[Freeipa-devel] [PATCH] 383 Check subject name encoding in ipa-cacert-manage renew

Jan Cholasta jcholast at redhat.com
Tue Dec 9 12:56:37 UTC 2014


On 5.12.2014 at 12:01, Jan Cholasta wrote:
> On 5.12.2014 at 11:43, Martin Kosek wrote:
>> On 12/05/2014 11:34 AM, Jan Cholasta wrote:
>>> On 5.12.2014 at 09:03, Martin Kosek wrote:
>>>> On 12/04/2014 09:36 AM, Jan Cholasta wrote:
>>>>> +            if x509.get_der_subject(cert, x509.DER) != der_subject:
>>>>> +                raise admintool.ScriptError("Subject name encoding
>>>>> mismatch")
>>>>
>>>> I think we can expect this to be a pretty common error, given this is
>>>> the default behavior of Microsoft Certificate Services. I would thus
>>>> like to make the error message more juicy.
>>>>
>>>> We need to make sure we offer some pointers for these users or they
>>>> will just blame IPA for screwing up. So, the information I wrote
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
>>>>
>>>> needs to somehow get to the error message as a potential/likely root
>>>> cause of the problem. Whether you write it in the error message itself
>>>> or update the design page and just insert a link is up to you.
>>>>
>>>> Martin
>>>
>>> I would rather document this and have users read the documentation,
>>> which they should do anyway when something goes wrong. There are many
>>> errors in IPA which are common and users may blame IPA for them, and I
>>> don't see what makes this one so special that it should require special
>>> treatment.
>>
>> I saw several reasons:
>> - Certificate & installation errors are more common than the others and
>> users are usually quite lost in what to do with them.
>> - In this case, we know with 90% probability what the root cause is.
>> - It will block one of the main use cases for the new CA renewal tool
>> and people will likely hit it, as MS CA is one of the most common CAs
>> and this is its default behavior.
>>
>> Giving more details in this case will not hurt us, but benefit users. So
>> I still do not see the harm.
>
> I do not see a harm either, my point is that we should probably point
> the user to documentation when *anything* in *any* script goes wrong,
> not just when some arbitrarily cherry-picked error occurs.
>
>>
>>> Anyway, I have created
>>> <http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
>>>
>>>
>>
>> Good. Do you plan to reference the section or enhance the error message?
>
> I plan to reference <http://www.freeipa.org/page/Troubleshooting>.

See the attached patch (385).

>
>>
>> Martin
>
>

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-385-Refer-the-user-to-freeipa.org-when-something-goes-wr.patch
Type: text/x-patch
Size: 1121 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141209/c8fc224a/attachment.bin>
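The check quoted at the top of this thread compares the DER encoding of the certificate's subject with the DER encoding IPA requested, so two subjects that print identically can still fail. The following is an added example, not FreeIPA's code and not the attached patch: a minimal DER encoder and decoder for an X.509 Name with a single commonName, used to show such a mismatch and to produce the more descriptive message the thread argues for. It assumes, as an illustration, that the external CA re-encoded the attribute value with a different ASN.1 string type (PrintableString vs UTF8String); the sample subject is constructed.

```python
# Added example (not FreeIPA code): a minimal DER encoder/decoder for an
# X.509 Name holding a single commonName, used to show why a byte-for-byte
# subject comparison (as in the patch) can fail for subjects that print
# identically. Assumption: the external CA re-encodes the attribute value
# with a different ASN.1 string type (PrintableString vs UTF8String).

OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # OID 2.5.4.3 (commonName)
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06
TAG_UTF8_STRING = 0x0C
TAG_PRINTABLE_STRING = 0x13

STRING_TAG_NAMES = {TAG_UTF8_STRING: "UTF8String",
                    TAG_PRINTABLE_STRING: "PrintableString"}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(value)) + value


def encode_cn_name(cn, string_tag):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue."""
    atv = der_tlv(TAG_SEQUENCE,
                  der_tlv(TAG_OID, OID_COMMON_NAME)
                  + der_tlv(string_tag, cn.encode("utf-8")))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SET, atv))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_cn_name(der):
    """Inverse of encode_cn_name: returns (cn, string_tag)."""
    tag, rdns, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name is not a SEQUENCE")
    tag, atvs, _ = _read_tlv(rdns, 0)
    if tag != TAG_SET:
        raise ValueError("RDN is not a SET")
    tag, atv, _ = _read_tlv(atvs, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
    tag, oid, pos = _read_tlv(atv, 0)
    if tag != TAG_OID or oid != OID_COMMON_NAME:
        raise ValueError("only a single commonName is supported here")
    string_tag, value, _ = _read_tlv(atv, pos)
    return value.decode("utf-8"), string_tag


def subject_text(der):
    """Printable form, which hides the string-type difference."""
    return "CN=" + decode_cn_name(der)[0]


def check_subject_encoding(expected_der, cert_subject_der):
    """Byte comparison as in the patch, but with a message that names the
    expected and actual string types so the user sees it is a re-encoding
    by the issuing CA and not a different subject. Returns None on match."""
    if cert_subject_der == expected_der:
        return None
    exp_cn, exp_tag = decode_cn_name(expected_der)
    got_cn, got_tag = decode_cn_name(cert_subject_der)
    return ("Subject name encoding mismatch: expected CN=%s as %s, "
            "certificate has CN=%s as %s"
            % (exp_cn, STRING_TAG_NAMES.get(exp_tag, hex(exp_tag)),
               got_cn, STRING_TAG_NAMES.get(got_tag, hex(got_tag))))


if __name__ == "__main__":
    # Constructed sample: the subject as requested vs. what a CA that
    # prefers UTF8String would put into the signed certificate.
    requested = encode_cn_name("Certificate Authority", TAG_PRINTABLE_STRING)
    issued = encode_cn_name("Certificate Authority", TAG_UTF8_STRING)
    print(subject_text(requested) == subject_text(issued))  # True
    print(check_subject_encoding(requested, issued))
```

The textual subjects compare equal while the DER blobs differ in a single tag byte per attribute value, which is exactly the situation a plain "mismatch" message cannot explain; naming both string types in the error is what points the user at the issuing CA rather than at IPA.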