[Freeipa-users] Reports and questions

Marc Schlinger marc.schlinger at agorabox.org
Mon May 3 16:07:00 UTC 2010


On 03/05/2010 17:38, Rob Crittenden wrote:
> Marc Schlinger wrote:
>> Hello,
>>
>> I tried to install freeipa with certs management. I did manage after 
>> a problem.
>>
>> 1°) The installation was unable to finish on a French localized 
>> system.
>> The error at stage [3/15]: configuring certificate server instance 
>> was something like
>>
>> java.utils.MissingResourceException can't find bundle for base name 
>> LogMessages, locale fr_FR.UTF-8
>> full log at the end
>>
>> It's a dogtag error but since I had it while installing freeipa, I 
>> report it to you.
>>
>> Finally, for the installation I used a fresh Fedora 12 with 
>> en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12,
>> and I activated the testing repos as advised in this thread: 
>> [Freeipa-users] call implemented methods via xml-rpc.
>
> Yes, I have this on my list to try to work around. I'm going to set 
> the en_US locale while we're installing dogtag, I just don't know what 
> this will do post-installation, if things will again blow up.
>
> I opened a new bug on this against dogtag, 
> https://bugzilla.redhat.com/show_bug.cgi?id=588375
>
>>
>> I tried to play a little with certificates mostly to replace puppet 
>> certificate management by the freeipa ones
>> 2°) I wasn't able to do a ipa cert-request 
>> --principal=my/test.domain.com my.csr
>> I had this error:
>> ipa: ERROR: Certificate operation cannot be completed: Failure 
>> decoding Certificate Signing Request
>>
>> It seems that it was a forgotten line in ipalib/pkcs10.py
>> here's the patch:
>>
>> --- /tmp/pkcs10.py    2010-05-03 16:02:22.929018799 +0200
>> +++ ipalib/pkcs10.py    2010-05-03 16:02:09.855940583 +0200
>> @@ -52,6 +52,7 @@
>>          namedtype.NamedType('universalString', 
>> char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>> MAX))),
>>          namedtype.NamedType('utf8String', 
>> char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>> MAX))),
>>          namedtype.NamedType('bmpString', 
>> char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), 
>>
>> +        namedtype.NamedType('ia5string', 
>> char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), 
>>
>>          )
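Review bot: the new alternative is named 'ia5string', which breaks the camelCase pattern of its neighbours in the same CHOICE ('universalString', 'utf8String', 'bmpString'); rename it 'ia5String' for consistency. Beyond naming, the reply to this hunk points out that RFC 3280 does not list IA5String among the DirectoryString alternatives, so the addition should be accompanied by a CSR that actually fails to decode without it; otherwise the reported "Failure decoding Certificate Signing Request" may have a different cause and this line widens the accepted encodings without fixing anything.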
>
> Hmm. The python-pyasn1 x509.py sample has ia5string defined as well 
> but it isn't in RFC 3280 as a supported type for DirectoryString. I 
> can go ahead and add it in. Can you send me a certificate that is not 
> being parsed by the current pkcs10 module?
>
>> that's all for the report, now I have a question:
>>
>> Is/Will freeipa integrate smart token authentication?
>> On this page: http://freeipa.org/page/Certificate_Management
>> you said that "There is no requirement to provision user 
>> certificates." Smart key authentication requires user certificates.
>
> We aren't planning on supporting client certificates for v2. We may 
> add support at some point but it hasn't been planned, designed, etc. 
> Since we use dogtag if/when we implement support for client certs then 
> tokens should be part of that.
>
> rob

Rob,
I'm confused, I'm totally wrong.
This patch is absolutely useless.

The only way to make ipa cert-request go wrong is omitting the -newhdr 
option with openssl; then the header and footer are:

-----BEGIN CERTIFICATE REQUEST-----
MII....
-----END CERTIFICATE REQUEST-----

whereas with the newhdr option we have the header and footer like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MII....
-----END NEW CERTIFICATE REQUEST-----


p.s: I really had problems without the ia5string stuff. I'm not crazy! am I?
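To make the header mismatch described above concrete, here is an added example (not code from FreeIPA, pyasn1 or this thread) of a CSR loader that accepts both the plain RFC 7468 label and the legacy "NEW CERTIFICATE REQUEST" label that `openssl req -newhdr` emits, checks the outer DER framing, and can re-armor the request with whichever label a consumer insists on. The sample payload is a constructed five-byte DER placeholder, not a real CSR.

```python
import base64
import re

# Both armor labels seen in this thread. RFC 7468 uses the plain form and
# lists the "NEW ..." form as a legacy label parsers should still accept.
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P<end>[A-Z ]+)-----"
)

def _check_der_sequence(der):
    """A CertificationRequest is a DER SEQUENCE; verify the tag and that the
    encoded length matches the payload, so truncation is reported clearly."""
    if not der or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form: low 7 bits = byte count
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(der[2:hdr], "big")
    if hdr + length != len(der):
        raise ValueError("DER length %d, payload %d" % (length, len(der) - hdr))

def load_csr_pem(text):
    """Return (label, der_bytes), naming the exact reason on failure instead
    of a bare 'Failure decoding Certificate Signing Request'."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM armor found")
    label, end = m.group("label"), m.group("end")
    if label != end:
        raise ValueError("BEGIN/END labels differ: %r vs %r" % (label, end))
    if label not in CSR_LABELS:
        raise ValueError("not a CSR label: %r" % label)
    der = base64.b64decode(m.group("body"))   # whitespace is discarded
    _check_der_sequence(der)
    return label, der

def rearmor_csr(text, label="CERTIFICATE REQUEST"):
    """Re-wrap the same DER under the label the consumer expects."""
    _, der = load_csr_pem(text)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

# Constructed placeholder: SEQUENCE { INTEGER 0 } encoded as 30 03 02 01 00.
SAMPLE_NEW = "-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQA=\n-----END NEW CERTIFICATE REQUEST-----\n"
SAMPLE_PLAIN = rearmor_csr(SAMPLE_NEW)
```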