[Freeipa-users] Reports and questions

Rob Crittenden rcritten at redhat.com
Mon May 3 17:23:20 UTC 2010


Marc Schlinger wrote:
> On 03/05/2010 17:38, Rob Crittenden wrote:
>> Marc Schlinger wrote:
>>> Hello,
>>>
>>> I tried to install freeipa with certs management. I did manage after 
>>> a problem.
>>>
>>> 1°) The installation was unable to finish on a French localized 
>>> system.
>>> The error at stage [3/15]: configuring certificate server instance 
>>> was something like
>>>
>>> java.utils.MissingResourceException can't find bundle for base name 
>>> LogMessages, locale fr_FR.UTF-8
>>> full log at the end
>>>
>>> It's a dogtag error but since I had it while installing freeipa, I 
>>> report it to you.
>>>
>>> Finally, for the installation I used a fresh Fedora 12 with 
>>> en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12,
>>> and I activated the testing repos as advised in this thread: 
>>> [Freeipa-users] call implemented methods via xml-rpc.
>>
>> Yes, I have this on my list to try to work around. I'm going to set 
>> the en_US locale while we're installing dogtag, I just don't know what 
>> this will do post-installation, if things will again blow up.
>>
>> I opened a new bug on this against dogtag, 
>> https://bugzilla.redhat.com/show_bug.cgi?id=588375
>>
>>>
>>> I tried to play a little with certificates mostly to replace puppet 
>>> certificate management by the freeipa ones
>>> 2°) I wasn't able to do an ipa cert-request 
>>> --principal=my/test.domain.com my.csr
>>> I had this error:
>>> ipa: ERROR: Certificate operation cannot be completed: Failure 
>>> decoding Certificate Signing Request
>>>
>>> It seems that it was a forgotten line in ipalib/pkcs10.py
>>> here's the patch:
>>>
>>> --- /tmp/pkcs10.py    2010-05-03 16:02:22.929018799 +0200
>>> +++ ipalib/pkcs10.py    2010-05-03 16:02:09.855940583 +0200
>>> @@ -52,6 +52,7 @@
>>>          namedtype.NamedType('universalString', 
>>> char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>>> MAX))),
>>>          namedtype.NamedType('utf8String', 
>>> char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>>> MAX))),
>>>          namedtype.NamedType('bmpString', 
>>> char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>>> MAX))),
>>> +        namedtype.NamedType('ia5string', 
>>> char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
>>> MAX))),
>>>          )
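Review bot: the added 'ia5string' alternative relaxes the DirectoryString CHOICE beyond the RFC 3280 set (the neighbouring universalString, utf8String and bmpString entries are part of it; IA5String is not), so the new line should carry a comment stating that it is a deliberate relaxation to accept requests from tools that emit IA5String attribute values, and the change should ship together with the CSR that fails to decode so the relaxation is exercised by a test rather than taken on faith. A smaller point: the name 'ia5string' does not follow the camel-case convention of its neighbours ('utf8String', 'bmpString'); 'ia5String' would be consistent.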
>>
>> Hmm. The python-pyasn1 x509.py sample has ia5string defined as well 
>> but it isn't in RFC 3280 as a supported type for DirectoryString. I 
>> can go ahead and add it in. Can you send me a certificate that is not 
>> being parsed by the current pkcs10 module?
>>
>>> that's all for the report, now I have a question:
>>>
>>> Is/Will freeipa integrate smart token authentication?
>>> In this page : http://freeipa.org/page/Certificate_Management
>>> You said that "There is no requirement to provision user 
>>> certificates.". Smart key authentication require user certificates.
>>
>> We aren't planning on supporting client certificates for v2. We may 
>> add support at some point but it hasn't been planned, designed, etc. 
>> Since we use dogtag if/when we implement support for client certs then 
>> tokens should be part of that.
>>
>> rob
> 
> Rob,
> I'm confused, I'm totally wrong.
> This patch is absolutely useless.
> 
> the only way to make ipa cert-request go wrong is omitting the -newhdr 
> option with openssl; then the header and footer are:
> 
> -----BEGIN CERTIFICATE REQUEST-----
> MII....
> -----END CERTIFICATE REQUEST-----
> 
> whereas with the newhdr option we have the header and footer like this:
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MII....
> -----END NEW CERTIFICATE REQUEST-----

Ok, I thought I handled this, I guess not.

> 
> p.s: I really had problems without the ia5string stuff. I'm not crazy! 
> am I?

I don't think so, I just didn't run into it myself. It could be because 
you use openssl to create the CSR and I used the NSS tools. Or it could 
be because your locale is different, or the phase of the moon, who knows 
:-) The pyasn1 guys have a code comment questioning why ia5string is 
needed as well: # hm, this should not be here!? XXX If we're going to 
get requests with ia5strings I'm ok with adding support to the parser.

The reason I asked for the cert sample was so I would be able to test 
the fix end-to-end, and perhaps incorporate it into our test suite.

rob
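Added example, not code from this thread or from ipalib: a small Python loader that accepts a PEM CSR under either label Marc describes (the OpenSSL default and the "NEW" form from -newhdr), checks that the BEGIN and END labels match, and returns the DER bytes, plus a helper that re-emits the request under one canonical label for a CA-side parser that only accepts one of them. The sample body is constructed (a tiny DER SEQUENCE, not a real request) and the function names are my own.

```python
import base64
import re

# Both PEM labels OpenSSL can emit for a PKCS#10 request: the default one
# and the "NEW" form produced with the -newhdr option.
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z ]+)-----"
    r"(?P<body>.*?)"
    r"-----END (?P<end>[A-Z ]+)-----",
    re.DOTALL,
)


class CSRDecodeError(ValueError):
    """PEM framing or encoding of the request is not acceptable."""


def pem_csr_to_der(pem: str) -> bytes:
    """Return the DER bytes of a PEM-encoded CSR, accepting either label."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise CSRDecodeError("no PEM block found")
    begin, end = m.group("begin"), m.group("end")
    if begin != end:
        raise CSRDecodeError(f"BEGIN/END label mismatch: {begin!r} vs {end!r}")
    if begin not in CSR_LABELS:
        raise CSRDecodeError(f"not a certificate request: {begin!r}")
    body = "".join(m.group("body").split())  # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise CSRDecodeError("body is not valid base64") from exc
    # A DER CertificationRequest is a SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise CSRDecodeError("decoded body is not a DER SEQUENCE")
    return der


def normalize_csr_pem(pem: str, label: str = "CERTIFICATE REQUEST") -> str:
    """Re-emit a CSR under one canonical label with 64-column base64 lines."""
    b64 = base64.b64encode(pem_csr_to_der(pem)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: a tiny DER SEQUENCE (not a real CSR) under both labels.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
OLD_HDR = "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQU=\n-----END CERTIFICATE REQUEST-----\n"
NEW_HDR = "-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQU=\n-----END NEW CERTIFICATE REQUEST-----\n"
```

Feeding the normalized text to a parser that only knows one label removes the header difference as a failure cause, so a remaining decode error points at the request body itself.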
