[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

Rob Crittenden rcritten at redhat.com
Fri Apr 25 13:10:17 UTC 2014

Petr Viktorin wrote:
> On 04/24/2014 11:16 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 10.4.2014 22:06, Rob Crittenden wrote:
>>>> Some in-line, a whole ton of data appended to end.
>>>> Jan Cholasta wrote:
>>>>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
> [...]
>>>>>>> $ ipa-cacert-manage -v renew
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 168, in execute
>>>>>>>     self.validate_options()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 62, in validate_options
>>>>>>>     super(CACertManage, self).validate_options(needs_root=True)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 189, in validate_options
>>>>>>>     raise ScriptError('Must be root to run %s' % self.command_name, 1)
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Must be root to run ipa-cacert-manage
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be root to run ipa-cacert-manage
>>>>> That's correct, you can run it only as root, because you can't
>>>>> resubmit certmonger requests as a regular user.
>>>> Yes but one shouldn't get a traceback!
>>> You get the traceback only in verbose mode. I did not invent this, it's
>>> how ipapython.admintool does things.
>> Ok, I'll blame Petr.
> In verbose mode you get all the debugging information that's written to
> logs, and that includes the tracebacks. I stand by this decision.
> If the command is normally so quiet that you need the -v flag for normal
> operation, that's a problem. Log interesting messages at INFO.
> http://www.freeipa.org/page/V3/Logging_and_output#Design

Well, it's just that the traceback is caught and handled, so it seems 
odd that it is reported. Then again, this is useful for the case of too 
broad an except, so as usual I have mixed feelings.

I think long-term we need to provide some mid-level solution, more info 
without spamming with everything. The cacert command takes a REALLY long 
time, and my twitchy fingers nearly killed it a number of times. We have 
other commands that do similarly long-lived things with no feedback 
(separate from things that go over the JSON/XML api).

If I can come up with any concrete ideas I'll file a ticket, but reserve 
the right to whine and complain in the meantime.
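The logging convention Petr describes (traceback of a caught ScriptError at DEBUG, the plain message at ERROR, DEBUG records reaching the console only with -v) as an added, stand-alone illustration; this is not ipapython.admintool code, and `cacert_demo`, `validate_options`, `execute` and `run` are hypothetical stand-ins:

```python
import io
import logging


class ScriptError(Exception):
    """Error that ends the command with a message and an exit code."""

    def __init__(self, msg, rval=1):
        super().__init__(msg)
        self.rval = rval


def configure_logging(verbose, stream):
    """With -v the console handler passes DEBUG records (and thus
    tracebacks); otherwise only INFO and above are shown."""
    log = logging.getLogger("cacert_demo")
    log.handlers.clear()
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setLevel(logging.DEBUG if verbose else logging.INFO)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    log.addHandler(handler)
    return log


def validate_options(needs_root, euid):
    # Hypothetical stand-in for admintool's needs_root check.
    if needs_root and euid != 0:
        raise ScriptError("Must be root to run cacert-demo", 1)


def execute(verbose, euid, stream):
    """Run the command; returns the process exit code."""
    log = configure_logging(verbose, stream)
    try:
        validate_options(needs_root=True, euid=euid)
        log.info("renewal request submitted; this can take a long time")
        return 0
    except ScriptError as e:
        # The exception is handled here, yet its traceback is still recorded
        # at DEBUG (visible with -v) so an over-broad except is diagnosable...
        log.debug("The command failed, exception: %s", e, exc_info=True)
        # ...while the user always gets the plain message at ERROR.
        log.error("%s", e)
        return e.rval


def run(verbose, euid):
    """Helper for callers/tests: returns (exit code, console output)."""
    buf = io.StringIO()
    rval = execute(verbose, euid, buf)
    return rval, buf.getvalue()
```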

