[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Rob Crittenden rcritten at redhat.com
Mon Apr 15 20:57:14 UTC 2013


Petr Viktorin wrote:
> On 04/15/2013 06:08 PM, Martin Kosek wrote:
>> On 04/15/2013 03:42 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 04/04/2013 09:14 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> Hello,
>>>>>>
>>>>>> These patches convert selfsign masters to CA-less on upgrade, and
>>>>>> remove
>>>>>> all selfsign-related code
>>>>>>
>>>>>> The files the CA uses are left around for admins to pick up cert
>>>>>> management manually. Instructions for that are provided in the design
>>>>>> document. They pretty much just document what the selfsign CA did.
>>>>>> Removing the automation may seem like a step backwards, but when the
>>>>>> steps are just a wiki page, the admins can adjust for their needs
>>>>>> (e.g.
>>>>>> issue wildcard certs). For an automated solution we have Dogtag.
>>>>>>
>>>>>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>>>>>
>>>>>> (Note that removing the --selfsign *option*, not functionality, has a
>>>>>> separate ticket and design doc.)
>>>>>
>>>>> As I've been looking at this I'm having some reservations about
>>>>> this. It is
>>>>> going to remove functionality from a running server. And once gone
>>>>> I don't
>>>>> think one could easily get it back.
>>>>>
>>>>> I guess I'd be fine deprecating it and no longer providing any
>>>>> support, and
>>>>> strongly recommending that people move away from it, but dropping it
>>>>> mid-release seems rather strict.
>>>>>
>>>>> rob
>>>>
>>>> I am thinking that keeping the nonfunctional selfsign code would
>>>> rather create a mess; I would personally tend toward removing that
>>>> in 3.2. As this patch
>>>> also
>>>> converts selfsign installations to CA-less, current selfsign
>>>> installation would
>>>> still work - except creating replicas where people would need to
>>>> generate certs
>>>> for the replica.
>>>>
>>>> I also did not see much resistance or concerns when Petr sent a
>>>> Heads-up mail
>>>> to freeipa-users (but of course, not every one of our users reads that).
>>>> https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html
>>>>
>>>> Martin
>>>>
>>>
>>> You can also more easily issue server certs for services, and
>>> enrolled clients
>>> get a server cert.
>>>
>>> rob
>>
>> We had a discussion about this topic on a meeting and we have agreed on
>> removing the selfsign completely. This will still not be the end of the
>> world for
>> users running selfsign servers (if there are any) as they could use
>> the new
>> CA-less feature to generate certs for replica or other certs.
>>
>> Moving to review of this patch.
>>
>> 1) Upgrade of the actual selfsigned server did not seem to work for me:
>>
>> selfsigned master broke after I upgraded from 3.1.3 selfsigned server.
>>
>> # ipa cert-show 1
>> ipa: ERROR: an internal error has occurred
>>
>> httpd's error_log:
>> [Mon Apr 15 11:53:15.080995 2013] [:error] [pid 6020] ipa: ERROR: non-public: AttributeError: 'NameSpace' object has no attribute 'ra'
>> [Mon Apr 15 11:53:15.081047 2013] [:error] [pid 6020] Traceback (most recent call last):
>> [Mon Apr 15 11:53:15.081053 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
>> [Mon Apr 15 11:53:15.081058 2013] [:error] [pid 6020]     result = self.Command[name](*args, **options)
>> [Mon Apr 15 11:53:15.081062 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
>> [Mon Apr 15 11:53:15.081067 2013] [:error] [pid 6020]     ret = self.run(*args, **options)
>> [Mon Apr 15 11:53:15.081071 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 729, in run
>> [Mon Apr 15 11:53:15.081076 2013] [:error] [pid 6020]     result = self.execute(*args, **options)
>> [Mon Apr 15 11:53:15.081080 2013] [:error] [pid 6020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 530, in execute
>> [Mon Apr 15 11:53:15.081085 2013] [:error] [pid 6020]     result=self.Backend.ra.get_certificate(serial_number)
>> [Mon Apr 15 11:53:15.081089 2013] [:error] [pid 6020] AttributeError: 'NameSpace' object has no attribute 'ra'
>>
>>
>> Maybe the reason is that the selfsign server's default.conf has still
>> enable_ra
>> set to "True"?
>>
>> # cat /etc/ipa/default.conf
>> [global]
>> host=vm-037.idm.lab.bos.redhat.com
>> basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> realm=IDM.LAB.BOS.REDHAT.COM
>> domain=idm.lab.bos.redhat.com
>> xmlrpc_uri=https://vm-037.idm.lab.bos.redhat.com/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
>> enable_ra=True
>> mode=production
>>
>>
>> 2) Upgrade of a selfsigned replica seemed OK, but I still see its
>> httpd and
>> dirsrv certificates being tracked by certmonger, when I list them with
>> "ipa-getcert list"...
>>
>> Martin
>>
>
> Thanks for the catch. Here's a fixed version of the patches.

ACK, pushed to master

rob
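As an added example that is not part of this thread, the patches, or the FreeIPA code base: a small check for the leftover `enable_ra=True` that Martin's review points at as the likely cause of the `'NameSpace' object has no attribute 'ra'` failure. It parses a default.conf constructed to match the one quoted above and rewrites `enable_ra` to `False` when no CA backs the `ra` backend. Whether a CA is installed is passed in as a plain boolean (`ca_installed`, an assumption of this example); real upgrade code would establish that itself rather than take it as an argument.

```python
"""Detect and repair a stale enable_ra=True in an IPA default.conf on a
server that has been converted from selfsign to CA-less.

Example code written for this page; it is not FreeIPA's own upgrade logic.
"""
import configparser

# Constructed sample, modelled on the default.conf quoted in the thread.
SAMPLE_DEFAULT_CONF = """\
[global]
host=vm-037.idm.lab.bos.redhat.com
basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
realm=IDM.LAB.BOS.REDHAT.COM
domain=idm.lab.bos.redhat.com
xmlrpc_uri=https://vm-037.idm.lab.bos.redhat.com/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
enable_ra=True
mode=production
"""


def parse_default_conf(text):
    """Parse default.conf text.

    RawConfigParser is used deliberately: ldap_uri contains '%2f', which the
    default '%'-interpolation of ConfigParser would choke on.
    """
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def ra_enabled(cp):
    """True when [global] enable_ra is set to a true value (default False)."""
    return cp.getboolean("global", "enable_ra", fallback=False)


def find_stale_ra(cp, ca_installed):
    """Return True when enable_ra is on but no CA backs the 'ra' backend.

    On such a server any command that reaches self.Backend.ra (for example
    'ipa cert-show') fails with AttributeError, as in the quoted traceback.
    'ca_installed' is assumed to be supplied by the caller.
    """
    return ra_enabled(cp) and not ca_installed


def fix_enable_ra(text, ca_installed):
    """Return the config text with enable_ra forced to False if it is stale.

    Other lines are left byte-for-byte as they were; only the enable_ra line
    in [global] is rewritten, so comments and ordering survive.
    """
    if not find_stale_ra(parse_default_conf(text), ca_installed):
        return text  # consistent already; nothing to change
    fixed = []
    for line in text.splitlines(keepends=True):
        key = line.split("=", 1)[0].strip()
        fixed.append("enable_ra=False\n" if key == "enable_ra" else line)
    return "".join(fixed)


if __name__ == "__main__":
    conf = parse_default_conf(SAMPLE_DEFAULT_CONF)
    if find_stale_ra(conf, ca_installed=False):
        print("enable_ra=True but no CA present; rewriting:")
        print(fix_enable_ra(SAMPLE_DEFAULT_CONF, ca_installed=False))
```

The check is deliberately read-only until the mismatch is confirmed, so running it against a server that still has a CA (pass `ca_installed=True`) returns the file unchanged.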