On Thu, 2011-06-23 at 17:00 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote:
> >>> A dogtag replica file is created as usual. When the replica is installed
> >>> dogtag is optional and not installed by default. Adding the --setup-ca
> >>> option will configure it when the replica is installed.
> >>>
> >>> A new tool ipa-ca-install will configure dogtag if it wasn't configured
> >>> when the replica was initially installed.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1251
> >>>
> >>> See the ticket for testing suggestions.
> >>>
> >>> rob
> >>
> >> I have found some issues with the patch:
> >>
> >> 1) Man page:
> >> - missing man file in man folder's Makefile.am
> >> - missing man file in the spec -> man is not installed
> >
> > Yeah, I realized that after I submitted it.
> >
> >> 2) Missing ipa-ca-install in install/po/Makefile.in
> >
> > Oh, ipa-dns-install is missing too, I'll fix it.
> >
> >> 3) ipa-ca-install:
> >> - expand_info, read_info, get_host_name or install_ca: functions are
> >> copied from the ipa-replica-install tool. Having a lot of redundant code
> >> leads to the dark side. Calling these functions from a common library
> >> seems more convenient to me.
> >
> > Yeah, I'll see about pulling some of that into installutils.py.
> > install_ca is different depending on context though, I'll have to see
> > how complex the conditionals become if I combine them.
> >
> >> 4) man ipa-ca-install:
> >>
> >> +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
> >>
> >> is not consistent with
> >>
> >> +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
> >>
> >> (missing DM_PASSWORD placeholder after "-p")
> >
> > Ok, we'll need to check the ipa-replica-install man page too, I based
> > this on that.
> >
> >> 5) Now the real problem - when I am installing a replica I got a strange
> >> error:
> >>
> >> # ipa-replica-install /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca -w secret123
> >> Directory Manager (existing master) password:
> >>
> >> Run connection check to master
> >> Check connection from replica to remote master 'vm-099.idm.lab.bos.redhat.com':
> >> Directory Service: Unsecure port (389): OK
> >> Directory Service: Secure port (636): OK
> >> Kerberos (88): OK
> >> PKI-CA: Directory Service port (7389): OK
> >> PKI-CA: Agent secure port (9443): OK
> >> PKI-CA: EE secure port (9444): OK
> >> PKI-CA: Admin secure port (9445): OK
> >> PKI-CA: EE secure client auth port (9446): OK
> >> PKI-CA: Unsecure port (9180): OK
> >>
> >> Connection from replica to master is OK.
> >> Start listening on required ports for remote master check
> >> Get credentials to log in to remote master
> >> Execute check on remote master
> >> Check connection from master to remote replica 'vm-060.idm.lab.bos.redhat.com':
> >> Directory Service: Unsecure port (389): OK
> >> Directory Service: Secure port (636): OK
> >> Kerberos (88): OK
> >> PKI-CA: Directory Service port (7389): OK
> >> PKI-CA: Agent secure port (9443): OK
> >> PKI-CA: EE secure port (9444): OK
> >> PKI-CA: Admin secure port (9445): OK
> >> PKI-CA: EE secure client auth port (9446): OK
> >> PKI-CA: Unsecure port (9180): OK
> >>
> >> Connection from master to replica is OK.
> >>
> >> Connection check OK
> >> Configuring ntpd
> >> [1/4]: stopping ntpd
> >> [2/4]: writing configuration
> >> [3/4]: configuring ntpd to start on boot
> >> [4/4]: starting ntpd
> >> done configuring ntpd.
> >> Configuring directory server for the CA: Estimated time 30 seconds
> >> [1/3]: creating directory server user
> >> [2/3]: creating directory server instance
> >> [3/3]: restarting directory server
> >> done configuring pkids.
> >> creation of replica failed: Incorrect padding
> >>
> >> Your system may be partly configured.
> >> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>
> >>
> >> /var/log/ipareplica-install.log:
> >> ...
> >> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a
> >> 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE-----
> >> -----END CERTIFICATE-----
> >>
> >> 2011-06-23 08:37:35,908 DEBUG stderr=
> >> 2011-06-23 08:37:35,914 DEBUG Incorrect padding
> >>   File "/usr/sbin/ipa-replica-install", line 560, in <module>
> >>     main()
> >>
> >>   File "/usr/sbin/ipa-replica-install", line 502, in main
> >>     (CA, cs) = install_ca(config)
> >>
> >>   File "/usr/sbin/ipa-replica-install", line 173, in install_ca
> >>     cs.load_pkcs12()
> >>
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 325, in load_pkcs12
> >>     self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
> >>
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 449, in get_cert_from_db
> >>     dercert = base64.b64decode(cert)
> >>
> >>   File "/usr/lib64/python2.7/base64.py", line 76, in b64decode
> >>     raise TypeError(msg)
> >>
> >>
> >> Any idea what could cause this? This was run on clean VMs with your
> >> patch on top of the master branch.
> >
> > It means that the blob I ended up with wasn't properly base64-encoded.
> > It could mean I missed a header/footer or something else. I'll see if I
> > can reproduce.
>
> I think I've addressed all your concerns. I wasn't able to reproduce the
> crash but I can see what caused it: we passed in a cert with a
> header/footer to base64.b64decode(). I added a call to
> x509.strip_header() which should fix it up.
>
> rob
Yep, it fixed the Incorrect padding error. I successfully tested certificate
operations (cert-request, cert-show) on a replica, and both CA replication
(when the CA was installed on the replica) and CA operation redirection worked
fine.

I have just one certificate-related issue:

1) When the CA on a replica was installed using ipa-ca-install and not
ipa-replica-install REPLICA_FILE --setup-ca, the certificate serial number in
the cert-request operation was from the same number range. In my case it was
s.no. 22 after ipa-ca-install and 268369922 in the ipa-replica-install
--setup-ca scenario.

Then I found some more minor documentation issues:

2) man ipa-ca-install
- wrong formatting in --debug option - entire line is bold
- description on the first line needs to be fixed

3) man ipa-replica-install
- missing setup-ca option

To sum it up, when these 3 issues are fixed I think the patch is ready to be
acked.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
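The "Incorrect padding" crash quoted in this thread, reproduced and fixed as an added example that is not part of the FreeIPA patch or the mailing-list posts: a constructed PEM blob with CRLF line endings (the ^M in the log) is fed whole to base64.b64decode(), then decoded again after the armor is stripped the way the x509.strip_header() fix does. FAKE_DER, SAMPLE_PEM and all function names are my own; FAKE_DER is not a real certificate.

```python
import base64
import binascii
import re

# Constructed stand-in for the DER certificate certutil prints (NOT a real cert):
# starts with the DER SEQUENCE tag 0x30, 90 bytes long (a multiple of 3), so its
# base64 form has no '=' padding, just like the blob in the log above.
FAKE_DER = bytes(range(0x30, 0x30 + 90))


def to_pem(der: bytes) -> str:
    """Wrap DER in PEM armor, 64-char lines, CRLF endings (the ^M in the log)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


SAMPLE_PEM = to_pem(FAKE_DER)  # constructed 'certutil -L -a' style output


def reproduce_error(pem: str) -> str:
    """The unfixed path: hand the whole armored blob to b64decode.

    The letters of BEGINCERTIFICATE/ENDCERTIFICATE (30 chars) pass the decoder's
    non-alphabet filter, so the data length is not a multiple of 4 and the
    decoder reports 'Incorrect padding'. Returns the message, '' on success.
    """
    try:
        base64.b64decode(pem)
    except binascii.Error as exc:  # Python 2's base64 raised TypeError instead
        return str(exc)
    return ""


def strip_header(pem: str) -> str:
    """Keep only the base64 body between the armor lines (the idea behind the fix)."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM armor found")
    return "".join(m.group(1).split())  # also drops the CR/LF line endings


def decode_pem_cert(pem: str) -> bytes:
    """Strip the armor, decode strictly, and check the result looks like DER."""
    der = base64.b64decode(strip_header(pem), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded blob does not start with a DER SEQUENCE tag")
    return der
```

The strict decode (validate=True) plus the SEQUENCE-tag check means a stray header, a truncated blob or a non-certificate blob fails loudly at the decode step instead of surfacing later as a confusing padding error deep in the installer.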