[Freeipa-users] Reports and questions
Rob Crittenden
rcritten at redhat.com
Mon May 3 17:23:20 UTC 2010
Marc Schlinger wrote:
> On 03/05/2010 17:38, Rob Crittenden wrote:
>> Marc Schlinger wrote:
>>> Hello,
>>>
>>> I tried to install freeipa with certs management. I did manage after
>>> a problem.
>>>
>>> 1°) The installation was unable to finish on a French localized
>>> system.
>>> The error at stage [3/15]: configuring certificate server instance
>>> was something like
>>>
>>> java.utils.MissingResourceException can't find bundle for base name
>>> LogMessages, locale fr_FR.UTF-8
>>> full log at then end
>>>
>>> It's a dogtag error but since I had it while installing freeipa, I
>>> report it to you.
>>>
>>> Finally, for the installation I used a fresh Fedora 12 with
>>> en_US.UTF-8 locales, the rpm version was 1.9.0GIT3620135-0.fc12,
>>> and I activated the testing repos as advised in this thread:
>>> [Freeipa-users] call implemented methods via xml-rpc.
>>
>> Yes, I have this on my list to try to work around. I'm going to set
>> the en_US locale while we're installing dogtag, I just don't know what
>> this will do post-installation, if things will again blow up.
>>
>> I opened a new bug on this against dogtag,
>> https://bugzilla.redhat.com/show_bug.cgi?id=588375
>>
>>>
>>> I tried to play a little with certificates, mostly to replace puppet
>>> certificate management with the FreeIPA one.
>>> 2°) I wasn't able to do a ipa cert-request
>>> --principal=my/test.domain.com my.csr
>>> I had this error:
>>> ipa: ERROR: Certificate operation cannot be completed: Failure
>>> decoding Certificate Signing Request
>>>
>>> It seems that it was a forgotten line in ipalib/pkcs10.py;
>>> here's the patch:
>>>
>>> --- /tmp/pkcs10.py 2010-05-03 16:02:22.929018799 +0200
>>> +++ ipalib/pkcs10.py 2010-05-03 16:02:09.855940583 +0200
>>> @@ -52,6 +52,7 @@
>>> namedtype.NamedType('universalString',
>>> char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1,
>>> MAX))),
>>> namedtype.NamedType('utf8String',
>>> char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1,
>>> MAX))),
>>> namedtype.NamedType('bmpString',
>>> char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1,
>>> MAX))),
>>> + namedtype.NamedType('ia5string',
>>> char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1,
>>> MAX))),
>>> )
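Review bot: the new alternative is named 'ia5string' while the neighbouring entries use camelCase ('utf8String', 'bmpString'), so for consistency it should read namedtype.NamedType('ia5String', ...). More substantively, IA5String is not a member of the DirectoryString CHOICE in RFC 3280 section 4.1.2.4, so widening the CHOICE here accepts a value type the standard does not allow for the attributes (CN, O, OU, ...) that are DirectoryStrings; an attribute whose value is legitimately IA5String (for example, the PKCS#9 emailAddress that OpenSSL puts in a subject) is better handled as its own attribute value type than by loosening DirectoryString. The patch should also come with a CSR that fails to parse without it, so the change can be tested end-to-end and added to the test suite.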
>>
>> Hmm. The python-pyasn1 x509.py sample has ia5string defined as well
>> but it isn't in RFC 3280 as a supported type for DirectoryString. I
>> can go ahead and add it in. Can you send me a certificate that is not
>> being parsed by the current pkcs10 module?
>>
>>> that's all for the report, now I have a question:
>>>
>>> Does/Will FreeIPA integrate smart token authentication?
>>> In this page: http://freeipa.org/page/Certificate_Management
>>> You said that "There is no requirement to provision user
>>> certificates." Smart key authentication requires user certificates.
>>
>> We aren't planning on supporting client certificates for v2. We may
>> add support at some point but it hasn't been planned, designed, etc.
>> Since we use dogtag if/when we implement support for client certs then
>> tokens should be part of that.
>>
>> rob
>
> Rob,
> I am confused, I'm totally wrong.
> This patch is absolutely useless.
>
> The only way to make ipa cert-request go wrong is omitting the -newhdr
> option with openssl; then the header and footer are:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MII....
> -----END CERTIFICATE REQUEST-----
>
> whereas with the newhdr option we have the header and footer like this:
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MII....
> -----END NEW CERTIFICATE REQUEST-----
Ok, I thought I handled this, I guess not.
>
> p.s: I really had problems without the ia5string stuff. I'm not crazy!
> am I?
I don't think so, I just didn't run into it myself. It could be because
you use openssl to create the CSR and I used the NSS tools. Or it could
be because your locale is different, or the phase of the moon, who knows
:-) The pyasn1 guys have a code comment questioning why ia5string is
needed as well: # hm, this should not be here!? XXX If we're going to
get requests with ia5strings I'm ok with adding support to the parser.
The reason I asked for the cert sample was so I would be able to test
the fix end-to-end, and perhaps incorporate it into our test suite.
rob
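The two problems in this thread, the PEM label that differs with and without openssl's -newhdr, and an ASN.1 string type that the DirectoryString CHOICE in pkcs10.py does not admit, can both be seen with a small stand-alone parser. The following is an added example, not FreeIPA's or pyasn1's code: it accepts either CSR label, walks the CertificationRequest down to the subject Name with a minimal DER reader, and lists every attribute whose value tag is not one of the five RFC 3280 DirectoryString types. The CSR it parses is constructed in-process with a placeholder key and signature (so it is parseable but not a valid request); the subject carries a commonName as UTF8String and an emailAddress, which PKCS#9 defines as IA5String, which is one realistic way such a tag ends up in a subject.

```python
"""Added example (not FreeIPA code): normalise both PEM labels OpenSSL uses
for a CSR and report which ASN.1 string types the subject carries."""
import base64
import re

# Universal ASN.1 tags used below.
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06
UTF8STRING, PRINTABLESTRING, TELETEXSTRING, IA5STRING = 0x0C, 0x13, 0x14, 0x16
UNIVERSALSTRING, BMPSTRING, CTX0 = 0x1C, 0x1E, 0xA0

# RFC 3280 4.1.2.4 DirectoryString CHOICE; IA5String is not a member.
DIRECTORY_STRING_TAGS = {TELETEXSTRING, PRINTABLESTRING, UNIVERSALSTRING,
                         UTF8STRING, BMPSTRING}

# Labels OpenSSL writes: the first by default, the second with "req -newhdr".
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def csr_label(pem):
    """Return the PEM label if it is one of the CSR labels, else None."""
    m = _PEM_RE.search(pem)
    return m.group(1) if m and m.group(1) in CSR_LABELS else None


def pem_to_der(pem):
    """Accept either CSR label and return the DER body."""
    m = _PEM_RE.search(pem)
    if not m or m.group(1) not in CSR_LABELS:
        raise ValueError("not a PEM certificate request")
    return base64.b64decode("".join(m.group(2).split()))


def der_to_pem(der, newhdr=False):
    label = CSR_LABELS[1] if newhdr else CSR_LABELS[0]
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Minimal DER encode/decode (definite lengths only, which is all DER allows).
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


# Constructed CSR with a placeholder key and signature (not a valid request).
OID_CN = bytes.fromhex("550403")                    # 2.5.4.3 commonName
OID_EMAIL = bytes.fromhex("2A864886F70D010901")     # 1.2.840.113549.1.9.1 emailAddress
OID_RSA = bytes.fromhex("2A864886F70D010101")       # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2A864886F70D010105")  # 1.2.840.113549.1.1.5 sha1WithRSAEncryption


def build_csr(cn, email):
    """Subject: CN as UTF8String, emailAddress as IA5String (as PKCS#9 defines it)."""
    def atv(oid, tag, text):
        return _tlv(SET, _tlv(SEQUENCE, _tlv(OID, oid) + _tlv(tag, text.encode())))
    subject = _tlv(SEQUENCE, atv(OID_CN, UTF8STRING, cn) + atv(OID_EMAIL, IA5STRING, email))
    alg = _tlv(SEQUENCE, _tlv(OID, OID_RSA) + _tlv(NULL, b""))
    spki = _tlv(SEQUENCE, alg + _tlv(BIT_STRING, b"\x00" * 9))   # placeholder key
    info = _tlv(SEQUENCE, _tlv(INTEGER, b"\x00") + subject + spki + _tlv(CTX0, b""))
    sig_alg = _tlv(SEQUENCE, _tlv(OID, OID_SHA1_RSA) + _tlv(NULL, b""))
    return _tlv(SEQUENCE, info + sig_alg + _tlv(BIT_STRING, b"\x00" * 9))  # placeholder signature


def subject_attributes(der):
    """Walk CertificationRequest -> CertificationRequestInfo -> subject Name and
    return [(oid, value_tag, text)] for every AttributeTypeAndValue."""
    tag, req, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("CertificationRequest is not a SEQUENCE")
    _, info, _ = _read_tlv(req, 0)
    _, _, pos = _read_tlv(info, 0)        # skip version INTEGER
    _, subject, _ = _read_tlv(info, pos)  # subject Name = SEQUENCE OF RDN
    out, p = [], 0
    while p < len(subject):
        _, rdn, p = _read_tlv(subject, p)  # RDN = SET OF AttributeTypeAndValue
        q = 0
        while q < len(rdn):
            _, atv, q = _read_tlv(rdn, q)
            _, oid, r = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, r)
            out.append((_oid_to_str(oid), vtag, value.decode("utf-8", "replace")))
    return out


def unsupported_directory_strings(attrs):
    """Attributes a DirectoryString-only parser, like the quoted pkcs10.py, rejects."""
    return [a for a in attrs if a[1] not in DIRECTORY_STRING_TAGS]


if __name__ == "__main__":
    for newhdr in (False, True):
        pem = der_to_pem(build_csr("test.domain.com", "admin@domain.com"), newhdr)
        attrs = subject_attributes(pem_to_der(pem))
        print(csr_label(pem), attrs, unsupported_directory_strings(attrs))
```

Run as a script it prints the same subject for both PEM labels and flags the emailAddress value (tag 0x16, IA5String) as the one a DirectoryString-only CHOICE cannot decode. To check a real request, replace the constructed CSR with the output of `openssl req -new` (with or without -newhdr) read from a file; the parser only looks at the subject and ignores the key and signature.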