[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Martin Kosek mkosek at redhat.com
Mon Apr 15 16:08:14 UTC 2013


On 04/15/2013 03:42 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 04/04/2013 09:14 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> Hello,
>>>>
>>>> These patches convert selfsign masters to CA-less on upgrade, and remove
>>>> all selfsign-related code
>>>>
>>>> The files the CA uses are left around for admins to pick up cert
>>>> management manually. Instructions for that are provided in the design
>>>> document. They pretty much just document what the selfsign CA did.
>>>> Removing the automation may seem like a step backwards, but when the
>>>> steps are just a wiki page, the admins can adjust for their needs (e.g.
>>>> issue wildcard certs). For an automated solution we have Dogtag.
>>>>
>>>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>>>
>>>> (Note that removing the --selfsign *option*, not functionality, has a
>>>> separate ticket and design doc.)
>>>
>>> As I've been looking at this I'm having some reservations about this. It is
>>> going to remove functionality from a running server. And once gone I don't
>>> think one could easily get it back.
>>>
>>> I guess I'd be fine deprecating it and no longer providing any support, and
>>> strongly recommending that people move away from it, but dropping it
>>> mid-release seems rather strict.
>>>
>>> rob
>>
>> I am thinking that keeping the nonfunctional selfsign code would rather create a
>> mess, I would personally tend towards removing that in 3.2. As this patch also
>> converts selfsign installations to CA-less, current selfsign installation would
>> still work - except creating replicas where people would need to generate certs
>> for the replica.
>>
>> I also did not see much resistance or concerns when Petr sent a Heads-up mail
>> to freeipa-users (but of course, not every one of our users reads that).
>> https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html
>>
>> Martin
>>
> 
> You can also more easily issue server certs for services, and enrolled clients
> get a server cert.
> 
> rob

We had a discussion about this topic in a meeting and we have agreed on
removing the selfsign completely. This will still not be the end of the world for
users running selfsign servers (if there are any) as they could use the new
CA-less feature to generate certs for a replica or other certs.

Moving to review of this patch.

1) Upgrade of the actual selfsigned server did not seem to work for me:

The selfsigned master broke after I upgraded from a 3.1.3 selfsigned server.

# ipa cert-show 1
ipa: ERROR: an internal error has occurred

httpd's error_log:
[Mon Apr 15 11:53:15.080995 2013] [:error] [pid 6020] ipa: ERROR: non-public: AttributeError: 'NameSpace' object has no attribute 'ra'
[Mon Apr 15 11:53:15.081047 2013] [:error] [pid 6020] Traceback (most recent call last):
[Mon Apr 15 11:53:15.081053 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
[Mon Apr 15 11:53:15.081058 2013] [:error] [pid 6020]     result = self.Command[name](*args, **options)
[Mon Apr 15 11:53:15.081062 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Mon Apr 15 11:53:15.081067 2013] [:error] [pid 6020]     ret = self.run(*args, **options)
[Mon Apr 15 11:53:15.081071 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 729, in run
[Mon Apr 15 11:53:15.081076 2013] [:error] [pid 6020]     result = self.execute(*args, **options)
[Mon Apr 15 11:53:15.081080 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 530, in execute
[Mon Apr 15 11:53:15.081085 2013] [:error] [pid 6020]     result=self.Backend.ra.get_certificate(serial_number)
[Mon Apr 15 11:53:15.081089 2013] [:error] [pid 6020] AttributeError: 'NameSpace' object has no attribute 'ra'


Maybe the reason is that the selfsign server's default.conf still has enable_ra
set to "True"?

# cat /etc/ipa/default.conf
[global]
host=vm-037.idm.lab.bos.redhat.com
basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
realm=IDM.LAB.BOS.REDHAT.COM
domain=idm.lab.bos.redhat.com
xmlrpc_uri=https://vm-037.idm.lab.bos.redhat.com/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
enable_ra=True
mode=production


2) Upgrade of a selfsigned replica seemed OK, but I still see its httpd and
dirsrv certificates being tracked by certmonger, when I list them with
"ipa-getcert list"...

Martin