[Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn
Petr Viktorin
pviktori at redhat.com
Wed Aug 13 13:12:17 UTC 2014
On 08/08/2014 11:50 AM, Jan Cholasta wrote:
> Dne 8.8.2014 v 11:20 Martin Kosek napsal(a):
>> On 08/08/2014 10:55 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4397>.
>>>
>>> Honza
>>
>> Thanks! I did not test, just have a couple of questions/suggestions:
>>
>> 1) Are we testing that the certificate is in the proper format, e.g. is
>> not PKCS7 already? We need to error out properly then.
>
> Yes, in ipa-server-install.
>
>>
>> 2) Are ipa-server-install --help options as informative as possible?
>> --external-ca installation is tricky, we need to make sure that there is
>> no doubt about what the input is.
>
> I amended them a little bit.
>
>>
>> 3) We may want to add instructions on how to convert PKCS#7 -> PEM to
>> "man ipa-server-install" too.
>
> Added.
>
>>
>> Martin
>>
>
> Updated patch attached.
>
Hello,
This works for me, but I'm not sure if I'm correctly reproducing the
specific scenario this patch fixes. So as always, can you please add
tests for code you write?
As far as other scenarios, it seems to me that when I do something wrong
I get a very unhelpful error message late in the installation.
I tried signing the request using xca but pkispawn choked on the result;
I'll try to write a reproducer script using command-line tools.
Attached is a script (based on the external ca integration test) that
reproduces the same IndexError as mentioned in the ticket. (If
necessary, adjust the IP addresses, hostnames, etc. to fit your
environment.)
The difference from a working script is that extensions aren't added to
the IPA cert when it's signed.
--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: index-error-reproducer.sh
Type: application/x-shellscript
Size: 2844 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140813/8509ad0b/attachment.bin>
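The format check Martin asks about in point 1), as an added example that is not FreeIPA's code: it classifies the external CA chain file by its PEM labels or, for DER input, by the first element of the outer SEQUENCE (an OID of signedData means PKCS#7, a nested SEQUENCE means a certificate), and refuses anything but PEM certificates with a message naming the openssl conversion the thread proposes documenting. The sample inputs are constructed stubs, not real certificates; the function and constant names are my own.

```python
import re

# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), as DER-encoded contents
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")
PEM_LABEL_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# Constructed samples (not real certificates): only the structure the detector inspects
SAMPLE_PEM_CHAIN = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_PKCS7 = b"-----BEGIN PKCS7-----\nMIIB...\n-----END PKCS7-----\n"
SAMPLE_DER_PKCS7 = bytes.fromhex("300b0609") + SIGNED_DATA_OID  # ContentInfo header
SAMPLE_DER_CERT = bytes.fromhex("30053003020102")               # SEQUENCE { SEQUENCE { INT 2 } }

def _first_der_child(data):
    """Return (tag, contents) of the first element inside the outer DER SEQUENCE, or None."""
    def read_len(i):
        if data[i] < 0x80:
            return data[i], i + 1            # short-form length
        n = data[i] & 0x7F                   # long-form: next n bytes hold the length
        return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
    try:
        if len(data) < 4 or data[0] != 0x30:
            return None
        _, i = read_len(1)                   # skip the outer SEQUENCE header
        tag, (length, start) = data[i], read_len(i + 1)
        return tag, data[start:start + length]
    except IndexError:                       # truncated header
        return None

def detect_chain_format(data):
    """Classify as 'pem-certs', 'pem-pkcs7', 'der-cert', 'der-pkcs7' or 'unknown'."""
    labels = set(PEM_LABEL_RE.findall(data))
    if labels:
        if labels == {b"CERTIFICATE"}:
            return "pem-certs"
        return "pem-pkcs7" if b"PKCS7" in labels else "unknown"
    child = _first_der_child(data)
    if child is None:
        return "unknown"
    tag, contents = child
    if tag == 0x06 and contents == SIGNED_DATA_OID:
        return "der-pkcs7"   # ContentInfo whose contentType is signedData
    if tag == 0x30:
        return "der-cert"    # Certificate begins with the tbsCertificate SEQUENCE
    return "unknown"

def check_external_ca_chain(data):
    """Accept only a PEM chain; otherwise fail early with a message that says how to convert."""
    fmt = detect_chain_format(data)
    if fmt == "pem-certs":
        return fmt
    raise ValueError(
        f"external CA chain is in {fmt} format, expected PEM certificates; "
        "for PKCS#7 input convert with: openssl pkcs7 -print_certs -in chain.p7b -out chain.pem")
```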