[Freeipa-devel] [PATCHES] 336-339 Installer certificate options usability fixes
Petr Viktorin
pviktori at redhat.com
Fri Sep 26 15:15:00 UTC 2014
On 09/24/2014 06:13 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
> and <https://fedorahosted.org/freeipa/ticket/4489>.
>
> (Note that design page for this is TBD.)
>
> Honza
>
336:
Instead of
len(data[:match.start() + 1].splitlines())
you can do
data.count('\n', 0, match.start()) + 1
337:
The --external_cert_file and --external_ca_file options for
ipa-ca-install are removed; do we really want to do that? Shouldn't they
be deprecated instead?
Same for --external-ca-file in ipa-cacert-manage.
338: Looks OK
339: Looks OK
Could you add some docstrings to the functions you add? Sometimes it's
harder than necessary to decipher what they do and what the
arguments/return values mean exactly.
There is no user-visible documentation on what file types are
expected/supported. It would be good to add this to the man pages, or
the --help.
In external CA, the error message when specifying a certificate but not
the CA could be improved:
$ ipa-server-install --external_cert_file ~/p/Certificate_Authority_8.cer
...
CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in
/home/pviktori/p/Certificate_Authority_8.cer is not valid:
(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
For CA-less, I used a combination of files with which server
installation went well, but replica-install failed halfway through:
Console:
...
[16/36]: creating indices
[17/36]: enabling referential integrity plugin
[18/36]: configuring ssl for ds instance
[error] RuntimeError: incorrect password for pkcs#12 file
/tmp/tmp2vEWX_ipa/realm_info/dscert.p12
Log tail:
2014-09-26T15:05:43Z DEBUG Starting external process
2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d'
'/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i'
'/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k'
'/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w'
'/dev/stdin'
2014-09-26T15:05:43Z DEBUG Process finished, return code=17
2014-09-26T15:05:43Z DEBUG stdout=
2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified:
SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 370, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 360, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
600, in __enable_ssl
trust_flags=trust_flags)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 1030, in create_from_pkcs12
self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 971, in import_pkcs12
pkcs12_passwd=pkcs12_passwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 191, in import_pkcs12
pkcs12_filename)
RuntimeError: incorrect password for pkcs#12 file
/tmp/tmp2vEWX_ipa/realm_info/dscert.p12
2014-09-26T15:05:43Z DEBUG [error] RuntimeError: incorrect password
for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
2014-09-26T15:05:43Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 644, in run_script
return_value = main_function()
File "/sbin/ipa-replica-install", line 677, in main
ds = install_replica_ds(config)
File "/sbin/ipa-replica-install", line 190, in install_replica_ds
ca_file=config.dir + "/ca.crt",
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
354, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 370, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 360, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
600, in __enable_ssl
trust_flags=trust_flags)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 1030, in create_from_pkcs12
self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 971, in import_pkcs12
pkcs12_passwd=pkcs12_passwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 191, in import_pkcs12
pkcs12_filename)
2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: incorrect password for pkcs#12 file
/tmp/tmp2vEWX_ipa/realm_info/dscert.p12
I'll attach the files for reference; the options for ipa-server-install
and ipa-replica-prepare were:
--http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
--http-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem
--http-pin 12345678
--dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
--dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
--dirsrv-pin 12345678
--
Petr³
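Added example, not code from the patches or from FreeIPA itself: a small PEM-header scanner that reports the line number of each block using the count()-based expression suggested for patch 336, beside the splitlines() form it replaces. The regex, function names and the sample file content are constructed here; the comments note where the two expressions stop agreeing.

```python
"""Line numbers of PEM block headers: splitlines() form vs count() form."""
import re

# Matches a PEM header line such as "-----BEGIN CERTIFICATE-----"
# (constructed for this example; FreeIPA's own parser may differ).
PEM_HEADER = re.compile(r'^-----BEGIN ([A-Z0-9 ]+)-----$', re.MULTILINE)


def line_of_offset_splitlines(data, offset):
    """1-based line number of offset, as written in the original patch."""
    return len(data[:offset + 1].splitlines())


def line_of_offset_count(data, offset):
    """1-based line number of offset, as suggested in the review.

    Counts the newlines before the offset instead of slicing the buffer
    and splitting it, so it does no copying.  Note the two forms differ on
    empty input (count form gives 1, splitlines form gives 0) and on files
    that use bare '\r' line endings, which splitlines() honours and this
    expression does not.
    """
    return data.count('\n', 0, offset) + 1


def pem_block_lines(data):
    """Return [(label, line_number), ...] for every PEM header in data."""
    return [(m.group(1), line_of_offset_count(data, m.start()))
            for m in PEM_HEADER.finditer(data)]


# Constructed sample file: a comment line, a certificate and a PKCS#7
# bundle separated by a blank line.  The base64 bodies are placeholders.
SAMPLE = (
    "# constructed sample, not a real certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...constructed...\n"
    "-----END CERTIFICATE-----\n"
    "\n"
    "-----BEGIN PKCS7-----\n"
    "MIIC...constructed...\n"
    "-----END PKCS7-----\n"
)

if __name__ == '__main__':
    for label, lineno in pem_block_lines(SAMPLE):
        print("line %d: %s" % (lineno, label))
```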
-------------- next part --------------
A non-text attachment was scrubbed...
Name: STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem
Type: application/x-x509-ca-cert
Size: 1806 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/bf8a85f5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
Type: application/x-x509-ca-cert
Size: 827 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/bf8a85f5/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
Type: application/x-pkcs12
Size: 1533 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/bf8a85f5/attachment.p12>