[Freeipa-devel] [PATCH] 383 Check subject name encoding in ipa-cacert-manage renew

Wed Dec 10 13:35:56 UTC 2014

Dne 10.12.2014 v 11:53 Martin Kosek napsal(a):
> On 12/09/2014 01:56 PM, Jan Cholasta wrote:
>> Dne 5.12.2014 v 12:01 Jan Cholasta napsal(a):
>>> Dne 5.12.2014 v 11:43 Martin Kosek napsal(a):
>>>> On 12/05/2014 11:34 AM, Jan Cholasta wrote:
>>>>> Dne 5.12.2014 v 09:03 Martin Kosek napsal(a):
>>>>>> On 12/04/2014 09:36 AM, Jan Cholasta wrote:
>>>>>>> +            if x509.get_der_subject(cert, x509.DER) != der_subject:
>>>>>>> +                raise admintool.ScriptError("Subject name encoding
>>>>>>> mismatch")
>>>>>>
>>>>>> I think we can expect this to be a pretty common error, given this is
>>>>>> the default behavior of Microsoft Certificate Services. I would thus
>>>>>> like to make the error message more juicy.
>>>>>>
>>>>>> We need to make sure we offer some pointers for these users or they
>>>>>> will
>>>>>> just blame IPA for screwing up. So, the information I wrote
>>>>>>
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
>>>>>>
>>>>>> need to somehow get to the error message as a potential/likely root
>>>>>> cause of the problem. Whether you write it in the error message itself
>>>>>> or update the design page and just insert a link is up to you.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> I would rather document this and have users read the documentation,
>>>>> which they
>>>>> should do anyway when something goes wrong. There are many errors in
>>>>> IPA which
>>>>> are common and users may blame IPA for them and I don't see what makes
>>>>> this one
>>>>> so special that it should require a special treatment.
>>>>
>>>> I saw several reasons:
>>>> - Certificate&installation error are more common than the others and
>>>> users are usually quite lost in what to do with them.
>>>> - In this case, we know by 90% probability what is the root cause
>>>> - It will block one of the main use cases for the new CA renewal tool
>>>> and people will likely hit it as MS CAs is one of the most common CAs
>>>> and this is it's default behavior.
>>>>
>>>> Giving more details in this case will not hurt us, but benefit users. So
>>>> I still do not see the harm.
>>>
>>> I do not see a harm either, my point is that we should probably point
>>> the user to documentation when *anything* in *any* script goes wrong,
>>> not just when some arbitrarily cherry-picked error occurs.
>>>
>>>>
>>>>> Anyway, I have created
>>>>> <http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
>>>>>
>>>>>
>>>>>
>>>>
>>>> Good. Do you plan to reference the section or enhance the error message?
>>>
>>> I plan to reference <http://www.freeipa.org/page/Troubleshooting>.
>>
>> See the attached patch (385).
>
> I think the reference for the Troubleshooting page should be more narrow so
> that people only see the URL only for the cases we give specific advise for.
> Otherwise I assume they will just ignore the page if they do not find the
> advise for other errors.

Right, makes sense.

>
> Other idea would be to give reference to the article when the actual CSR is
> generated - as a heads up.

I think referring to troubleshooting before there actually is some 
trouble is not very good for publicity.

Anyway, updated patch attached, it implements what you suggested 
originally - link to the troubleshooting guide is added to relevant 
error messages. Let's think about this in more broad terms when the time 
comes for the installer refactoring.

>
> Martin
>

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-385.1-Refer-the-user-to-freeipa.org-when-something-goes-wr.patch
Type: text/x-patch
Size: 3107 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141210/0afee655/attachment.bin>