On 10/04/2012 06:17 PM, Rob Crittenden wrote: > This changes the way IPA generates CRLs for new installs only. > > The first master installed is configured as the CRL generator. An entry is > added to cn=masters that designates it. > > When a replica is installed it queries this entry so it knows where to forward > CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will > return not found). It is possible to get a CRL directly from the clone CA via > http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL > > rob
I tested new IPA server + replica with your patch and the CRL was now generated only on the CRL master. I also tried OCSP (though this may not be relevant) and it worked for me too. 1) I do not understand the following block in set_crl_master(self, suffix): + try: + self.admin_conn.addEntry(entry) + except ldap.ALREADY_EXISTS, e: + root_logger.debug("failed to set CA as CRL generator") + raise e - when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL is set, right? - AFAIK, addEntry should return our errors, i.e. errors.DuplicateEntry - s/raise e/raise/ I think you may have wanted to rather catch for more general LDAP error and then report a real error and not just a debug note. 2) In get_crl_master: + except Exception, e: + root_logger.debug("Could not connect to the Directory Server on %s: %s" % (master_host, str(e))) + raise e s/raise e/raise/ + except errors.NotFound, e: + root_logger.debug("failed to find CA CRL generator") + self.crl_master = None - e is actually not used, "except errors.NotFound" would be enough 3) Majorish issue I hit with the actual CRL publishing on our server (F17). I always get 403 Forbidden error when trying to download CRL from the CRL master: # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin --2012-10-05 03:32:58-- https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120 Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected. HTTP request sent, awaiting response... 403 Forbidden 2012-10-05 03:32:58 ERROR 403: Forbidden. I tracked the problem down to too strict permission on /var/lib/pki-ca directory which is being published by httpd which does not have access to it: # ll /var/lib/pki-ca drwxrwx---. 11 pkiuser pkiuser 4096 Oct 5 03:00 pki-ca When I fixed the permission: # chmod o+x /var/lib/pki-ca/ I was able to get pass the Forbidden error and actually retrieved the CRL. Adding Ade on CC list to follow on this permission issue. I was thinking about usability of this new approach, we may want to make user life easier in a perspective of CRL master managing. I have following enhancements in mind: - mark CRL master in ipa-replica-manage list, or ipa-csreplica-manage list: # ipa-csreplica-manage list Directory Manager password: vm-065.idm.lab.bos.redhat.com: master [CRL] vm-120.idm.lab.bos.redhat.com: master - when removing master with CRL by "ipa-replica-manage del" we should warn user and inform him what he should do next to amend the situation. I am thinking about 2 new commands for ipa-csreplica-manage: * ipa-csreplica-manage crl-promote - promote current master as the new CRL master, enable CRL generation in CS.cfg, mark master as the new CRL master in cn=masters * ipa-csreplica-manage crl-update - update CS.cfg of current CA replica and point master.ca.agent.* to current CRL master I can work on those enhancements if we agree on them. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel