[Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

Petr Viktorin pviktori at redhat.com
Fri Mar 29 14:31:22 UTC 2013


Replying to other mail:
 > Patch 197:
 >
 > "We names of files with pkcs12 pins to installers ..."
 >
 > This sentence does not seem right to me.

Fixed

 > Patch 198:
 >
 > +    if setup_ca:
 > +        print "Be sure to back up the CA certificate stored in
 > /etc/httpd/alias/cacert.p12"
 > +        print "The password for this file is in
 > /etc/httpd/alias/pwdfile.txt"
 >
 > This is not the right message. This is the message for --selfsign.

Whoops, fixed

 > Patch 204:
 > +        http_cert_name =check_pkcs12(http_pkcs12_info,
 > ca_file, host_name)
 >
 > Missing space after equal sign.

Fixed

On 03/29/2013 11:20 AM, Jan Cholasta wrote:
> On 29.3.2013 11:14, Jan Cholasta wrote:
>> On 28.3.2013 18:14, Petr Viktorin wrote:
>>> And another update.
>>>
>>> Patch 204: Fix default ID range in ipa-server-install
>>> New patch 206: The host plugin assumed cert-* commands are always
>>> available, and failed when removing/updating a host because it could
>>> not revoke the certificate. This leaves out the revocation if there's no
>>> CA.
>>>
>>> The tests should pass now.
>>>
>>>
>>> The Web UI currently assumes cert-* commands are always available. I'm
>>> testing a patch from Petr¹ that will fix this.
>>>
>>> Also, clients currently call cert-request via certmonger. This fails. A
>>> patch to not request the host certificate in ipa-client-install is
>>> coming up.
>>> As far as I know, the failing request doesn't hurt anything; old clients
>>> should work fine, certmonger will just spam the syslog.
>>> I'll add steps to remove the request on old clients to the design doc.
>>>
>>
>>
>> Patch 204:
>>
>> All the validation check in ipa-server-install should also be done in
>> ipa-replica-prepare. It is possible to prepare a replica with invalid
>> certificates, which makes ipa-replica-install fail in the middle of the
>> install process.

Moved check_pkcs12 to installutils, calling it from both.
Thanks for the catch!

>> Also I was able to install IPA with revoked certificates, but it doesn't
>> seem to break anything - the CRL specified in the certificates' CRL
>> distribution point is not automatically imported into any of the NSS
>> databases and when it is imported manually, everything still seems to
>> work fine. I haven't checked OCSP. Can and/or do we want to do something
>> about this?
>
> Update: the ipa command does not work:
>
> $ ipa host-show $HOSTNAME --all --raw
> ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
> ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
> ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
> -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.

I think we can live with not checking CRLs now. I haven't found a way to 
download CRLs with certutil or python-nss (short of explicitly examining 
the certs, downloading the CRL and importing it, but I don't think IPA 
is the place for that).
I've asked John.

>> Patch 205:
>>
>> Can we instead require the PKCS#12 files to always contain the whole
>> certificate chain? IMO that way it would be more obvious what should
>> actually be in the files and it would make things easier should there
>> ever be need for --root-ca-subject.

Not requiring the root CA is a convenient shortcut. It's common to have 
certs signed directly by the CA, and in this case you can use either a 
single-cert PKCS#12 or one with the full chain.
Actually, originally the full chain was required, and a user already 
complained :)

If we add a new option, we can specify its requirements on the other 
options.

>> Patch 206:
>>
>> In host_del and host_disable, this doesn't have to be done when
>> enable_ra is False:
>>
>>          try:
>>              (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
>>          except errors.NotFound:
>>              self.obj.handle_not_found(*keys)

It does in host_disable, for done_work.
Removed in host_del.

>> In host_disable, I think this should be done even when enable_ra is
>> False:
>>
>>              # Remove the usercertificate altogether
>>              ldap.update_entry(dn, {'usercertificate': None})

Changed.

Adding a new patch for client installation.

-- 
Petr³
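The validation discussed for patches 204 and 205 (the bundle must chain to the CA the installer was given, must name the host, and revocation is not checked unless a CRL is supplied), as an added shell example that is not FreeIPA's check_pkcs12 and assumes only the openssl command line; the sample CA, host certificate and pin file are constructed by the script itself:

```shell
#!/bin/sh
# Added example, not FreeIPA's check_pkcs12: validate a PKCS#12 server bundle
# before an installer trusts it. The password is read from a pin file, the
# leaf must chain to the expected CA (intermediates may ride along in the
# bundle) and it must name the host. Assumes the openssl CLI (>= 1.0.2).
# Returns 0 when valid, 1 on a validation failure, 2 when unreadable.
check_pkcs12() {
  p12=$1; pinfile=$2; cafile=$3; host=$4; crlfile=$5
  work=$(mktemp -d) || return 2
  # -clcerts: certs tied to the private key; -cacerts: the rest of the chain.
  openssl pkcs12 -in "$p12" -passin "file:$pinfile" -nokeys -clcerts \
      -out "$work/leaf.pem" >/dev/null 2>&1 || { rm -rf "$work"; return 2; }
  openssl pkcs12 -in "$p12" -passin "file:$pinfile" -nokeys -cacerts \
      -out "$work/chain.pem" >/dev/null 2>&1
  extra=""
  [ -s "$work/chain.pem" ] && extra="-untrusted $work/chain.pem"
  # Revocation is only checked when a CRL is handed in: openssl verify does
  # not fetch the CRL distribution point named in the certificate itself.
  [ -n "$crlfile" ] && extra="$extra -crl_check -CRLfile $crlfile"
  openssl verify -CAfile "$cafile" -verify_hostname "$host" $extra \
      "$work/leaf.pem" >/dev/null 2>&1
  rc=$?
  rm -rf "$work"
  [ "$rc" -eq 0 ] && return 0
  return 1
}

# Constructed sample (throwaway keys): a CA plus a host cert for $2, bundled
# as $1/server.p12 with its pin written to $1/server.pin.
make_sample_bundle() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -days 2 -in "$dir/host.csr" -CA "$dir/ca.pem" \
      -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
      -out "$dir/host.pem" >/dev/null 2>&1 || return 1
  printf 'pin-for-sample\n' > "$dir/server.pin"
  openssl pkcs12 -export -inkey "$dir/host.key" -in "$dir/host.pem" \
      -certfile "$dir/ca.pem" -passout "file:$dir/server.pin" \
      -out "$dir/server.p12" >/dev/null 2>&1
}

# Stand-alone run: d=$(mktemp -d); make_sample_bundle "$d" ipa.example.com
#   && check_pkcs12 "$d/server.p12" "$d/server.pin" "$d/ca.pem" ipa.example.com
```

A bundle that carries only the server certificate (no CA inside) still passes as long as the CA given on the command line issued it, which is the shortcut the thread keeps.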
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0197.5-ipa-server-install-Make-temporary-pin-files-availabl.patch
Type: text/x-patch
Size: 6417 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0198.5-ipa-server-install-Remove-the-selfsign-option.patch
Type: text/x-patch
Size: 10375 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0200.5-Remove-unused-ipapython.certdb.CertDB-class.patch
Type: text/x-patch
Size: 6266 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0201.5-ipaserver.install.certs-Introduce-NSSDatabase-as-a-m.patch
Type: text/x-patch
Size: 13843 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0202.5-Trust-CAs-from-PKCS-12-files-even-if-they-don-t-have.patch
Type: text/x-patch
Size: 1126 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0203.5-dsinstance-httpinstance-Don-t-hardcode-Server-Cert.patch
Type: text/x-patch
Size: 5772 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0204.5-Support-installing-with-custom-SSL-certs-without-a-C.patch
Type: text/x-patch
Size: 22742 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0205.5-Load-the-CA-cert-into-server-NSS-databases.patch
Type: text/x-patch
Size: 11090 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0206.5-Do-not-call-cert-commands-in-host-plugin-if-a-RA-is-.patch
Type: text/x-patch
Size: 10403 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0207.5-ipa-client-install-Do-not-request-host-certificate-i.patch
Type: text/x-patch
Size: 3996 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/b3115856/attachment-0009.bin>