[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal
Jan Cholasta
jcholast at redhat.com
Thu Apr 10 14:52:23 UTC 2014
On 7.4.2014 20:09, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches implement automatic CA certificate renewal as well
>>> as the initial version of the CA certificate management tool.
>>>
>>> Requires my patches 172-196.
>>>
>>> In order to test, you must install current git version of certmonger
>>> (see <https://fedorahosted.org/certmonger/ticket/26>) and set SELinux to
>>> permissive (see <https://bugzilla.redhat.com/show_bug.cgi?id=1078783>).
>>> Make sure you install certmonger before running
>>> ipa-server-install/ipa-replica-install. On F20 you can use RPMs located
>>> at <http://jcholast.fedorapeople.org/certmonger-git/>.
>>>
>>> To test automatic renewal, move system time forward (see
>>> <https://fedorahosted.org/freeipa/ticket/2803#comment:17> for more info
>>> about certificate renewal testing, nickname of the CA certificate is
>>> "caSigningCert cert-pki-ca"). In CA-full installs the renewal should be
>>> fully automatic, in CA-less installs you should be alerted via syslog to
>>> renew the certificate using ipa-cacert-manage.
>>>
>>> To test manual renewal, run "ipa-cacert-manage renew". You can run it on
>>> any CA master. To make the renewed certificate available on other CA
>>> masters, you must run "getcert resubmit -d /etc/pki/pki-tomcat/alias -n
>>> 'caSigningCert cert-pki-ca'" on each of them. Note that currently you
>>> can't change the chaining of the CA certificate.
>>
>> 241
>>
>> Not to be too anal, but would it be too outlandish to compare the
>> Authority Key Identifier (if there is one) with the Subject Key ID to
>> see if the cert is self-signed? Same subject then yeah, it is probably
>> self-signed. The keys match? Definitely.
Authority key identifier is not mandatory, so it's not good enough. You
could verify the certificate's signature with its public key, but I
haven't figured out how to do that in python-nss.
Also, if someone uses the subject name of the issuer for their CA
certificate, I think they will run into all kinds of problems anyway.
>>
>> 242
>>
>> I wonder if it would be clearer to use variables instead of a raw list
>> in the return value for these handlers: (result, message) = handler(...)
>> rather than examining result[0], etc. That may be beyond the scope of
>> this patch though.
Yes. It would be nice if certmonger included a Python module for helper
scripts...
>>
>> x509.normalize_certificate() can raise an exception, there should be a
>> try/except around it.
If there is an exception, it will be caught in the try/except block at
the end of the script.
>>
>> For an invalid cookie, please include the values seen in the environment
>> in the error message.
Added.
>>
>> 243
>>
>> You are going to end up with a lot of acis with the same comment value.
>> Perhaps add the host in there as well.
>>
>> These are not removed when a master is deleted.
I merely did the same thing as the "Add CA Certificates for renewals"
and "Modify CA Certificates for renewals" ACIs.
I agree it's suboptimal, but IMO it should be fixed in the scope of
<https://fedorahosted.org/freeipa/ticket/3416> (the "ipa masters
hostgroup" part).
>>
>> 244
>>
>> There are now several different places where the caCertificate value is
>> updated. I wonder if it's time for a function. I found it it in
>> dsinstance.py, upload_cacert and now renew_ca_cert.
I have a patch for that, but I haven't posted it yet, since there are
some other changes in it as well.
>>
>> 246
>>
>> caRenewalMaster should be checked when a replica is deleted and moved to
>> another master. This is a good idea. I wonder if a ticket should be
>> opened to do something similar for CRL generation.
Add new patch 262 for this.
+1 on doing the same for CRL generation.
>>
>> 247
>>
>> We've been burned by hardcoded timeouts in the past. Should this be
>> configurable? This module doesn't currently do any logging but it might
>> be worth spitting out a "waiting" message, at least for debugging.
Added a timeout argument.
I had logging in the code before, but I removed it when I moved the code
to ipapython.certmonger. Silly me. Fixed.
>>
>> 249
>>
>> nss_init() is always scary to me since we can only have one. I didn't
>> see anything blow up, just wondering if this should be wrapped with an
>> is_initialized()->shutdown() at the top.
Fixed (also for verify_server_cert_validity).
>>
>> The find_cert_from_nickname() should be in a try/except in case the cert
>> is not found for some reason.
I want the exception to be propagated to the caller in such case.
>>
>> 251
>>
>> The tool should provide some feedback while it's running. For the
>> impatient (me) it takes a really long time and it's hard to know what is
>> going on, something in between nothing and full debug output.
Added some messages about what's going on.
>>
>> The man page needs some more work too. I think some more explanation is
>> needed and an example would probably be really helpful as well. I think
>> particularly an example for external certs and a description of what you
>> mean by Self-signed CA (I assume you mean IPA-provided). I don't think
>> it really matters how many steps there are unless you are going to
>> provide progress output.
Reworded the man page a little bit.
>>
>> Got a backtrace when running as non-root:
>>
>> $ ipa-cacert-manage -v renew
>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 168, in
>> execute
>> self.validate_options()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py",
>>
>> line 62, in validate_options
>> super(CACertManage, self).validate_options(needs_root=True)
>> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>> 189, in validate_options
>> raise ScriptError('Must be root to run %s' % self.command_name, 1)
>>
>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
>> ipa-cacert-manage command failed, exception: ScriptError: Must be root
>> to run ipa-cacert-manage
>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be
>> root to run ipa-cacert-manage
That's correct, you can run it only as root, because you can't resubmit
certmonger requests as a regular user.
>>
>> 252
>>
>> In what context would this be executing? My guess is that certmonger is
>> trying to do the renewal but a new cert hasn't been issued yet, so this
>> gets sysloged?
If you have an externally signed CA that's about to expire and the
renewed version of it is not available in LDAP, then the message gets
syslogged.
>>
>> Still doing functional testing.
>
> My current scenario:
>
> 1. Newly installed IPA master with these patches.
> 2. Replica using IPA 3.3.4 (yeah, I cheated)
>
> While doing time travel I had a single cert fail on the initial master
> with this:
>
> ca-error: Server at https://lyra.example.com/ipa/xml failed
> request, will retry: 4204 (RPC failed at server. limits exceeded for
> this query).
>
> Mar 21 11:00:22 lyra ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Cannot contact any KDC for
> realm 'EXAMPLE.COM')
> Mar 21 11:00:22 lyra certmonger: 2016-03-21 11:00:22 [28676] Server at
> https://lyra.example.com/ipa/xml failed request, will retry: 4204 (RPC
> failed at server. limits exceeded for this query).
>
> From the access log:
>
> [21/Mar/2016:11:00:21 -0400] conn=49 op=5 SRCH
> base="krbprincipalname=HTTP/lyra.example.com at EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
> scope=0 filter="(objectClass=*)" attrs="userCertificate krbPrincipalName
> * ipaKrbAuthzData managedBy aci"
> [21/Mar/2016:11:00:21 -0400] conn=49 op=5 RESULT err=3 tag=101
> nentries=0 etime=17
>
> So yeah, 17 seconds is a long time.
>
> A resubmit fixed it and certmonger would have done this automatically if
> I had the patience, so not too worried about that.
OK.
>
> After moving time forward on the replica these certificates are in
> CA_WORKING:
>
> ipaCert
> auditSigningCert cert-pki-ca
> ocspSigningCert cert-pki-ca
> subsystemCert cert-pki-ca
>
> cn=ca_renewal is completely empty on the replica. On the master it only
> has the subsystemCert. I'm guessing this is at least partly due to my
> switching time one system at a time rather than (somewhat)
> simultaneously, but it still would have blown up with 3 missing certs.
Can you post the related log messages from /var/log/messages from the
master somewhere?
There's not much I can do about broken replication. I think you hit
<https://fedorahosted.org/389/ticket/47632>.
>
> rob
Thanks for the review.
Updated and rebased patches attached.
--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-241.1-Add-function-for-checking-if-certificate-is-self-sig.patch
Type: text/x-patch
Size: 897 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-242.1-Support-CA-certificate-renewal-in-dogtag-ipa-ca-rene.patch
Type: text/x-patch
Size: 3081 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-243.1-Allow-IPA-master-hosts-to-update-CA-certificate-in-L.patch
Type: text/x-patch
Size: 1130 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-244.1-Automatically-update-CA-certificate-in-LDAP-on-renew.patch
Type: text/x-patch
Size: 2304 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-245.1-Track-CA-certificate-using-dogtag-ipa-ca-renew-agent.patch
Type: text/x-patch
Size: 5096 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-246.1-Add-method-for-setting-CA-renewal-master-in-LDAP-to-.patch
Type: text/x-patch
Size: 2473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-247.1-Provide-additional-functions-to-ipapython.certmonger.patch
Type: text/x-patch
Size: 2106 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-248.1-Move-external-cert-validation-from-ipa-server-instal.patch
Type: text/x-patch
Size: 6022 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-249.1-Add-method-for-verifying-CA-certificates-to-NSSDatab.patch
Type: text/x-patch
Size: 2036 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-250.1-Add-permissions-for-CA-certificate-renewal.patch
Type: text/x-patch
Size: 2917 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-251.1-Add-CA-certificate-management-tool-ipa-cacert-manage.patch
Type: text/x-patch
Size: 16368 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-252.1-Alert-user-when-externally-signed-CA-is-about-to-exp.patch
Type: text/x-patch
Size: 1717 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-253.1-Load-sysupgrade.state-on-demand.patch
Type: text/x-patch
Size: 1349 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-262-Pick-new-CA-renewal-master-when-deleting-a-replica.patch
Type: text/x-patch
Size: 3780 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/54e33d73/attachment-0013.bin>
More information about the Freeipa-devel
mailing list