[Freeipa-devel] [PATCHES] 336-339 Installer certificate options usability fixes

Jan Cholasta jcholast at redhat.com
Mon Sep 29 14:32:03 UTC 2014


On 26.9.2014 at 19:40, Jan Cholasta wrote:
> On 26.9.2014 at 17:37, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/24/2014 06:13 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
>>>> and <https://fedorahosted.org/freeipa/ticket/4489>.
>>>>
>>>> (Note that design page for this is TBD.)
>>
>> Isn't this backwards then?
>>
>>>
>>> 336:
>>>
>>> Instead of
>>>      len(data[:match.start() + 1].splitlines())
>>> you can do
>>>      data.count('\n', 0, match.start()) + 1
>
> Unfortunately '\n' is not good enough, we have to check for '\r\n' and
> '\r' as well, hence the use of splitlines.
>
>>>
>>> 337:
>>> The --external_cert_file and --external_ca_file options for
>>> ipa-ca-install are removed, do we really want to do that? Shouldn't they
>>> be deprecated instead?
>>
>> +1
>>
>>>
>>> Same for --external-ca-file in ipa-cacert-manage.
>>
>> +1
>
> IMO it's OK to just remove them, as they were added during 4.1
> development and are not available in any released version of IPA.
>
>
>>
>> I can't say I'm a fan of forcing users to concatenate cert files.
>
> All the --*-cert-file options may be given multiple times.
>
>>
>>>
>>> 338: Looks OK
>>> 339: Looks OK
>>>
>>> Could you add some docstrings to the functions you add? Sometimes it's
>>> harder than necessary to decipher what they do and what the
>>> arguments/return values mean exactly.
>
> Sure.
>
>>>
>>> There is no user-visible documentation on what file types are
>>> expected/supported. It would be good to add this to the man pages, or
>>> the --help.
>
> Added.
>
>>
>> I also wonder if the detection code should be changed. It basically now
>> tries a slew of different mechanisms one at a time rather than trying to
>> identify the type of file and using that one. It may not be possible in
>> all cases but you could at least start by looking for ^----- to know it
>> is a text file and go from there, otherwise step through the binary
>> formats.
>
> Rearranged the code so that text files are tried first.
>
>>
>>>
>>>
>>>
>>> In external CA, the error message when specifying a certificate but not
>>> the CA could be improved:
>>> $ ipa-server-install --external_cert_file
>>> ~/p/Certificate_Authority_8.cer
>>> ...
>>> CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in
>>> /home/pviktori/p/Certificate_Authority_8.cer is not valid:
>>> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
>
> Fixed.
>
>>>
>>>
>>>
>>> For CA-less, I used a combination of files with which server
>>> installation went well, but replica-install failed halfway through:
>>>
>>> Console:
>>> ...
>>>    [16/36]: creating indices
>>>    [17/36]: enabling referential integrity plugin
>>>    [18/36]: configuring ssl for ds instance
>>>    [error] RuntimeError: incorrect password for pkcs#12 file
>>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>>
>>> Log tail:
>>>
>>> 2014-09-26T15:05:43Z DEBUG Starting external process
>>> 2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d'
>>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i'
>>> '/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k'
>>> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w'
>>> '/dev/stdin'
>>> 2014-09-26T15:05:43Z DEBUG Process finished, return code=17
>>> 2014-09-26T15:05:43Z DEBUG stdout=
>>> 2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified:
>>> SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
>>>
>>> 2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 370, in start_creation
>>>      run_step(full_msg, method)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 360, in run_step
>>>      method()
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>> 600, in __enable_ssl
>>>      trust_flags=trust_flags)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 1030, in create_from_pkcs12
>>>      self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 971, in import_pkcs12
>>>      pkcs12_passwd=pkcs12_passwd)
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 191, in import_pkcs12
>>>      pkcs12_filename)
>>> RuntimeError: incorrect password for pkcs#12 file
>>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>>
>>> 2014-09-26T15:05:43Z DEBUG   [error] RuntimeError: incorrect password
>>> for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>> 2014-09-26T15:05:43Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 644, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/sbin/ipa-replica-install", line 677, in main
>>>      ds = install_replica_ds(config)
>>>
>>>    File "/sbin/ipa-replica-install", line 190, in install_replica_ds
>>>      ca_file=config.dir + "/ca.crt",
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>> 354, in create_replica
>>>      self.start_creation(runtime=60)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 370, in start_creation
>>>      run_step(full_msg, method)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 360, in run_step
>>>      method()
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>>> 600, in __enable_ssl
>>>      trust_flags=trust_flags)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 1030, in create_from_pkcs12
>>>      self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 971, in import_pkcs12
>>>      pkcs12_passwd=pkcs12_passwd)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>> line 191, in import_pkcs12
>>>      pkcs12_filename)
>>>
>>> 2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed,
>>> exception: RuntimeError: incorrect password for pkcs#12 file
>>> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
>>>
>>>
>>> I'll attach the files for reference; the options for ipa-server-install
>>> and ipa-replica-prepare were:
>>>
>>> --http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>>> --http-cert-file
>>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem --http-pin
>>> 12345678 --dirsrv-cert-file
>>> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
>>> --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
>>> --dirsrv-pin 12345678
>
> Fixed.
>
> Updated patches attached.

Added patch 341 for stricter CA certificate validation which fixes 
<https://fedorahosted.org/freeipa/ticket/4477>.

Updated patches attached.

-- 
Jan Cholasta
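Added example (not code from the attached patches): the line-numbering point from the 336 review, run on input that mixes CRLF, lone CR and LF endings, together with the text-first detection order suggested for the import code. The sample bundle, the function names and the single DER tag check standing in for the binary-format probes are all my own assumptions.

```python
import re

# Constructed sample input (not from the thread): a PEM bundle whose line
# endings mix CRLF, a lone CR and LF, the case a plain '\n' count gets wrong.
SAMPLE_PEM = (
    b"# comment\r\n"
    b"-----BEGIN CERTIFICATE-----\r\n"
    b"MIIB\r\n"
    b"-----END CERTIFICATE-----\r"
    b"-----BEGIN PKCS7-----\n"
    b"MIIC\n"
    b"-----END PKCS7-----\n"
)

# A PEM header at the start of the data or right after any CR/LF. A plain
# '^' with re.MULTILINE would not do: Python only treats '\n' as a line break.
PEM_BEGIN = re.compile(rb"(?<![^\r\n])-----BEGIN ([A-Z0-9 ]+)-----")


def line_of(data, pos):
    """1-based line number of byte offset pos, treating \\r\\n, \\r and \\n
    alike (the splitlines() approach from the 336 review)."""
    return len(data[:pos + 1].splitlines())


def naive_line_of(data, pos):
    """The count('\\n') shortcut from the review; only right for LF files."""
    return data.count(b"\n", 0, pos) + 1


def pem_blocks(data):
    """Return (label, line number) for every PEM header found in data."""
    return [(m.group(1).decode("ascii"), line_of(data, m.start()))
            for m in PEM_BEGIN.finditer(data)]


def detect_format(data):
    """Text-first detection order: look for PEM markers before any binary
    probe. A single DER tag check (0x30, ASN.1 SEQUENCE) stands in here
    for stepping through the binary formats (DER cert, PKCS#7, PKCS#12)."""
    if PEM_BEGIN.search(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


if __name__ == "__main__":
    print(detect_format(SAMPLE_PEM), pem_blocks(SAMPLE_PEM))
    start = SAMPLE_PEM.index(b"-----BEGIN PKCS7")
    print(line_of(SAMPLE_PEM, start), naive_line_of(SAMPLE_PEM, start))
```

The second PEM block sits on line 5 of the sample; the '\n' count reports line 4 because the preceding line ends in a bare CR.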
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-336.3-Add-NSSDatabase.import_files-method-for-importing-fi.patch
Type: text/x-patch
Size: 9442 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/25a5e64a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-337.3-External-CA-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 26492 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/25a5e64a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-338.3-CA-less-installer-options-usability-fixes.patch
Type: text/x-patch
Size: 46897 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/25a5e64a/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-339.3-Allow-choosing-CA-less-server-certificates-by-name.patch
Type: text/x-patch
Size: 9601 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/25a5e64a/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-341-Do-stricter-validation-of-CA-certificates.patch
Type: text/x-patch
Size: 3013 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/25a5e64a/attachment-0004.bin>