[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Petr Viktorin pviktori at redhat.com
Mon Apr 15 16:41:20 UTC 2013


On 04/15/2013 06:08 PM, Martin Kosek wrote:
> On 04/15/2013 03:42 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 04/04/2013 09:14 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> Hello,
>>>>>
>>>>> These patches convert selfsign masters to CA-less on upgrade, and remove
>>>>> all selfsign-related code
>>>>>
>>>>> The files the CA uses are left around for admins to pick up cert
>>>>> management manually. Instructions for that are provided in the design
>>>>> document. They pretty much just document what the selfsign CA did.
>>>>> Removing the automation may seem like a step backwards, but when the
>>>>> steps are just a wiki page, the admins can adjust for their needs (e.g.
>>>>> issue wildcard certs). For an automated solution we have Dogtag.
>>>>>
>>>>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>>>>
>>>>> (Note that removing the --selfsign *option*, not functionality, has a
>>>>> separate ticket and design doc.)
>>>>
>>>> As I've been looking at this I'm having some reservations about this. It is
>>>> going to remove functionality from a running server. And once gone I don't
>>>> think one could easily get it back.
>>>>
>>>> I guess I'd be fine deprecating it and no longer providing any support, and
>>>> strongly recommending that people move away from it, but dropping it
>>>> mid-release seems rather strict.
>>>>
>>>> rob
>>>
>>> I am thinking that keeping the nonfunctional selfsign code would rather create
>>> a mess; I would personally tend toward removing it in 3.2. As this patch also
>>> converts selfsign installations to CA-less, current selfsign installations would
>>> still work, except for creating replicas, where people would need to generate
>>> certs for the replica.
>>>
>>> I also did not see much resistance or concerns when Petr sent a heads-up mail
>>> to freeipa-users (but of course, not every user of ours reads that).
>>> https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html
>>>
>>> Martin
>>>
>>
>> You can also more easily issue server certs for services, and enrolled clients
>> get a server cert.
>>
>> rob
>
> We had a discussion about this topic in a meeting and we have agreed on
> removing selfsign completely. This will still not be the end of the world for
> users running selfsign servers (if there are any), as they could use the new
> CA-less feature to generate certs for replicas or other certs.
>
> Moving to review of this patch.
>
> 1) Upgrade of the actual selfsigned server did not seem to work for me:
>
> The selfsigned master broke after I upgraded from a 3.1.3 selfsigned server.
>
> # ipa cert-show 1
> ipa: ERROR: an internal error has occurred
>
> httpd's error_log:
> [Mon Apr 15 11:53:15.080995 2013] [:error] [pid 6020] ipa: ERROR: non-public: AttributeError: 'NameSpace' object has no attribute 'ra'
> [Mon Apr 15 11:53:15.081047 2013] [:error] [pid 6020] Traceback (most recent call last):
> [Mon Apr 15 11:53:15.081053 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
> [Mon Apr 15 11:53:15.081058 2013] [:error] [pid 6020]     result = self.Command[name](*args, **options)
> [Mon Apr 15 11:53:15.081062 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
> [Mon Apr 15 11:53:15.081067 2013] [:error] [pid 6020]     ret = self.run(*args, **options)
> [Mon Apr 15 11:53:15.081071 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 729, in run
> [Mon Apr 15 11:53:15.081076 2013] [:error] [pid 6020]     result = self.execute(*args, **options)
> [Mon Apr 15 11:53:15.081080 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 530, in execute
> [Mon Apr 15 11:53:15.081085 2013] [:error] [pid 6020]     result=self.Backend.ra.get_certificate(serial_number)
> [Mon Apr 15 11:53:15.081089 2013] [:error] [pid 6020] AttributeError: 'NameSpace' object has no attribute 'ra'
>
>
> Maybe the reason is that the selfsign server's default.conf still has enable_ra
> set to "True"?
>
> # cat /etc/ipa/default.conf
> [global]
> host=vm-037.idm.lab.bos.redhat.com
> basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> realm=IDM.LAB.BOS.REDHAT.COM
> domain=idm.lab.bos.redhat.com
> xmlrpc_uri=https://vm-037.idm.lab.bos.redhat.com/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
> enable_ra=True
> mode=production
>
>
> 2) Upgrade of a selfsigned replica seemed OK, but I still see its httpd and
> dirsrv certificates being tracked by certmonger when I list them with
> "ipa-getcert list"...
>
> Martin
>

Thanks for the catch. Here's a fixed version of the patches.


-- 
Petr³
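The failure Martin reports in item 1 comes down to a configuration/code mismatch: default.conf still says enable_ra=True, but after the selfsign-to-CA-less conversion there is no CA, so the cert plugins reach for a Backend.ra that was never registered and the user sees "an internal error has occurred". The following is an added example, not FreeIPA code and not one of the attached patches: it parses a default.conf in the format quoted above (the sample is constructed, with placeholder hostnames), reports the inconsistency an admin would want to catch after such an upgrade, and produces a corrected file with enable_ra=False. The ca_installed flag is an assumption standing in for however the check would actually learn whether Dogtag is present on the master.

```python
"""Post-upgrade consistency check for an IPA-style /etc/ipa/default.conf.

Added example (not FreeIPA code). Catches the state described in the thread:
enable_ra=True left behind on a master that no longer has a CA, which makes
cert commands fail with "'NameSpace' object has no attribute 'ra'".
"""
import configparser
import io

# Constructed sample mirroring the default.conf quoted in the thread,
# with placeholder host/realm values.
SAMPLE_DEFAULT_CONF = """\
[global]
host=master.example.test
basedn=dc=example,dc=test
realm=EXAMPLE.TEST
domain=example.test
xmlrpc_uri=https://master.example.test/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
enable_ra=True
mode=production
"""

TRUE_VALUES = ("true", "1", "yes", "on")


def _parser():
    # RawConfigParser: no %-interpolation, because ldap_uri contains %2f.
    return configparser.RawConfigParser()


def parse_default_conf(text):
    """Return the [global] section as a plain dict (keys lower-cased)."""
    parser = _parser()
    parser.read_string(text)
    return dict(parser.items("global"))


def ra_enabled(conf):
    """Interpret enable_ra the way a boolean option is normally read."""
    return conf.get("enable_ra", "False").strip().lower() in TRUE_VALUES


def check_ra_consistency(conf, ca_installed):
    """Return a list of findings; empty means the config matches reality.

    ca_installed is an assumed input: True when a CA (Dogtag) is present on
    this master, False on a CA-less or converted-from-selfsign master.
    """
    findings = []
    if ra_enabled(conf) and not ca_installed:
        findings.append(
            "enable_ra=True but no CA is installed: cert-* commands will look "
            "up the missing 'ra' backend and fail; set enable_ra=False"
        )
    return findings


def disable_ra(text):
    """Return default.conf text with enable_ra forced to False.

    Other keys and the key=value layout (no spaces around '=') are preserved.
    """
    parser = _parser()
    parser.read_string(text)
    parser.set("global", "enable_ra", "False")
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    conf = parse_default_conf(SAMPLE_DEFAULT_CONF)
    for finding in check_ra_consistency(conf, ca_installed=False):
        print("FINDING:", finding)
    print(disable_ra(SAMPLE_DEFAULT_CONF))
```

Run against the real file, the check would be the first thing to consult when "ipa cert-show" returns an internal error right after an upgrade; the corrected text is what the upgrade step should have written, and writing it back (and restarting httpd) is the manual remedy for the state Martin hit.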

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0210.2-Uninstall-selfsign-CA-on-upgrade.patch
Type: text/x-patch
Size: 5782 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130415/1e538a28/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0211.2-Remove-obsolete-self-sign-references-from-man-pages-.patch
Type: text/x-patch
Size: 6039 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130415/1e538a28/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0212.2-Drop-selfsign-server-functionality.patch
Type: text/x-patch
Size: 54756 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130415/1e538a28/attachment-0002.bin>