[Freeipa-devel] [PATCHES] 336-339 Installer certificate options usability fixes

Jan Cholasta jcholast at redhat.com
Fri Sep 26 17:40:17 UTC 2014


On 26.9.2014 at 17:37 Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/24/2014 06:13 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
>>> and <https://fedorahosted.org/freeipa/ticket/4489>.
>>>
>>> (Note that the design page for this is TBD.)
>
> Isn't this backwards then?
>
>>
>> 336:
>>
>> Instead of
>>      len(data[:match.start() + 1].splitlines())
>> you can do
>>      data.count('\n', 0, match.start()) + 1

Unfortunately '\n' is not good enough; we have to check for '\r\n' and
'\r' as well, hence the use of splitlines.

>>
>> 337:
>> The --external_cert_file and --external_ca_file options for
>> ipa-ca-install are removed, do we really want to do that? Shouldn't they
>> be deprecated instead?
>
> +1
>
>>
>> Same for --external-ca-file in ipa-cacert-manage.
>
> +1

IMO it's OK to just remove them, as they were added during 4.1
development and are not available in any released version of IPA.


>
> I can't say I'm a fan of forcing users to concatenate cert files.

All the --*-cert-file options may be given multiple times.

>
>>
>> 338: Looks OK
>> 339: Looks OK
>>
>> Could you add some docstrings to the functions you add? Sometimes it's
>> harder than necessary to decipher what they do and what the
>> arguments/return values mean exactly.

Sure.

>>
>> There is no user-visible documentation on what file types are
>> expected/supported. It would be good to add this to the man pages, or
>> the --help.

Added.

>
> I also wonder if the detection code should be changed. It basically now
> tries a slew of different mechanisms one at a time rather than trying to
> identify the type of file and using that one. It may not be possible in
> all cases but you could at least start by looking for ^----- to know it
> is a text file and go from there, otherwise step through the binary formats.

Rearranged the code so that text files are tried first.

>
>>
>>
>>
>> In external CA, the error message when specifying a certificate but not
>> the CA could be improved:
>> $ ipa-server-install --external_cert_file ~/p/Certificate_Authority_8.cer
>> ...
>> CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in
>> /home/pviktori/p/Certificate_Authority_8.cer is not valid:
>> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.

Fixed.

>>
>>
>>
>> For CA-less, I used a combination of files with which server
>> installation went well, but replica-install failed halfway through:
>>
>> Console:
>> ...
>>    [16/36]: creating indices
>>    [17/36]: enabling referential integrity plugin
>>    [18/36]: configuring ssl for ds instance
>>    [error] RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>> Log tail:
>>
>> 2014-09-26T15:05:43Z DEBUG Starting external process
>> 2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d'
>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i'
>> '/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k'
>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w'
>> '/dev/stdin'
>> 2014-09-26T15:05:43Z DEBUG Process finished, return code=17
>> 2014-09-26T15:05:43Z DEBUG stdout=
>> 2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified:
>> SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
>>
>> 2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 370, in start_creation
>>      run_step(full_msg, method)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 360, in run_step
>>      method()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 600, in __enable_ssl
>>      trust_flags=trust_flags)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 1030, in create_from_pkcs12
>>      self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 971, in import_pkcs12
>>      pkcs12_passwd=pkcs12_passwd)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 191, in import_pkcs12
>>      pkcs12_filename)
>> RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>> 2014-09-26T15:05:43Z DEBUG   [error] RuntimeError: incorrect password
>> for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>> 2014-09-26T15:05:43Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 644, in run_script
>>      return_value = main_function()
>>
>>    File "/sbin/ipa-replica-install", line 677, in main
>>      ds = install_replica_ds(config)
>>
>>    File "/sbin/ipa-replica-install", line 190, in install_replica_ds
>>      ca_file=config.dir + "/ca.crt",
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 354, in create_replica
>>      self.start_creation(runtime=60)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 370, in start_creation
>>      run_step(full_msg, method)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 360, in run_step
>>      method()
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 600, in __enable_ssl
>>      trust_flags=trust_flags)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 1030, in create_from_pkcs12
>>      self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 971, in import_pkcs12
>>      pkcs12_passwd=pkcs12_passwd)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 191, in import_pkcs12
>>      pkcs12_filename)
>>
>> 2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>>
>> I'll attach the files for reference; the options for ipa-server-install
>> and ipa-replica-prepare were:
>>
>> --http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>> --http-cert-file
>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem --http-pin
>> 12345678 --dirsrv-cert-file
>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
>> --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>> --dirsrv-pin 12345678

Fixed.

Updated patches attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-336.2-Add-NSSDatabase.import_files-method-for-importing-fi.patch
Type: text/x-patch
Size: 9351 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-337.2-External-CA-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 26469 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-338.2-CA-less-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 46851 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-339.2-Allow-choosing-CA-less-server-certificates-by-name.patch
Type: text/x-patch
Size: 9601 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0003.bin>
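The two points argued in the message above (counting line numbers with splitlines so that '\r\n' and bare '\r' endings are handled, and trying the text/PEM interpretation of a file before stepping through the binary formats) are illustrated below. This is an added example written for this archive page; it is not code from the patches or from FreeIPA. The function names `line_number`, `naive_line_number`, `detect_format` and `pem_blocks`, and the sample PEM data, are constructed for the example; the real importer would go on to try DER, PKCS#7 and PKCS#12 for anything classified as binary here.

```python
import re

# One PEM block; the label is captured so that BEGIN and END must agree.
PEM_BLOCK_RE = re.compile(
    r'-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----', re.DOTALL)


def line_number(data, offset):
    """1-based line number of the character at `offset` in the str `data`.

    str.splitlines() treats '\\n', '\\r\\n' and a bare '\\r' as line breaks,
    which is the reason for using it instead of counting '\\n' characters.
    """
    return len(data[:offset + 1].splitlines()) or 1


def naive_line_number(data, offset):
    """The shorter alternative from the review: counts only '\\n'.

    It agrees with line_number() for LF and CRLF files but reports line 1
    for everything in a file that uses bare '\\r' as its line terminator.
    """
    return data.count('\n', 0, offset) + 1


def detect_format(data):
    """Classify raw file bytes: 'pem' if a '-----BEGIN' line is present,
    otherwise 'binary' (DER / PKCS#7 / PKCS#12 would be tried next).

    Text is checked first, matching the rearranged detection order
    discussed in the thread.  The alternation is used instead of '^' with
    re.MULTILINE because '^' does not match after a bare '\\r'.
    """
    if re.search(rb'(?:^|[\r\n])-----BEGIN ', data):
        return 'pem'
    return 'binary'


def pem_blocks(data):
    """Return [(label, line_no), ...] for every PEM block in the str `data`,
    using the line-ending-agnostic line_number() for the reported position.
    """
    return [(m.group(1), line_number(data, m.start()))
            for m in PEM_BLOCK_RE.finditer(data)]


# Constructed sample input: two PEM blocks after a comment line.  The
# base64 bodies are placeholders, not real certificates.
SAMPLE_LF = (
    "# constructed sample\n"
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
)
SAMPLE_CRLF = SAMPLE_LF.replace('\n', '\r\n')   # Windows-style endings
SAMPLE_CR = SAMPLE_LF.replace('\n', '\r')       # classic Mac-style endings

# Constructed binary-looking input: an ASN.1 SEQUENCE header followed by
# padding.  Not a valid certificate; enough to be classified as binary.
DER_SAMPLE = b'\x30\x82\x01\x00' + b'\x00' * 4


if __name__ == '__main__':
    for name, sample in (('LF', SAMPLE_LF), ('CRLF', SAMPLE_CRLF),
                         ('CR', SAMPLE_CR)):
        first = sample.index('-----BEGIN')
        print(name, detect_format(sample.encode()), pem_blocks(sample),
              'naive:', naive_line_number(sample, first))
    print('DER', detect_format(DER_SAMPLE))
```

With all three line-ending variants `pem_blocks` reports the blocks on lines 2 and 5; `naive_line_number` reports line 1 for the CR-only variant, which is the case the reply is guarding against.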