[Freeipa-devel] [PATCH] 383 Check subject name encoding in ipa-cacert-manage renew

Jan Cholasta jcholast at redhat.com
Fri Dec 5 11:01:33 UTC 2014


On 5.12.2014 at 11:43, Martin Kosek wrote:
> On 12/05/2014 11:34 AM, Jan Cholasta wrote:
>> On 5.12.2014 at 09:03, Martin Kosek wrote:
>>> On 12/04/2014 09:36 AM, Jan Cholasta wrote:
>>>> +            if x509.get_der_subject(cert, x509.DER) != der_subject:
>>>> +                raise admintool.ScriptError("Subject name encoding
>>>> mismatch")
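Review bot: the ScriptError raised when x509.get_der_subject(cert, x509.DER) differs from der_subject says only "Subject name encoding mismatch", which gives the user nothing to act on, while the comparison itself cannot distinguish a subject the issuing CA re-encoded from one that is genuinely different; consider decoding both DER subjects and naming the attribute that changed in the message, or at least pointing at http://www.freeipa.org/page/Troubleshooting, so the common external-CA case is recognisable without reading the source.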
>>>
>>> I think we can expect this to be a pretty common error, given this is
>>> the default behavior of Microsoft Certificate Services. I would thus
>>> like to make the error message more juicy.
>>>
>>> We need to make sure we offer some pointers for these users or they will
>>> just blame IPA for screwing up. So, the information I wrote
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
>>>
>>> needs to somehow get to the error message as a potential/likely root
>>> cause of the problem. Whether you write it in the error message itself
>>> or update the design page and just insert a link is up to you.
>>>
>>> Martin
>>
>> I would rather document this and have users read the documentation, which
>> they should do anyway when something goes wrong. There are many errors in
>> IPA which are common and users may blame IPA for them and I don't see what
>> makes this one so special that it should require a special treatment.
>
> I saw several reasons:
> - Certificate & installation errors are more common than the others and
> users are usually quite lost in what to do with them.
> - In this case, we know with 90% probability what the root cause is.
> - It will block one of the main use cases for the new CA renewal tool
> and people will likely hit it, as MS CA is one of the most common CAs
> and this is its default behavior.
>
> Giving more details in this case will not hurt us, but benefit users. So
> I still do not see the harm.

I do not see any harm either; my point is that we should probably point 
the user to documentation when *anything* in *any* script goes wrong, 
not just when some arbitrarily cherry-picked error occurs.

>
>> Anyway, I have created
>> <http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
>>
>
> Good. Do you plan to reference the section or enhance the error message?

I plan to reference <http://www.freeipa.org/page/Troubleshooting>.

>
> Martin


-- 
Jan Cholasta
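As an added illustration of the check discussed in this thread (this is example code, not FreeIPA's ipa-cacert-manage implementation), the snippet below decodes two DER-encoded X.501 subject Names with a minimal standard-library parser and turns the bare "Subject name encoding mismatch" into a message that names which attribute's string type the issuing CA changed. The sample Names at the bottom are constructed here by hand, and the assumption that the re-encoding is PrintableString versus UTF8String is mine; the thread only says the external CA re-encodes the subject by default.

```python
# Added example (not FreeIPA's code): decode two DER subject Names and
# report which attribute's ASN.1 string type differs, so the renewal check
# can tell the user what actually changed. Standard library only.

from typing import List, Tuple

# ASN.1 universal tags for the string types CAs commonly swap between.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String", 0x1E: "BMPString"}

# Dotted OID -> attribute short name (assumed small subset, enough for the demo).
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
# Reverse direction, used only by the sample builder below.
OID_DER = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; handles short and long length forms."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(der: bytes) -> List[Tuple[str, str, str]]:
    """Return [(attribute, string_type, text)] for a DER Name (SEQUENCE OF SET OF ATV)."""
    tag, rdns, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = _read_tlv(rdn, inner)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, p = _read_tlv(atv, 0)
            val_tag, val, _ = _read_tlv(atv, p)
            dotted = _decode_oid(oid)
            attr = OID_NAMES.get(dotted, dotted)
            stype = STRING_TAGS.get(val_tag, "tag 0x%02x" % val_tag)
            text = val.decode("utf-16-be") if val_tag == 0x1E else val.decode("utf-8", "replace")
            out.append((attr, stype, text))
    return out


def explain_mismatch(expected_der: bytes, actual_der: bytes) -> str:
    """Return '' if the two Names are byte-identical, else an actionable message."""
    if expected_der == actual_der:
        return ""
    exp, act = parse_name(expected_der), parse_name(actual_der)
    lines = ["Subject name encoding mismatch:"]
    for (a1, t1, v1), (a2, t2, v2) in zip(exp, act):
        if (a1, v1) == (a2, v2) and t1 != t2:
            lines.append("  %s=%r: expected %s, got %s" % (a1, v1, t1, t2))
        elif (a1, t1, v1) != (a2, t2, v2):
            lines.append("  expected %s=%r (%s), got %s=%r (%s)" % (a1, v1, t1, a2, v2, t2))
    if len(exp) != len(act):
        lines.append("  attribute count differs: %d vs %d" % (len(exp), len(act)))
    lines.append("  The issuing CA re-encoded the subject it was given; see "
                 "http://www.freeipa.org/page/Troubleshooting")
    return "\n".join(lines)


def check_subject_encoding(expected_der: bytes, actual_der: bytes) -> None:
    """Same comparison as the quoted patch, but the error names the cause."""
    msg = explain_mismatch(expected_der, actual_der)
    if msg:
        raise ValueError(msg)


def _tlv(tag: int, value: bytes) -> bytes:
    # Short-form length only: fine for the small constructed samples.
    return bytes([tag, len(value)]) + value


def build_name(attrs: List[Tuple[str, str]], string_tag: int) -> bytes:
    """Encode [(attr, text)] as a DER Name using one string type (sample data only)."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_DER[a]) + _tlv(string_tag, t.encode())))
        for a, t in attrs)
    return _tlv(0x30, rdns)


# Constructed samples: the subject as submitted (PrintableString) and as an
# external CA might re-encode it (UTF8String). The string types are an assumption.
SUBJECT_ATTRS = [("O", "EXAMPLE.TEST"), ("CN", "Certificate Authority")]
ORIGINAL_SUBJECT = build_name(SUBJECT_ATTRS, 0x13)
REISSUED_SUBJECT = build_name(SUBJECT_ATTRS, 0x0C)
```

Running `check_subject_encoding(ORIGINAL_SUBJECT, REISSUED_SUBJECT)` raises with a message listing `O` and `CN` as "expected PrintableString, got UTF8String" and the troubleshooting link, which is the kind of pointer the thread argues about; the byte comparison itself is unchanged from the quoted patch, only the explanation is added.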
