[Freeipa-devel] [PATCH] 383 Check subject name encoding in ipa-cacert-manage renew

Wed Dec 10 16:53:25 UTC 2014

On 10/12/14 16:02, Martin Kosek wrote:
> On 12/10/2014 02:35 PM, Jan Cholasta wrote:
>> Dne 10.12.2014 v 11:53 Martin Kosek napsal(a):
>>> On 12/09/2014 01:56 PM, Jan Cholasta wrote:
>>>> Dne 5.12.2014 v 12:01 Jan Cholasta napsal(a):
>>>>> Dne 5.12.2014 v 11:43 Martin Kosek napsal(a):
>>>>>> On 12/05/2014 11:34 AM, Jan Cholasta wrote:
>>>>>>> Dne 5.12.2014 v 09:03 Martin Kosek napsal(a):
>>>>>>>> On 12/04/2014 09:36 AM, Jan Cholasta wrote:
>>>>>>>>> +            if x509.get_der_subject(cert, x509.DER) != der_subject:
>>>>>>>>> +                raise admintool.ScriptError("Subject name encoding
>>>>>>>>> mismatch")
>>>>>>>> I think we can expect this to be a pretty common error, given this is
>>>>>>>> the default behavior of Microsoft Certificate Services. I would thus
>>>>>>>> like to make the error message more juicy.
>>>>>>>>
>>>>>>>> We need to make sure we offer some pointers for these users or they
>>>>>>>> will
>>>>>>>> just blame IPA for screwing up. So, the information I wrote
>>>>>>>>
>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
>>>>>>>>
>>>>>>>> need to somehow get to the error message as a potential/likely root
>>>>>>>> cause of the problem. Whether you write it in the error message itself
>>>>>>>> or update the design page and just insert a link is up to you.
>>>>>>>>
>>>>>>>> Martin
>>>>>>> I would rather document this and have users read the documentation,
>>>>>>> which they
>>>>>>> should do anyway when something goes wrong. There are many errors in
>>>>>>> IPA which
>>>>>>> are common and users may blame IPA for them and I don't see what makes
>>>>>>> this one
>>>>>>> so special that it should require a special treatment.
>>>>>> I saw several reasons:
>>>>>> - Certificate&installation error are more common than the others and
>>>>>> users are usually quite lost in what to do with them.
>>>>>> - In this case, we know by 90% probability what is the root cause
>>>>>> - It will block one of the main use cases for the new CA renewal tool
>>>>>> and people will likely hit it as MS CAs is one of the most common CAs
>>>>>> and this is it's default behavior.
>>>>>>
>>>>>> Giving more details in this case will not hurt us, but benefit users. So
>>>>>> I still do not see the harm.
>>>>> I do not see a harm either, my point is that we should probably point
>>>>> the user to documentation when *anything* in *any* script goes wrong,
>>>>> not just when some arbitrarily cherry-picked error occurs.
>>>>>
>>>>>>> Anyway, I have created
>>>>>>> <http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Good. Do you plan to reference the section or enhance the error message?
>>>>> I plan to reference <http://www.freeipa.org/page/Troubleshooting>.
>>>> See the attached patch (385).
>>> I think the reference for the Troubleshooting page should be more narrow so
>>> that people only see the URL only for the cases we give specific advise for.
>>> Otherwise I assume they will just ignore the page if they do not find the
>>> advise for other errors.
>> Right, makes sense.
>>
>>> Other idea would be to give reference to the article when the actual CSR is
>>> generated - as a heads up.
>> I think referring to troubleshooting before there actually is some trouble is
>> not very good for publicity.
> Ah, that's a good point - in this purpose it would be better to have it
> somewhere else or only refer to the MS article.
>
>> Anyway, updated patch attached, it implements what you suggested originally -
>> link to the troubleshooting guide is added to relevant error messages. Let's
>> think about this in more broad terms when the time comes for the installer
>> refactoring.
> Ok. I am fine with the patch conceptually. So now just someone (David?) needs
> to make sure it did not break anything :-)
>
> Martin
>
ACK, seems it doesnt break anything.

-- 
Martin Basti