Martin Kosek wrote:
On Wed, 2012-03-07 at 16:50 -0500, Rob Crittenden wrote:
I discovered today that cert-request was failing with an untrusted CA error.

The problem had to do with the NSS no_init patch. We were setting dbdir
in the connection object too soon so it was comparing itself to itself
and always determined that NSS was initialized just fine. This needs to
be moved after the check.

To test this you need a master, a replica and a client with DNS set up
and SRV records for both servers.

You need two or more servers so we run the ping() test. This is where
the client was failing before. What would happen is this:

- initialize NSS
- run ping() against a server
- prepare request
- initialize NSS
- FAIL

That second initialization isn't needed and is correctly caught by the
code with this patch.

You need to test that a client enrollment works and that ipa
cert-request works.

cert-request was failing because we initialize NSS with nodb so we can
load the CSR for validation. Because dbdir was set too early in the
connection we were getting no_init set improperly and nss_shutdown()
wasn't being called.

rob

Works for me, ACK.

Please enhance testing instructions in the ticket. I had some issues
reproducing the problem myself, but your advice sent off-list helped me.
This should be enough.

Martin



pushed to master and ipa-2-2
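
The ordering bug Rob describes above, as an added illustration (example code, not FreeIPA's or python-nss's own): a small Python model in which a connection object decides whether NSS is already initialised for its dbdir. FakeNSS, Connection, the three mode names and the path /etc/ipa/nssdb are assumptions of the model; the client-enrolment and cert-request sequences follow the steps listed in the thread. The point is that a check of the form "is NSS already up with my dbdir?" that runs after self.dbdir has been overwritten with the new value compares the value with itself and is true whenever NSS is up with anything, including the nodb session used to parse the CSR.

```python
"""Model of the NSS no_init ordering bug from the thread.

Added example, not FreeIPA or python-nss code.  FakeNSS, Connection and
all method names are hypothetical stand-ins; the real binding and ipalib differ.
"""


class NSSInitError(Exception):
    """nss_init() called while NSS is already up (the FAIL step in the thread)."""


class FakeNSS:
    """One global NSS session: down, up with a certificate database directory,
    or up with no database ("nodb", as used when only a CSR must be parsed)."""

    def __init__(self):
        self.initialized = False
        self.dbdir = None      # trust-store directory, or "nodb"
        self.calls = []        # audit trail of what the model actually did

    def init(self, dbdir):
        if self.initialized:
            raise NSSInitError("NSS already initialized")
        self.initialized, self.dbdir = True, dbdir
        self.calls.append(("init", dbdir))

    def init_nodb(self):
        self.init("nodb")

    def shutdown(self):
        self.calls.append(("shutdown", self.dbdir))
        self.initialized, self.dbdir = False, None

    def verify_server_cert(self, ca_dbdir):
        """Constructed stand-in for the TLS handshake: the server's CA is
        trusted only if NSS is up with the database that contains it."""
        if self.dbdir != ca_dbdir:
            raise ValueError("untrusted CA")
        return True


class Connection:
    """Client RPC connection.  It records which dbdir it last brought NSS up
    with, because the binding only answers "is NSS initialised?" with a bool.

    mode "none":  no check, init unconditionally (pre-patch behaviour)
    mode "buggy": check runs after self.dbdir is overwritten
    mode "fixed": check runs before self.dbdir is overwritten
    """

    def __init__(self, nss, mode):
        self.nss, self.mode = nss, mode
        self.dbdir = None
        self.owns_session = False   # did *this* connection call init()?

    def connect(self, dbdir):
        if self.mode == "none":
            self.dbdir = dbdir
            self.nss.init(dbdir)    # second call raises NSSInitError
            self.owns_session = True
            return
        if self.mode == "buggy":
            # Bug: attribute assigned first, so the comparison is dbdir == dbdir
            # and is true whenever NSS is up with anything at all.
            self.dbdir = dbdir
            no_init = self.nss.initialized and self.dbdir == dbdir
        else:
            # Fix: compare with the dbdir from the previous connect(), then record.
            no_init = self.nss.initialized and self.dbdir == dbdir
            self.dbdir = dbdir
        if no_init:
            return                  # reuse the session this object set up earlier
        if self.nss.initialized:
            self.nss.shutdown()     # e.g. a leftover nodb session from CSR parsing
        self.nss.init(dbdir)
        self.owns_session = True

    def call(self, ca_dbdir):
        return self.nss.verify_server_cert(ca_dbdir)

    def disconnect(self):
        if self.owns_session:       # only tear down what we set up ourselves
            self.nss.shutdown()
            self.owns_session = False


DBDIR = "/etc/ipa/nssdb"            # assumed client trust-store path


def run_client_enrollment(mode):
    """Client flow from the thread: init NSS, ping(), prepare request, init again."""
    nss = FakeNSS()
    conn = Connection(nss, mode)
    try:
        conn.connect(DBDIR)         # initialize NSS, run ping()
        conn.call(DBDIR)
        conn.connect(DBDIR)         # prepare request: is a second init needed?
        conn.call(DBDIR)
        conn.disconnect()
        return "ok", nss.calls
    except NSSInitError as e:
        return str(e), nss.calls


def run_cert_request(mode):
    """ipa cert-request: NSS is first up with no database to load the CSR,
    then the RPC connection needs the real trust store."""
    nss = FakeNSS()
    nss.init_nodb()                 # CSR validation
    conn = Connection(nss, mode)
    try:
        conn.connect(DBDIR)
        conn.call(DBDIR)
        result = "ok"
    except (NSSInitError, ValueError) as e:
        result = str(e)
    conn.disconnect()
    return result, nss.initialized, nss.calls


if __name__ == "__main__":
    for m in ("none", "buggy", "fixed"):
        print(m, run_client_enrollment(m), run_cert_request(m))
```

In this model the ping-then-request sequence passes with either ordering of the check, so it does not distinguish the two; the nodb-then-dbdir sequence of cert-request does. With the assignment first, the connection keeps the nodb session, the CA lookup fails, and no shutdown is ever recorded, which is the chain of symptoms described above. With the assignment moved after the check, the leftover nodb session is shut down, NSS is brought up with the trust store, and the session is torn down afterwards.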

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel