[Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

Jan Cholasta jcholast at redhat.com
Fri Mar 29 10:20:17 UTC 2013


On 29.3.2013 11:14, Jan Cholasta wrote:
> On 28.3.2013 18:14, Petr Viktorin wrote:
>> And another update.
>>
>> Patch 204: Fix default ID range in ipa-server-install
>> New patch 206: The host plugin assumed cert-* commands are always
>> available, and failed when removing/updating a host because it could
>> not revoke the certificate. This leaves out the revocation if there's no
>> CA.
>>
>> The tests should pass now.
>>
>>
>> The Web UI currently assumes cert-* commands are always available. I'm
>> testing a patch from Petr¹ that will fix this.
>>
>> Also, clients currently call cert-request via certmonger. This fails. A
>> patch to not request the host certificate in ipa-client-install is
>> coming up.
>> As far as I know, the failing request doesn't hurt anything; old clients
>> should work fine, certmonger will just spam the syslog.
>> I'll add steps to remove the request on old clients to the design doc.
>>
>
>
> Patch 204:
>
> All the validation check in ipa-server-install should also be done in
> ipa-replica-prepare. It is possible to prepare a replica with invalid
> certificates, which makes ipa-replica-install fail in the middle of the
> install process.
>
> Also I was able to install IPA with revoked certificates, but it doesn't
> seem to break anything - the CRL specified in the certificates' CRL
> distribution point is not automatically imported into any of the NSS
> databases and when it is imported manually, everything still seems to
> work fine. I haven't checked OCSP. Can and/or do we want to do something
> about this?

Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example" ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.

>
>
> Patch 205:
>
> Can we instead require the PKCS#12 files to always contain the whole
> certificate chain? IMO that way it would be more obvious what should
> actually be in the files and it would make things easier should there
> ever be need for --root-ca-subject.
>
>
> Patch 206:
>
> In host_del and host_disable, this doesn't have to be done when
> enable_ra is False:
>
>          try:
>              (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
>          except errors.NotFound:
>              self.obj.handle_not_found(*keys)
>
> In host_disable, I think this should be done even when enable_ra is False:
>
>              # Remove the usercertificate altogether
>              ldap.update_entry(dn, {'usercertificate': None})
>
>
> Honza
>


-- 
Jan Cholasta
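The control flow the review asks for in host_disable (skip the usercertificate lookup and revocation when enable_ra is False, but always remove the attribute), as an added example that is not FreeIPA's own code: the LDAP and RA backends are stand-ins constructed here, and NotFound stands in for ipalib.errors.NotFound.

```python
# Added illustration, not FreeIPA code: the host_disable control flow suggested
# in the review, with stand-in LDAP/RA objects constructed here for the demo.
from dataclasses import dataclass, field

class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""

@dataclass
class FakeLDAP:
    """In-memory entry store that records every call made against it."""
    entries: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)

    def get_entry(self, dn, attrs):
        self.calls.append(("get_entry", dn))
        if dn not in self.entries:
            raise NotFound(dn)
        return dn, {a: self.entries[dn].get(a) for a in attrs}

    def update_entry(self, dn, attrs):
        self.calls.append(("update_entry", dn))
        if dn not in self.entries:
            raise NotFound(dn)
        self.entries[dn].update(attrs)

@dataclass
class FakeRA:
    """Stand-in for the RA backend; records serials it was asked to revoke."""
    revoked: list = field(default_factory=list)

    def revoke(self, serial):
        self.revoked.append(serial)

def host_disable(ldap, ra, enable_ra, dn, serial_of):
    """Revoke the host certificate only when a CA (RA) is available, but
    always clear usercertificate so a CA-less install behaves the same."""
    if enable_ra:
        # The entry lookup exists only to find the serial to revoke, so it is
        # skipped entirely when there is no CA.
        try:
            _, entry_attrs = ldap.get_entry(dn, ['usercertificate'])
        except NotFound:
            raise NotFound(f"host {dn} not found")  # handle_not_found in IPA
        cert = entry_attrs.get('usercertificate')
        if cert is not None:
            ra.revoke(serial_of(cert))
    # Remove the usercertificate altogether, with or without a CA.
    ldap.update_entry(dn, {'usercertificate': None})
    return ldap.entries[dn]['usercertificate']
```

With enable_ra False the fake LDAP sees a single update_entry call and the RA is never touched; with it True the lookup, revocation and removal all happen in order.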