Martin Kosek wrote:
On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote:
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

https://fedorahosted.org/freeipa/ticket/1251

See the ticket for testing suggestions.

rob

I have found some issues with the patch:

1) Man page:
- missing man file in man folder's Makefile.am
- missing man file in the spec ->  man is not installed

Yeah, I realized that after I submitted it.


2) Missing ipa-ca-install in install/po/Makefile.in

Oh, ipa-dns-install is missing too, I'll fix it.


3) ipa-ca-install:
- expand_info, read_info, get_host_name or install_ca: functions are
copied from ipa-replica-install tool. Having a lot of redundant code
leads to the dark side. Calling these functions from a common library
seems more convenient to me.

Yeah, I'll see about pulling some of that into installutils.py. install_ca is different depending on context though, I'll have to see how complex the conditionals become if I combine them.


4) man ipa-ca-install:

+\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR

is not consistent with

+\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=
\fIADMIN_PASSWORD\fR

(missing DM_PASSWORD placeholder after "-p")

Ok, we'll need to check the ipa-replica-install man page too, I based this on that.



5) Now the real problem - when I am installing a replica I got a strange
error:

# ipa-replica-install /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca -w secret123
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master
'vm-099.idm.lab.bos.redhat.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos (88): OK
    PKI-CA: Directory Service port (7389): OK
    PKI-CA: Agent secure port (9443): OK
    PKI-CA: EE secure port (9444): OK
    PKI-CA: Admin secure port (9445): OK
    PKI-CA: EE secure client auth port (9446): OK
    PKI-CA: Unsecure port (9180): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica
'vm-060.idm.lab.bos.redhat.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos (88): OK
    PKI-CA: Directory Service port (7389): OK
    PKI-CA: Agent secure port (9443): OK
    PKI-CA: EE secure port (9444): OK
    PKI-CA: Admin secure port (9445): OK
    PKI-CA: EE secure client auth port (9446): OK
    PKI-CA: Unsecure port (9180): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
   [3/3]: restarting directory server
done configuring pkids.
creation of replica failed: Incorrect padding

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


/var/log/ipareplica-install.log:
...
2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a
2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

2011-06-23 08:37:35,908 DEBUG stderr=
2011-06-23 08:37:35,914 DEBUG Incorrect padding
   File "/usr/sbin/ipa-replica-install", line 560, in <module>
     main()
   File "/usr/sbin/ipa-replica-install", line 502, in main
     (CA, cs) = install_ca(config)
   File "/usr/sbin/ipa-replica-install", line 173, in install_ca
     cs.load_pkcs12()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 325, in load_pkcs12
     self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 449, in get_cert_from_db
     dercert = base64.b64decode(cert)
   File "/usr/lib64/python2.7/base64.py", line 76, in b64decode
     raise TypeError(msg)


Any idea what could cause this? This was run on clean VMs with your
patch on top of master branch.

It means that the blob I ended up with wasn't properly base64-encoded. It could mean I missed a header/footer or something else. I'll see if I can reproduce.

thanks

rob
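
An added example, not part of the thread or of the FreeIPA code: it shows one of the causes Rob names, a PEM header/footer left in the text handed to base64.b64decode, next to a strict PEM-to-DER conversion. It is written for Python 3, where the failure is raised as binascii.Error rather than the TypeError in the traceback; the sample data and the function names naive_decode_error and pem_to_der are assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed sample: 48 arbitrary bytes standing in for a DER certificate,
# PEM-armoured with CRLF line endings. This is not a real certificate.
SAMPLE_DER = bytes(range(48))
B64_BODY = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(B64_BODY[i:i + 32] for i in range(0, len(B64_BODY), 32))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def naive_decode_error(text):
    """Decode the whole armoured text; return the error message, or None."""
    try:
        # By default b64decode silently drops characters outside the base64
        # alphabet ('-', CR, LF, space) but keeps the letters of the
        # BEGIN/END markers as data, which breaks the 4-character grouping.
        base64.b64decode(text)
    except binascii.Error as exc:
        return str(exc)
    return None


def pem_to_der(text):
    """Return the DER bytes of the first certificate block in text."""
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Remove CR, LF and other whitespace, then decode strictly so that any
    # remaining stray character is reported instead of being ignored.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    print("naive decode error:", naive_decode_error(SAMPLE_PEM))
    print("strict decode matches:", pem_to_der(SAMPLE_PEM) == SAMPLE_DER)
```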
