[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

Jan Cholasta jcholast at redhat.com
Wed Apr 16 09:04:37 UTC 2014


On 10.4.2014 22:06, Rob Crittenden wrote:
> Some in-line, a whole ton of data appended to end.
>
> Jan Cholasta wrote:
>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>>
>>>> 242
>>>>
>>>> I wonder if it would be clearer to use variables instead of a raw list
>>>> in the return value for these handlers: (result, message) =
>>>> handler(...)
>>>> rather than examining result[0], etc. That may be beyond the scope of
>>>> this patch though.
>>
>> Yes. It would be nice if certmonger included a Python module for helper
>> scripts...
>
> Yes, but what I mean is the internal handling returns tuples of data
> with unique variable names, then plucks them out positionally.

len(result) depends on result[0], so you can't do "result, message = 
handler(...)", because it would blow up when len(result) != 2.

>>>>
>>>> 243
>>>>
>>>> You are going to end up with a lot of acis with the same comment value.
>>>> Perhaps add the host in there as well.
>>>>
>>>> These are not removed when a master is deleted.
>>
>> I merely did the same thing as the "Add CA Certificates for renewals"
>> and "Modify CA Certificates for renewals" ACIs.
>>
>> I agree it's suboptimal, but IMO it should be fixed in the scope of
>> <https://fedorahosted.org/freeipa/ticket/3416> (the "ipa masters
>> hostgroup" part).
>
> There is a replica_cleanup() method in replication.py. I don't know why
> this couldn't be added there.

OK, added, see patch 263. But we should do the hostgroup thing anyway, 
this solution sucks.

>>>>
>>>> 247
>>>>
>>>> We've been burned by hardcoded timeouts in the past. Should this be
>>>> configurable? This module doesn't currently do any logging but it might
>>>> be worth spitting out a "waiting" message, at least for debugging.
>>
>> Added a timeout argument.
>
> Did you forget to send this one, I didn't see an update to 247.

Are you sure you have 247.1 (now 247.2)?

I can see at 
<http://www.redhat.com/archives/freeipa-devel/2014-April/msg00225.html> 
that I have sent the correct version of the patches.

>>>>
>>>> 251
>>>>
>>>> The tool should provide some feedback while it's running. For the
>>>> impatient (me) it takes a really long time and it's hard to know
>>>> what is
>>>> going on, something in between nothing and full debug output.
>>
>> Added some messages about what's going on.
>
> I don't see an update to 251 either.

Please make sure you have 251.1 (now 251.2).

>
>>>>
>>>> The man page needs some more work too. I think some more explanation is
>>>> needed and an example would probably be really helpful as well. I think
>>>> particularly an example for external certs and a description of what
>>>> you
>>>> mean by Self-signed CA (I assume you mean IPA-provided). I don't think
>>>> it really matters how many steps there are unless you are going to
>>>> provide progress output.
>>
>> Reworded the man page a little bit.
>>
>>>>
>>>> Got a backtrace when running as non-root:
>>>>
>>>> $ ipa-cacert-manage -v renew
>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 168, in
>>>> execute
>>>>      self.validate_options()
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py",
>>>> line 62, in validate_options
>>>>      super(CACertManage, self).validate_options(needs_root=True)
>>>>    File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>>>> 189, in validate_options
>>>>      raise ScriptError('Must be root to run %s' % self.command_name, 1)
>>>>
>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
>>>> ipa-cacert-manage command failed, exception: ScriptError: Must be root
>>>> to run ipa-cacert-manage
>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be
>>>> root to run ipa-cacert-manage
>>
>> That's correct, you can run it only as root, because you can't resubmit
>> certmonger requests as a regular user.
>
> Yes but one shouldn't get a traceback!

You get the traceback only in verbose mode. I did not invent this, it's 
how ipapython.admintool does things.

>>>
>>> After moving time forward on the replica these certificates are in
>>> CA_WORKING:
>>>
>>> ipaCert
>>> auditSigningCert cert-pki-ca
>>> ocspSigningCert cert-pki-ca
>>> subsystemCert cert-pki-ca
>>>
>>> cn=ca_renewal is completely empty on the replica. On the master it only
>>> has the subsystemCert. I'm guessing this is at least partly due to my
>>> switching time one system at a time rather than (somewhat)
>>> simultaneously, but it still would have blown up with 3 missing certs.
>>
>> Can you post the related log messages from /var/log/messages from the
>> master somewhere?
>>
>> There's not much I can do about broken replication. I think you hit
>> <https://fedorahosted.org/389/ticket/47632>.
>>
>>>
>>> rob
>>
>> Thanks for the review.
>>
>> Updated and rebased patches attached.
>>
>
> Patch 262 has lots of lint errors because you're adding arguments to
> functions that don't currently define one, is_renewal_master() for example.

They are defined in patch 246.1 (now 246.2).

>
> I think the ipa-cacert-manage man page is missing one really important
> piece: why would you ever need to run this? And when?

Added a paragraph about this.

>
> The renewal was failing on the replica due to SELinux failures:
>
> # ausearch -m AVC -ts recent
> ----
> time->Mon Mar 21 11:00:05 2016
> type=SYSCALL msg=audit(1458572405.859:828): arch=c000003e syscall=59
> success=no exit=-13 a0=c687c0 a1=c688c0 a2=c66e40 a3=7ffff0a46120
> items=0 ppid=4172 pid=4173 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sh"
> exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(1458572405.859:828): avc:  denied  { execute } for
> pid=4173 comm="sh" name="ldconfig" dev="dm-1" ino=134149
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

All of the ldconfig-related denials do not seem to affect anything.

> ----
> time->Mon Mar 21 11:00:06 2016
> type=SYSCALL msg=audit(1458572406.334:834): arch=c000003e syscall=2
> success=no exit=-13 a0=315f900 a1=0 a2=1b6 a3=7fffbfef2060 items=0
> ppid=3672 pid=4168 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="dogtag-ipa-ca-r"
> exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(1458572406.334:834): avc:  denied  { read } for
> pid=4168 comm="dogtag-ipa-ca-r" name="sysupgrade.state" dev="dm-1"
> ino=276510 scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
> ----
> time->Mon Mar 21 11:00:07 2016
> type=SYSCALL msg=audit(1458572407.378:835): arch=c000003e syscall=2
> success=no exit=-13 a0=2c98030 a1=0 a2=1b6 a3=7fffbfef2450 items=0
> ppid=3672 pid=4168 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="dogtag-ipa-ca-r"
> exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(1458572407.378:835): avc:  denied  { read } for
> pid=4168 comm="dogtag-ipa-ca-r" name="sysrestore.state" dev="dm-1"
> ino=273976 scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

I haven't seen these two on my system, probably unrelated.

> ----
> time->Mon Mar 21 11:00:07 2016
> type=SYSCALL msg=audit(1458572407.385:836): arch=c000003e syscall=42
> success=no exit=-13 a0=4 a1=7fffbfef24f0 a2=6e a3=7fffbfef24f2 items=0
> ppid=3672 pid=4168 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="dogtag-ipa-ca-r"
> exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(1458572407.385:836): avc:  denied  { write } for
> pid=4168 comm="dogtag-ipa-ca-r" name="slapd-GREYOAK-COM.socket"
> dev="tmpfs" ino=53896 scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file

Weird, I haven't seen this before.

>
> Mar 21 11:07:00 sif.greyoak.com dogtag-ipa-ca-renew-agent-submit[4337]:
> Traceback (most recent call last):
> File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line
> 299, in <module>
> sys.exit(main())
> File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line
> 288, in main
> if ca.is_renewal_master():
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1548, in is_renewal_master
> self.ldap_connect()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 118, in ldap_connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1727,
> in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1713,
> in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1699,
> in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173,
> in wait_for_open_socket
> raise e
> error: [Errno 13] Permission denied
> Mar 21 11:07:00 sif.greyoak.com certmonger[3672]: 2016-03-21 11:07:00
> [3672] Internal error
>
> I updated selinux-policy but I'm not seeing the certs added consistently
> to ca_renewal so there is nothing to do, so it sits in CA_WORKING. I
> verified it isn't a replication issue, the replication is working fine,
> the certs just weren't pushed.

Fixed renewal scripts not to use ldapi, see patch 264.

Also fixed certificate retrieval from LDAP to check if the certificate 
was actually renewed, see patch 265.

>
> Here is what syslog on the initial master has to say about it. The
> strange part is the references to dogtag-ipa-renew-agent:

That's normal, dogtag-ipa-ca-renew-agent forwards "real" certificate 
requests to dogtag-ipa-renew-agent (hence the similar name).

Updated and rebased, as well as new (263-265) patches attached.

-- 
Jan Cholasta
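The AVC records quoted above, as an added triage example that is not part of the thread's patches: it pairs each AVC record with its SYSCALL record by audit event id, flags the certmonger_t write to the dirsrv socket that explains the "[Errno 13] Permission denied" in the helper traceback, and separates out the ldconfig denials the reply calls harmless. The sample records are constructed from the quoted ausearch output, and the blocking/noise rules are this example's assumptions, not certmonger's or FreeIPA's.

```python
import re
from collections import defaultdict

# Constructed sample records (trimmed to the fields used here), mirroring the ausearch output quoted above.
SAMPLE = """\
type=SYSCALL msg=audit(1458572405.859:828): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1458572405.859:828): avc:  denied  { execute } for pid=4173 comm="sh" name="ldconfig" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(1458572407.385:836): arch=c000003e syscall=42 success=no exit=-13 comm="dogtag-ipa-ca-r" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1458572407.385:836): avc:  denied  { write } for pid=4168 comm="dogtag-ipa-ca-r" name="slapd-GREYOAK-COM.socket" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
"""
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
NOISE_TARGET_TYPES = {"ldconfig_exec_t"}  # denials the reply above calls harmless for renewal (assumption)
selinux_type = lambda ctx: ctx.split(":")[2]  # 'u:r:dirsrv_var_run_t:s0' -> 'dirsrv_var_run_t'


def parse_audit(text):
    """Group SYSCALL and AVC records by their shared audit event id (timestamp:serial)."""
    events = defaultdict(lambda: {"syscall": {}, "avcs": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----" separators and "time->" lines carry no fields
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        if m.group("type") == "AVC":
            perms = PERMS_RE.search(m.group("rest"))
            fields["perms"] = tuple(perms.group(1).split()) if perms else ()
            events[m.group("event")]["avcs"].append(fields)
        elif m.group("type") == "SYSCALL":
            events[m.group("event")]["syscall"] = fields
    return dict(events)


def triage(events):
    """Split denials into blocking (certmonger_t writing a dirsrv sock_file), noise, other."""
    result = {"blocking": [], "noise": [], "other": []}
    for event_id, ev in sorted(events.items()):
        exe = ev["syscall"].get("exe", "?")  # the paired SYSCALL record names the binary
        for avc in ev["avcs"]:
            target = selinux_type(avc["tcontext"])
            entry = (event_id, exe, avc["perms"], target)
            if (selinux_type(avc["scontext"]) == "certmonger_t"
                    and target == "dirsrv_var_run_t" and avc["tclass"] == "sock_file"):
                result["blocking"].append(entry)
            elif target in NOISE_TARGET_TYPES:
                result["noise"].append(entry)
            else:
                result["other"].append(entry)
    return result
```

Feed it the real `ausearch -m AVC -ts recent` output from the replica to see which denials actually stop the renewal helper and which are background noise.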
-------------- next part --------------
Attached patches (text/x-patch; the archive scrubbed each as a non-text attachment):

freeipa-jcholast-241.2-Add-function-for-checking-if-certificate-is-self-sig.patch (897 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment.bin>
freeipa-jcholast-242.2-Support-CA-certificate-renewal-in-dogtag-ipa-ca-rene.patch (2920 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0001.bin>
freeipa-jcholast-243.2-Allow-IPA-master-hosts-to-update-CA-certificate-in-L.patch (1130 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0002.bin>
freeipa-jcholast-244.2-Automatically-update-CA-certificate-in-LDAP-on-renew.patch (2304 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0003.bin>
freeipa-jcholast-245.2-Track-CA-certificate-using-dogtag-ipa-ca-renew-agent.patch (5096 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0004.bin>
freeipa-jcholast-246.2-Add-method-for-setting-CA-renewal-master-in-LDAP-to-.patch (2473 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0005.bin>
freeipa-jcholast-247.2-Provide-additional-functions-to-ipapython.certmonger.patch (2106 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0006.bin>
freeipa-jcholast-248.2-Move-external-cert-validation-from-ipa-server-instal.patch (6022 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0007.bin>
freeipa-jcholast-249.2-Add-method-for-verifying-CA-certificates-to-NSSDatab.patch (2036 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0008.bin>
freeipa-jcholast-250.2-Add-permissions-for-CA-certificate-renewal.patch (2917 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0009.bin>
freeipa-jcholast-251.2-Add-CA-certificate-management-tool-ipa-cacert-manage.patch (16832 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0010.bin>
freeipa-jcholast-252.2-Alert-user-when-externally-signed-CA-is-about-to-exp.patch (1713 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0011.bin>
freeipa-jcholast-253.2-Load-sysupgrade.state-on-demand.patch (1349 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0012.bin>
freeipa-jcholast-262.1-Pick-new-CA-renewal-master-when-deleting-a-replica.patch (3780 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0013.bin>
freeipa-jcholast-263-Remove-master-ACIs-when-deleting-a-replica.patch (2654 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0014.bin>
freeipa-jcholast-264-Do-not-use-ldapi-in-certificate-renewal-scripts.patch (11904 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0015.bin>
freeipa-jcholast-265-Check-that-renewed-certificates-coming-from-LDAP-are.patch (1874 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140416/89c829ea/attachment-0016.bin>