[Freeipa-devel] [PATCHES] 336-339 Installer certificate options usability fixes
Jan Cholasta
jcholast at redhat.com
Fri Sep 26 17:40:17 UTC 2014
On 26.9.2014 at 17:37, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/24/2014 06:13 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
>>> and <https://fedorahosted.org/freeipa/ticket/4489>.
>>>
>>> (Note that design page for this is TBD.)
>
> Isn't this backwards then?
>
>>
>> 336:
>>
>> Instead of
>> len(data[:match.start() + 1].splitlines())
>> you can do
>> data.count('\n', 0, match.start()) + 1
Unfortunately '\n' is not good enough; we have to check for '\r\n' and
'\r' as well, hence the use of splitlines.
>>
>> 337:
>> The --external_cert_file and --external_ca_file options for
>> ipa-ca-install are removed, do we really want to do that? Shouldn't they
>> be deprecated instead?
>
> +1
>
>>
>> Same for --external-ca-file in ipa-cacert-manage.
>
> +1
IMO it's OK to just remove them, as they were added during 4.1
development and are not available in any released version of IPA.
>
> I can't say I'm a fan of forcing users to concatenate cert files.
All the --*-cert-file options may be given multiple times.
>
>>
>> 338: Looks OK
>> 339: Looks OK
>>
>> Could you add some docstrings to the functions you add? Sometimes it's
>> harder than necessary to decipher what they do and what the
>> arguments/return values mean exactly.
Sure.
>>
>> There is no user-visible documentation on what file types are
>> expected/supported. It would be good to add this to the man pages, or
>> the --help.
Added.
>
> I also wonder if the detection code should be changed. It basically now
> tries a slew of different mechanisms one at a time rather than trying to
> identify the type of file and using that one. It may not be possible in
> all cases but you could at least start by looking for ^----- to know it
> is a text file and go from there, otherwise step through the binary formats.
Rearranged the code so that text files are tried first.
>
>>
>>
>>
>> In external CA, the error message when specifying a certificate but not
>> the CA could be improved:
>> $ ipa-server-install --external_cert_file ~/p/Certificate_Authority_8.cer
>> ...
>> CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in
>> /home/pviktori/p/Certificate_Authority_8.cer is not valid:
>> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
Fixed.
>>
>>
>>
>> For CA-less, I used a combination of files with which server
>> installation went well, but replica-install failed halfway through:
>>
>> Console:
>> ...
>> [16/36]: creating indices
>> [17/36]: enabling referential integrity plugin
>> [18/36]: configuring ssl for ds instance
>> [error] RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>> Log tail:
>>
>> 2014-09-26T15:05:43Z DEBUG Starting external process
>> 2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d'
>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i'
>> '/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k'
>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w'
>> '/dev/stdin'
>> 2014-09-26T15:05:43Z DEBUG Process finished, return code=17
>> 2014-09-26T15:05:43Z DEBUG stdout=
>> 2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified:
>> SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
>>
>> 2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 370, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 360, in run_step
>> method()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 600, in __enable_ssl
>> trust_flags=trust_flags)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 1030, in create_from_pkcs12
>> self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 971, in import_pkcs12
>> pkcs12_passwd=pkcs12_passwd)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 191, in import_pkcs12
>> pkcs12_filename)
>> RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>> 2014-09-26T15:05:43Z DEBUG [error] RuntimeError: incorrect password
>> for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>> 2014-09-26T15:05:43Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 644, in run_script
>> return_value = main_function()
>>
>> File "/sbin/ipa-replica-install", line 677, in main
>> ds = install_replica_ds(config)
>>
>> File "/sbin/ipa-replica-install", line 190, in install_replica_ds
>> ca_file=config.dir + "/ca.crt",
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 354, in create_replica
>> self.start_creation(runtime=60)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 370, in start_creation
>> run_step(full_msg, method)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 360, in run_step
>> method()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 600, in __enable_ssl
>> trust_flags=trust_flags)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 1030, in create_from_pkcs12
>> self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 971, in import_pkcs12
>> pkcs12_passwd=pkcs12_passwd)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 191, in import_pkcs12
>> pkcs12_filename)
>>
>> 2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: incorrect password for pkcs#12 file
>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>
>>
>> I'll attach the files for reference; the options for ipa-server-install
>> and ipa-replica-prepare were:
>>
>> --http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>> --http-cert-file
>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem --http-pin
>> 12345678 --dirsrv-cert-file
>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
>> --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>> --dirsrv-pin 12345678
Fixed.
Updated patches attached.
--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-336.2-Add-NSSDatabase.import_files-method-for-importing-fi.patch
Type: text/x-patch
Size: 9351 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-337.2-External-CA-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 26469 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-338.2-CA-less-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 46851 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-339.2-Allow-choosing-CA-less-server-certificates-by-name.patch
Type: text/x-patch
Size: 9601 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/5b69a5ca/attachment-0003.bin>
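The two review points in the exchange above, the line-ending problem with counting '\n' and the suggestion to detect PEM text files first before stepping through the binary formats, as an added worked example. This is not code from the attached patches or from FreeIPA; the PEM samples, the DER-like bytes and the BEGIN-marker regex are constructed for illustration only.

```python
import re

# Constructed sample input (not a real certificate): a PEM file that uses a
# lone '\r' as line terminator, preceded by a comment line.
SAMPLE_PEM_CR = (
    b"# comment line\r"
    b"-----BEGIN CERTIFICATE-----\r"
    b"MIIBcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBjZXJ0\r"
    b"-----END CERTIFICATE-----\r"
)

# The same constructed file with '\r\n' and with '\n' line endings.
SAMPLE_PEM_CRLF = SAMPLE_PEM_CR.replace(b"\r", b"\r\n")
SAMPLE_PEM_LF = SAMPLE_PEM_CR.replace(b"\r", b"\n")

# Constructed bytes shaped like the start of a DER SEQUENCE; no PEM marker.
SAMPLE_BINARY = b"\x30\x82\x01\x0a\x02\x01\x00\x30\x0d\x06\x09"

# A PEM BEGIN marker at the start of a line.  The negative lookbehind
# "not preceded by a non-newline byte" accepts start-of-data, '\n' and '\r',
# whereas '^' with re.MULTILINE only fires after '\n'.
PEM_BEGIN_RE = re.compile(rb"(?<![^\r\n])-----BEGIN ([A-Z0-9 ]+)-----")


def line_number(data, offset):
    """Return the 1-based line number of byte ``offset`` in ``data``.

    bytes.splitlines() treats '\\n', '\\r\\n' and a lone '\\r' as terminators,
    which is why the patch uses it rather than counting '\\n' bytes.
    """
    return len(data[:offset + 1].splitlines())


def naive_line_number(data, offset):
    """The '\\n'-counting shortcut suggested in review; wrong for '\\r' files."""
    return data.count(b"\n", 0, offset) + 1


def find_pem_blocks(data):
    """Return [(label, line), ...] for every PEM BEGIN marker in ``data``."""
    return [(m.group(1).decode("ascii"), line_number(data, m.start()))
            for m in PEM_BEGIN_RE.finditer(data)]


def classify(data):
    """Return 'pem' if a line starts with '-----BEGIN', otherwise 'binary'.

    This is the text-first ordering from the review: only files without a
    PEM marker need to be handed to the binary decoders (DER, PKCS#12, ...).
    """
    return "pem" if PEM_BEGIN_RE.search(data) else "binary"


if __name__ == "__main__":
    for name, data in [("CR", SAMPLE_PEM_CR), ("CRLF", SAMPLE_PEM_CRLF),
                       ("LF", SAMPLE_PEM_LF), ("DER", SAMPLE_BINARY)]:
        m = PEM_BEGIN_RE.search(data)
        naive = "" if m is None else "count('\\n') says line %d" % (
            naive_line_number(data, m.start()))
        print(name, classify(data), find_pem_blocks(data), naive)
```

For the '\r'-terminated sample the BEGIN marker is on line 2; splitlines() reports 2 while the '\n' count reports 1, which is the discrepancy the reply points out. The lookbehind in the regex exists for the same reason: anchoring the marker with `^` under re.MULTILINE would miss a PEM file with '\r' endings and wrongly send it to the binary decoders.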