[Freeipa-devel] [PATCH] 383 Check subject name encoding in ipa-cacert-manage renew
Jan Cholasta
jcholast at redhat.com
Fri Dec 5 10:34:32 UTC 2014
Dne 5.12.2014 v 09:03 Martin Kosek napsal(a):
> On 12/04/2014 09:36 AM, Jan Cholasta wrote:
>> + if x509.get_der_subject(cert, x509.DER) != der_subject:
>> + raise admintool.ScriptError("Subject name encoding
>> mismatch")
>
> I think we can expect this to be a pretty common error, given this is
> the default behavior of Microsoft Certificate Services. I would thus
> like to make the error message more juicy.
>
> We need to make sure we offer some pointers for these users or they will
> just blame IPA for screwing up. So, the information I wrote
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
>
> need to somehow get to the error message as a potential/likely root
> cause of the problem. Whether you write it in the error message itself
> or update the design page and just insert a link is up to you.
>
> Martin
I would rather document this and have users read the documentation,
which they should do anyway when something goes wrong. There are many
errors in IPA which are common and users may blame IPA for them and I
don't see what makes this one so special that it should require a
special treatment.
Anyway, I have created
<http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
Honza
--
Jan Cholasta
More information about the Freeipa-devel
mailing list