[Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

Jan Cholasta jcholast at redhat.com
Fri Mar 29 10:14:06 UTC 2013 

On 28.3.2013 18:14, Petr Viktorin wrote:
> And another update.
>
> Patch 204: Fix default ID range in ipa-server-install
> New patch 206: The host plugin assumed cert-* commands are always
> available, and failed when removing/upddating a host because it could
> not revoke the certificate. This leaves out the revocation if there's no
> CA.
>
> The tests should pass now.
>
>
> The Web UI currently assumes cert-* commands are always available. I'm
> testing a patch from Petr¹ that will fix this.
>
> Also, clients currently call cert-request via certmonger. This fails. A
> patch to not request the host certificate in ipa-client-install is
> coming up.
> As far as I know, the failing request doesn't hurt anything; old clients
> should work fine, certmonger will just spam the syslog.
> I'll add steps to remove the request on old clients to the design doc.
>


Patch 204:

All the validation check in ipa-server-install should also be done in 
ipa-replica-prepare. It is possible to prepare a replica with invalid 
certificates, which makes ipa-replica-install fail in the middle of the 
install process.

Also I was able to install IPA with revoked certificates, but it doesn't 
seem to break anything - the CRL specified in the certificates' CRL 
distribution point is not automatically imported into any of the NSS 
databases and when it is imported manually, everything still seems to 
work fine. I haven't checked OCSP. Can and/or do we want to do something 
about this?


Patch 205:

Can we instead require the PKCS#12 files to always contain the whole 
certificate chain? IMO that way it would be more obvious what should 
actually be in the files and it would make things easier should there 
ever be need for --root-ca-subject.


Patch 206:

In host_del and host_disable, this doesn't have to be done when 
enable_ra is False:

         try:
             (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
         except errors.NotFound:
             self.obj.handle_not_found(*keys)

In host_disable, I think this should be done even when enable_ra is False:

             # Remove the usercertificate altogether
             ldap.update_entry(dn, {'usercertificate': None})


Honza

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list