.com
Tue Apr 2 13:38:13 UTC 2013


On 04/02/2013 12:06 PM, Petr Viktorin wrote:
> On 04/02/2013 12:05 PM, Petr Viktorin wrote:
>> On 04/02/2013 10:48 AM, Jan Cholasta wrote:
>>> On 29.3.2013 15:31, Petr Viktorin wrote:
>>>> On 03/29/2013 11:20 AM, Jan Cholasta wrote:
>>>>> On 29.3.2013 11:14, Jan Cholasta wrote:
>>>>>> Also I was able to install IPA with revoked certificates, but it
>>>>>> doesn't
>>>>>> seem to break anything - the CRL specified in the certificates' CRL
>>>>>> distribution point is not automatically imported into any of the NSS
>>>>>> databases and when it is imported manually, everything still seems to
>>>>>> work fine. I haven't checked OCSP. Can and/or do we want to do
>>>>>> something
>>>>>> about this?
>>>>>
>>>>> Update: the ipa command does not work:
>>>>>
>>>>> $ ipa host-show $HOSTNAME --all --raw
>>>>> ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
>>>>> ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
>>>>> ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
>>>>> -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
>>>>> revoked.
>>>>
>>>> I think we can live with not checking CRLs now. I haven't found a way to
>>>> download CRLs with certutil or python-nss (short of explicitly examining
>>>> the certs, downloading the CRL and importing it, but I don't think IPA
>>>> is the place for that).
>>>> I've asked John.
>>>
>>> OK, thanks.
>>>
>>>>
>>>>>> Patch 205:
>>>>>>
>>>>>> Can we instead require the PKCS#12 files to always contain the whole
>>>>>> certificate chain? IMO that way it would be more obvious what should
>>>>>> actually be in the files and it would make things easier should there
>>>>>> ever be need for --root-ca-subject.
>>>>
>>>> Not requiring the root CA is a convenient shortcut. It's common to have
>>>> certs signed directly by the CA, and in this case you can use either a
>>>> single-cert PKCS#12 or one with the full chain.
>>>> Actually, originally the full chain was required, and a user already
>>>> complained :)
>>>>
>>>> If we add a new option, we can specify its requirements on the other
>>>> options.
>>>
>>> No problem.
>>>
>>>>
>>>> Adding a new patch for client installation.
>>>>
>>
>> I found one more bug: the replica wasn't setting the ra_plugin option
>> properly, preventing installing a replica of a replica.
>> I squashed the following change into 204:
>>
>> diff --git a/install/tools/ipa-replica-install
>> b/install/tools/ipa-replica-install
>> index 8fce3a8..af80c1e 100755
>> --- a/install/tools/ipa-replica-install
>> +++ b/install/tools/ipa-replica-install
>> @@ -539,6 +539,9 @@ def main():
>>               fd.write("ra_plugin=dogtag\n")
>>               fd.write("dogtag_version=%s\n" %
>>                   dogtag.install_constants.DOGTAG_VERSION)
>> +        else:
>> +            fd.write("enable_ra=False\n")
>> +            fd.write("ra_plugin=none\n")
>>           fd.write("mode=production\n")
>>           fd.close()
>>       finally:
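Review bot: The two branches of this hunk are asymmetric: the new `else:` branch writes both `enable_ra=False` and `ra_plugin=none`, while the existing dogtag branch only writes `ra_plugin=dogtag` and `dogtag_version=...`, so whether the RA is enabled on a CA-bearing replica depends on an implicit default for `enable_ra` rather than on what ends up in the generated config. Consider writing `enable_ra=True` explicitly in the dogtag branch as well, so the file is self-describing and a reader (or a later "replica of a replica" install like the one this fixes) can tell the intended RA state from the config alone. A one-line comment above the `else:` naming the no-CA case would also help, since the condition it pairs with is not visible here.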
>>
> 
> I forgot to attach the patches; here they are.
> 
>>
>>> This is nothing critical, but I think that make-testcert should check if
>>> dogtag is installed and when it's not, print a message informing the
>>> user that they should issue the test certificate manually and place it
>>> in the appropriate location.
>>>
>>> Besides that, ACK.
>>
>> I'll make another patch so this set is not delayed.
>>
>>> Honza
>>>

ACK for the small diff change. The rest was already reviewed by Jan. Thanks to
both!

Pushed all patches to master.

Martin



