On 25.7.2012 16:01, Rob Crittenden wrote:
Petr Viktorin wrote:
On 07/23/2012 10:03 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Andrew Wnuk wrote:
On 07/16/2012 01:35 PM, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).

Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere?  Or is it not turning out to be a problem if they

I didn't test validating OCSP signatures but the audit subsystem
seemed fine (it complained wildly when I had the wrong trust in the
NSS db).

Andrew, do I need to update CS.cfg as well?

Yes, you may need to update CS.cfg too.

Ok, added a bit to update CS.cfg with the new certificate.

This should fix some SELinux issues preventing certmonger from
monitoring the dogtag certificate database in /var/lib/pki-ca/alias.


I don't know enough about dogtag/certmonger to comment on the
functionality, but there are minor issues I can find. Attaching a patch
to fix them.

`make rpms` fails:

rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
error: %changelog not in descending chronological order
make: *** [rpms] Error 1

`git am` complains:

Applying: Use certmonger to renew CA subsystem certificates
/home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at
/home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at
warning: 2 lines add whitespace errors.

Thanks, integrated this patch and added a missing script, renew_ipacert.



First, a question: I haven't tested this (yet), but what happens when someone uses the --{dirsrv,http,pkinit}_pkcs12 options of ipa-server-install/ipa-replica-prepare? (There are also other options which I suspect may cause trouble, namely --subject and --selfsign.)

install/restart_scripts/renew_ra_cert doesn't seem to be used anywhere.

ipa-replica-install --setup-ca fails with:

  [13/15]: configure clone certificate renewals

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"


2012-07-25T11:49:17Z DEBUG args=/usr/bin/certutil -L -d /etc/httpd/alias -n ipaCert
2012-07-25T11:49:17Z DEBUG stdout=
2012-07-25T11:49:17Z DEBUG stderr=certutil: Could not find cert: ipaCert
: File not found

2012-07-25T11:49:17Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 604, in run_script
    return_value = main_function()
  File "/sbin/ipa-replica-install", line 446, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1265, in install_replica_ca
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 554, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 261, in start_creation
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1158, in configure_clone_renewal
    certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'restart_httpd')
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 364, in dogtag_start_tracking
    raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))

2012-07-25T11:49:17Z INFO The ipa-replica-install command failed, exception: RuntimeError: Nickname "ipaCert" doesn't exist in NSS database "/etc/httpd/alias"

(ipa-ca-install doesn't seem to suffer from the above issue.)

On clones, the CN=IPA RA,O=REALM certificate is tracked with post-save command '/usr/lib64/ipa/certmonger/restart_httpd "ipaCert"', but restart_httpd does not take any arguments (it does not break anything, it's just weird).

Comments on individual files follow:


Missing closing parenthesis:

+EXTRA_DIST =                            \
+        $(app_SCRIPTS                   \


Typo ("nicknamd"):

+# We cheat and pass in the nicknamd as the CA profile to execute against.

Are these guaranteed to be upper-case? I'd put operation.upper() here, just to be on the safe side:

+if operation not in ['SUBMIT', 'POLL']:
+    sys.exit(6) # unsupported operation

This except block is not necessary; unhandled exceptions are caught in the except block lower in the code:

+        sys.exit(5)
+    except Exception, e:
+        # Unhandled error
+        sys.exit(3)
+    finally:
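Review bot: `except Exception, e:` binds `e` but never uses it, and the bare `sys.exit(3)` discards the traceback, so a certmonger helper exiting with code 3 gives nothing to diagnose. If the block is kept rather than dropped as suggested above, log the exception before exiting; if it is dropped, check that the outer handler still maps unhandled errors to exit code 3 rather than the code-5 path just above it.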


You import and initialize api, but then don't use it.


All these scripts could use more exception handling, but I guess potential bugs can be sorted out later.


The ACIs are wrong (Kerberos principal instead of LDAP URI in userdn; in 40-delegation.update it is done right).


This is ugly:

+        if sys.maxsize > 2**32:
+            libpath = 'lib64'
+        else:
+            libpath = 'lib'
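Review bot: `sys.maxsize > 2**32` tests the pointer width of the interpreter running the script, not where the distribution installs libraries, so a 32-bit Python on a multilib host, or a distribution that has no lib64 directory at all, yields the wrong path. Prefer a value fixed at packaging time (rpm's `%{_libdir}` is available to freeipa.spec) or a single configured constant shared with the other places that hard-code `/usr/lib64/ipa/certmonger/...`, instead of deriving the directory at runtime.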

Is it safe to show the PIN in "getcert -P <PIN>" in logs? If not, please add an appropriate nolog argument to ipautil.run.


Can't we pick one name for pki-cad/pki_cad and use only that?


Please use tabs here instead of spaces:

+        class file read;
+        class file getattr;
+        class file open;
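Review bot: if these sit in a `require` block, the three separate `class file ...;` lines can be collapsed into one `class file { read getattr open };` declaration, which is the form checkmodule and audit2allow emit and makes the full permission set for the class visible at a glance.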

(to be continued)


Jan Cholasta

Freeipa-devel mailing list
