Jan Cholasta wrote:
On 16.6.2011 15:12, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 14.6.2011 15:16, Rob Crittenden wrote:
Jan Cholasta wrote:
On 6.6.2011 21:25, Rob Crittenden wrote:
Jan Cholasta wrote:
On 26.4.2011 22:52, Rob Crittenden wrote:
The goal is to not import foreign certificates.

This caused a bunch of tests to fail because we had a hardcoded
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test

ticket 1134



The certificate isn't verified in host-add.

I suspect that certificates signed by an intermediate CA (i.e. when
certificate chain length > 2) are considered invalid. Is that the
desired behavior?

That will work as long as the issuer is the IPA CA. I see that if we
given a service cert issued by another CA in the chain things
could go
badly. I'm not sure this is something to really worry about though.

I guess it's not. But I'd like a second opinion on that.

We really only want to support those certs we issue otherwise things
like revocation get tricky, because we can't manage things we don't

make-testcert fails with:

Traceback (most recent call last):
File "./make-testcert", line 126, in <module>
File "./make-testcert", line 105, in makecert
File "./make-testcert", line 66, in run
result = self.execute(method, *args, **options)
File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in
raise error #pylint: disable=E0702
ipalib.errors.CommandError: unknown command 'cert_request'

This is probably an error on my part (tried running in on both my
machine without IPA installed and on VM with IPA installed with no
luck), but nonetheless it should be fixed to fail gracefully so
tests in "make test" have a chance to run. Similarly, the tests
use the test certificate created by make-testcert should be
skipped if
the certificate isn't available.

You need to take the certificate databases from a self-signed
and copy them to ~/.ipa/alias/ in order to do certificate testing.
is documentation on how to do this in tests/test_xmlrpc/test_cert.py

I think this should be mandatory as certificates are a main
feature of

No matter what I do, I'm still getting the unknown command error. Can
you describe the steps needed to make make-testcert successfully run?

BTW, it would be nice if "make test" printed an informational message
when the requirements to run the tests aren't met instead of failing
with some random error.

You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
comment out the xmlrpc_uri. This is now caught by the script.


These tests fail:

test_host[19]: service_mod: Update
u'HTTP/testhost1.idm.lab.bos.redhat....@idm.lab.bos.redhat.com' ...
test_host[20]: service_show: Retrieve
u'HTTP/testhost1.idm.lab.bos.redhat....@idm.lab.bos.redhat.com' to
verify update ... FAIL

because they expect the CN to be puma.greyoak.com. I'm not sure if this
issue is in the scope of this patch - if it's not, then ACK.

I'll fix them up.




pushed to master and ipa-2-0

Freeipa-devel mailing list

Reply via email to