[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

Jan Cholasta jcholast at redhat.com
Thu May 15 15:46:53 UTC 2014


On 25.4.2014 10:51, Jan Cholasta wrote:
> On 24.4.2014 23:16, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 10.4.2014 22:06, Rob Crittenden wrote:
>>>> Some in-line, a whole ton of data appended to end.
>>>>
>>>> Jan Cholasta wrote:
>>>>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>>
>>>>>>> 247
>>>>>>>
>>>>>>> We've been burned by hardcoded timeouts in the past. Should this be
>>>>>>> configurable? This module doesn't currently do any logging but it
>>>>>>> might
>>>>>>> be worth spitting out a "waiting" message, at least for debugging.
>>>>>
>>>>> Added a timeout argument.
>>>>
>>>> Did you forget to send this one, I didn't see an update to 247.
>>>
>>> Are you sure you have 247.1 (now 247.2)?
>>>
>>> I can see at
>>> <http://www.redhat.com/archives/freeipa-devel/2014-April/msg00225.html>
>>> that I have sent the correct version of the patches.
>>
>> The call has a timeout, the callers don't use it. I guess it'll do for
>> now, but these almost always come back to bite us.
>
> Well, I can add --certmonger-timeout option to ipa-cacert-manage, if
> that's what you want.
>
>>
>>>
>>>>>>>
>>>>>>> 251
>>>>>>>
>>>>>>> The tool should provide some feedback while it's running. For the
>>>>>>> impatient (me) it takes a really long time and it's hard to know
>>>>>>> what is
>>>>>>> going on, something in between nothing and full debug output.
>>>>>
>>>>> Added some messages about what's going on.
>>>>
>>>> I don't see an update to 251 either.
>>>
>>> Please make sure you have 251.1 (now 251.2).
>>
>> There is a little bit more output but there are still very long periods
>> of waiting between any visual activity, particularly when doing it on an
>> IPA self-signed CA.
>
> This stuff takes time :-) What would you like to see in the output,
> that's not already there?
>
>>>>
>>>> I think the ipa-cacert-manage man page is missing one really important
>>>> piece: why would you ever need to run this? And when?
>>>
>>> Added a paragraph about this.
>>
>> It's better, couple of comments:
>>
>> Add "the" in between renew and CA in "used to manually renew CA
>> certificate of" and "When IPA CA...".
>
> OK.
>
>> I haven't had any luck renewing
>> the CA certificate yet. I see that it is tracked now. I started moving
>> the system clock forward in order to get to renewal and about the 3rd
>> iteration the requests started failing with an XML error. Did you see
>> this?
>>
>> [Thu Apr 21 11:08:49.929486 2016] [:error] [pid 11692] Traceback (most
>> recent call last):
>> [Thu Apr 21 11:08:49.929489 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 344, in
>> wsgi_execute
>> [Thu Apr 21 11:08:49.929493 2016] [:error] [pid 11692]     result =
>> self.Command[name](*args, **options)
>> [Thu Apr 21 11:08:49.929496 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
>> __call__
>> [Thu Apr 21 11:08:49.929499 2016] [:error] [pid 11692]     ret =
>> self.run(*args, **options)
>> [Thu Apr 21 11:08:49.929503 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
>> [Thu Apr 21 11:08:49.929506 2016] [:error] [pid 11692]     result =
>> self.execute(*args, **options)
>> [Thu Apr 21 11:08:49.929509 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 382, in
>> execute
>> [Thu Apr 21 11:08:49.929512 2016] [:error] [pid 11692]     result =
>> api.Command['cert_show'](unicode(serial))['result']
>> [Thu Apr 21 11:08:49.929516 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
>> __call__
>> [Thu Apr 21 11:08:49.929519 2016] [:error] [pid 11692]     ret =
>> self.run(*args, **options)
>> [Thu Apr 21 11:08:49.930559 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
>> [Thu Apr 21 11:08:49.930567 2016] [:error] [pid 11692]     result =
>> self.execute(*args, **options)
>> [Thu Apr 21 11:08:49.930570 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 514, in
>> execute
>> [Thu Apr 21 11:08:49.930573 2016] [:error] [pid 11692]
>> result=self.Backend.ra.get_certificate(serial_number)
>> [Thu Apr 21 11:08:49.930577 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
>> 1502, in get_certificate
>> [Thu Apr 21 11:08:49.930580 2016] [:error] [pid 11692]     parse_result
>> = self.get_parse_result_xml(http_body, parse_display_cert_xml)
>> [Thu Apr 21 11:08:49.930591 2016] [:error] [pid 11692]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
>> 1363, in get_parse_result_xml
>> [Thu Apr 21 11:08:49.930594 2016] [:error] [pid 11692]     doc =
>> etree.fromstring(xml_text, parser)
>> [Thu Apr 21 11:08:49.930598 2016] [:error] [pid 11692]   File
>> "lxml.etree.pyx", line 3032, in lxml.etree.fromstring
>> (src/lxml/lxml.etree.c:68129)
>> [Thu Apr 21 11:08:49.930601 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 1785, in lxml.etree._parseMemoryDocument
>> (src/lxml/lxml.etree.c:102493)
>> [Thu Apr 21 11:08:49.930604 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 1673, in lxml.etree._parseDoc
>> (src/lxml/lxml.etree.c:101322)
>> [Thu Apr 21 11:08:49.930607 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 1074, in lxml.etree._BaseParser._parseDoc
>> (src/lxml/lxml.etree.c:96504)
>> [Thu Apr 21 11:08:49.930611 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 582, in
>> lxml.etree._ParserContext._handleParseResultDoc
>> (src/lxml/lxml.etree.c:91308)
>> [Thu Apr 21 11:08:49.930614 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 683, in lxml.etree._handleParseResult
>> (src/lxml/lxml.etree.c:92494)
>> [Thu Apr 21 11:08:49.930617 2016] [:error] [pid 11692]   File
>> "parser.pxi", line 633, in lxml.etree._raiseParseError
>> (src/lxml/lxml.etree.c:91957)
>> [Thu Apr 21 11:08:49.930621 2016] [:error] [pid 11692] XMLSyntaxError:
>> None
>> [Thu Apr 21 11:08:49.930829 2016] [:error] [pid 11692] ipa: INFO:
>> [xmlserver] host/lyra.greyoak.com at GREYOAK.COM:
>> cert_request(u'[...]
>> 3VCtgMvPVk
>> 3k4qYBz6/2B8PEeQY2/W5CULkfjqJhDxr0qodiYAc8GOyHMDpymfC3+QUIXkmoy94USRS2x8CMvzq8h1tpBPcXAei6waohTJtO33o79iVNbeLIif3RD22dghPx3JvEB4FXWQv6IylXGyJb6NRRneI4R8Ko0xCA9xiyPegfDgiQEUUSCtJ/Qr9/OpytFgrpJHSTd8n9DzLbRO5FQW4yS45A8xp5WkJCU5IslIon6luf9v5eNCVsIp7EPgaQ==',
>>
>> principal=u'HTTP/lyra.greyoak.com at GREYOAK.COM', add=True,
>> version=u'2.51'): XMLSyntaxError
>
> I have never seen this. The error message does not say much... Is there
> anything interesting in other logs?

I was able to get the CA certificate to be renewed after moving system 
time forward step by step.

One thing I haven't noticed before is that the renewed certificate's 
validity never exceeds that of the original certificate. This is most 
likely a Dogtag issue (something along the lines of "certificate validity 
cannot exceed validity of the CA certificate", except it shouldn't apply 
to the CA certificate itself).

There were other issues here and there, all of which were caused by race 
conditions between concurrent renewals (unreachable CA, XML syntax 
errors, etc., because Dogtag was stopped by stop_pkicad in another 
request; CMS internal error because it used the old subsystem cert to 
authenticate to LDAP while the cert was being renewed; etc.), and all of 
them could be fixed by restarting the relevant IPA services and resubmitting 
the requests manually. Some synchronization is really missing there.

>
>>
>> I noticed that in the external CA case we still have certmonger tracking
>> the CA. What will it do at expiration?
>
> It syslogs the message in patch 252, for lack of a better notification
> mechanism.
>
>>
>> /etc/ipa/ca.crt isn't being updated on renewal.
>
> That will be dealt with in the next batch of patches.
>
>>
>> rob
>
>


-- 
Jan Cholasta
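The 247 discussion above is about waiting on certmonger with a caller-supplied timeout instead of a hardcoded one, and about printing a "waiting" message while doing so. The following is an added example written for this page, not code from the thread or from FreeIPA or certmonger: a polling helper whose timeout is a required argument, which logs each state change and periodic progress, and which distinguishes success, failure and timeout. The `get_state` callback and the scripted `simulate` input are constructed; the state names used are an abbreviated set of certmonger's request states as the author of this example recalls them, not taken from the thread.

```python
import logging
import time

log = logging.getLogger("cacert-renew")

# Abbreviated set of certmonger request states (assumption: not quoted from
# the thread or from certmonger's source). MONITORING means the cert was
# issued and is being tracked; the others mean the request will not progress
# on its own.
DONE_STATES = frozenset({"MONITORING"})
FAILED_STATES = frozenset({"CA_UNREACHABLE", "CA_REJECTED", "NEED_GUIDANCE"})


class RenewalTimeout(Exception):
    """Raised when the request did not reach a terminal state in time."""


def wait_for_request(get_state, timeout, interval=5,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll get_state() until it returns a terminal state or timeout expires.

    timeout (seconds) is mandatory, so the caller decides how long to wait
    instead of the module hardcoding it. clock and sleep are injectable so
    the behaviour can be exercised without real waiting.
    Returns the terminal state; raises RuntimeError on a failed state and
    RenewalTimeout when the deadline passes.
    """
    if timeout <= 0:
        raise ValueError("timeout must be positive")
    deadline = clock() + timeout
    last = None
    while True:
        state = get_state()
        if state != last:
            # Only log transitions, so a long wait does not flood the log.
            log.info("request state: %s", state)
            last = state
        if state in DONE_STATES:
            return state
        if state in FAILED_STATES:
            raise RuntimeError("renewal failed in state %s" % state)
        remaining = deadline - clock()
        if remaining <= 0:
            raise RenewalTimeout("no terminal state after %d seconds "
                                 "(last state: %s)" % (timeout, state))
        # The "waiting" message the review asked for, with time left.
        log.info("waiting for certmonger (%d s left)...", remaining)
        sleep(min(interval, remaining))


class FakeClock:
    """Constructed clock for the demo: sleep advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(states, timeout, interval=5):
    """Run wait_for_request against a scripted state sequence (constructed input).

    The last state in the list is repeated once the list is exhausted.
    Returns (terminal_state, simulated_seconds_elapsed).
    """
    it = iter(states)
    current = [None]

    def get_state():
        try:
            current[0] = next(it)
        except StopIteration:
            pass
        return current[0]

    clk = FakeClock()
    state = wait_for_request(get_state, timeout, interval,
                             clock=clk, sleep=clk.sleep)
    return state, clk.now


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(simulate(["SUBMITTING", "CA_WORKING", "MONITORING"], timeout=60))
    try:
        simulate(["CA_WORKING"], timeout=12)
    except RenewalTimeout as e:
        print("timeout:", e)
```

Running it stand-alone shows two state transitions and two waiting messages before MONITORING is reached after 10 simulated seconds, and then a timeout after 12 seconds for a request that never leaves CA_WORKING; the last sleep is clipped to the remaining time rather than overshooting the deadline.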