[Freeipa-users] Failure decoding Certificate Signing Request

Thomson, Ryan ryan.thomson at ubc.ca
Tue Oct 29 21:54:54 UTC 2013


> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Thomson, Ryan
> Sent: Friday, October 25, 2013 11:17 AM
> To: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request

[snip]

> > > I'm not sure what to make of this.
> >
> > This is just more confirmation that the IPA framework is trying to
> > initialize NSS for some reason. It should never do this which is why
> > it is failing so spectacularly.
> >
> > Can you provide nss.conf and ipa.conf from /etc/httpd/conf.d?
> >
> > Who owns and what are the permissions of /etc/httpd/alias/*.db?
> >
> > thanks
> >
> > rob

[snip]

After further troubleshooting and trying too many crazy things, I was finally able to "hack" FreeIPA into renewing the certificates. Behold the terrible hack, it is quite awful and certainly not an actual fix.

During my troubleshooting, I kept coming back to the getpass EOFError:

[Sat Sep 28 03:48:17 2013] [error] /usr/lib64/python2.6/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
[Sat Sep 28 03:48:17 2013] [error]   passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:17 2013] [error] Warning: Password input may be echoed.
[Sat Sep 28 03:48:17 2013] [error] Enter password for internal: 
[Sat Sep 28 03:48:17 2013] [error] exception in PK11 password callback
[Sat Sep 28 03:48:17 2013] [error] Traceback (most recent call last):
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib/python2.6/site-packages/ipapython/nsslib.py", line 230, in password_callback
[Sat Sep 28 03:48:18 2013] [error]     return getpass.getpass("Enter password for %s: " % slot.token_name);
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 83, in unix_getpass
[Sat Sep 28 03:48:18 2013] [error]     passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 118, in fallback_getpass
[Sat Sep 28 03:48:18 2013] [error]     return _raw_input(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 135, in _raw_input
[Sat Sep 28 03:48:18 2013] [error]     raise EOFError
[Sat Sep 28 03:48:18 2013] [error] EOFError

So eventually I found my way into /usr/lib/python2.6/site-packages/ipapython/nsslib.py and the getpass password_callback function. Instead of allowing the password_callback() to return "getpass.getpass("Enter password for %s: " % slot.token_name);", which was raising the EOFError exception, I simply returned the text string from /etc/httpd/alias/password.conf! 

From what little I know about python and coding in general, it seems that getpass was trying to read the NSS DB password from somewhere but was reading nothing instead and thus raising EOFError.

I'm not sure what to do about a permanent fix as maintaining the NSS DB password in a source file does seem rather insecure. Given the above, what does a permanent fix actually look like? Is the getpass callback function broken or is my environment broken?

--Ryan
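As an added illustration (not code from this thread, from FreeIPA or from python-nss) of the shape a non-prompting callback could take: the token password comes from a password.conf-style file rather than from the source, the file is refused if other local users can read it, and getpass is used only when a real terminal exists, so the EOFError seen under httpd becomes a clear error instead. The `token:password` line format, the file path and the "return None on retry" convention are assumptions; registering the function with python-nss is not shown.

```python
import os
import sys
import getpass

# Constructed sample in "token:password" syntax, standing in for the
# /etc/httpd/alias/password.conf mentioned in the thread (format assumed).
SAMPLE_PASSWORD_CONF = """\
# token passwords for mod_nss (constructed sample, not a real secret)
internal:Example-NSSDB-Passw0rd
NSS FIPS 140-2 Certificate DB:Another-Passw0rd
"""

def parse_password_conf(text):
    """Map token name -> password. Token names may contain spaces, so split on
    the first ':' only; blank lines and '#' comments are skipped."""
    passwords = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token, sep, password = line.partition(":")
        if not sep or not token.strip():
            raise ValueError("malformed password.conf line: %r" % line)
        passwords[token.strip()] = password
    return passwords

def mode_is_private(st_mode):
    """True when the file grants nothing to group/other (0600 or stricter)."""
    return (st_mode & 0o077) == 0

def load_password_conf(path):
    """Read the file, refusing one that other local users could read."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        raise PermissionError("%s is group/other readable (mode %o)" % (path, st.st_mode & 0o777))
    with open(path) as fh:
        return parse_password_conf(fh.read())

def token_password(token_name, retry, passwords, interactive=None):
    """Answer from the password map; prompt only on a terminal; otherwise fail
    loudly instead of letting getpass hit EOF as in the traceback above."""
    if retry:  # NSS rejected the password: give up rather than resend it forever
        return None
    if token_name in passwords:
        return passwords[token_name]
    if interactive is None:
        interactive = sys.stdin.isatty()
    if interactive:
        return getpass.getpass("Enter password for %s: " % token_name)
    raise RuntimeError("no password for token %r and no terminal to prompt on" % token_name)
```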