On 10/10/2012 12:46 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 10/09/2012 04:43 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On 10/04/2012 06:17 PM, Rob Crittenden wrote:
>>>>>> This changes the way IPA generates CRLs for new installs only.
>>>>>>
>>>>>> The first master installed is configured as the CRL generator. An
>>>>>> entry is
>>>>>> added to cn=masters that designates it.
>>>>>>
>>>>>> When a replica is installed it queries this entry so it knows where
>>>>>> to forward
>>>>>> CRL requests. CRL files are not available on cloned CAs (so
>>>>>> /ipa/crl will
>>>>>> return not found). It is possible to get a CRL directly from the
>>>>>> clone CA via
>>>>>> http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>>>>>
>>>>>>
>>>>>> rob
>>>>>
>>>>> I tested new IPA server + replica with your patch and the CRL was
>>>>> now generated
>>>>> only on the CRL master. I also tried OCSP (though this may not be
>>>>> relevant) and
>>>>> it worked for me too.
>>>>>
>>>>> 1) I do not understand the following block in set_crl_master(self,
>>>>> suffix):
>>>>>
>>>>> +        try:
>>>>> +            self.admin_conn.addEntry(entry)
>>>>> +        except ldap.ALREADY_EXISTS, e:
>>>>> +            root_logger.debug("failed to set CA as CRL generator")
>>>>> +            raise e
>>>>>
>>>>> - when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL
>>>>> is set,
>>>>> right?
>>>>> - AFAIK, addEntry should  return our errors, i.e. errors.DuplicateEntry
>>>>> - s/raise e/raise/
>>>>>
>>>>> I think you may have wanted to catch a more general LDAP error instead
>>>>> and then report a real error, not just a debug note.
>>>>>
>>>>> 2) In get_crl_master:
>>>>>
>>>>> +        except Exception, e:
>>>>> +            root_logger.debug("Could not connect to the Directory
>>>>> Server on
>>>>> %s: %s" % (master_host, str(e)))
>>>>> +            raise e
>>>>>
>>>>> s/raise e/raise/
>>>>>
>>>>> +        except errors.NotFound, e:
>>>>> +            root_logger.debug("failed to find CA CRL generator")
>>>>> +            self.crl_master = None
>>>>>
>>>>> - e is actually not used, "except errors.NotFound" would be enough
>>>>>
>>>>> 3) A majorish issue I hit with the actual CRL publishing on our server
>>>>> (F17): I always get a 403 Forbidden error when trying to download the
>>>>> CRL from the CRL master:
>>>>>
>>>>> # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
>>>>> --2012-10-05 03:32:58--  https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
>>>>> Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
>>>>> Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>> 2012-10-05 03:32:58 ERROR 403: Forbidden.
>>>>>
>>>>> I tracked the problem down to too-strict permissions on the
>>>>> /var/lib/pki-ca directory, which is being published by httpd, which
>>>>> does not have access to it:
>>>>>
>>>>> # ll /var/lib/pki-ca
>>>>>
>>>>> drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 03:00 pki-ca
>>>>>
>>>>> When I fixed the permission:
>>>>> # chmod o+x /var/lib/pki-ca/
>>>>>
>>>>> I was able to get past the Forbidden error and actually retrieved
>>>>> the CRL.
>>>>> Adding Ade on CC list to follow on this permission issue.
>>>>>
>>>>>
>>>>> I was thinking about the usability of this new approach; we may want
>>>>> to make users' lives easier from the perspective of CRL master
>>>>> management. I have the following enhancements in mind:
>>>>>
>>>>> - mark CRL master in ipa-replica-manage list, or
>>>>> ipa-csreplica-manage list:
>>>>>
>>>>> # ipa-csreplica-manage list
>>>>> Directory Manager password:
>>>>>
>>>>> vm-065.idm.lab.bos.redhat.com: master [CRL]
>>>>> vm-120.idm.lab.bos.redhat.com: master
>>>>>
>>>>> - when removing a master with CRL via "ipa-replica-manage del" we
>>>>> should warn the user and tell them what to do next to amend the
>>>>> situation. I am thinking about two new commands for
>>>>> ipa-csreplica-manage:
>>>>>
>>>>> * ipa-csreplica-manage crl-promote
>>>>>     - promote the current master to be the new CRL master, enable CRL
>>>>> generation in CS.cfg, mark the master as the new CRL master in cn=masters
>>>>> * ipa-csreplica-manage crl-update
>>>>>     - update CS.cfg of the current CA replica and point master.ca.agent.*
>>>>> to the current CRL master
>>>>>
>>>>> I can work on those enhancements if we agree on them.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Andrew provided some feedback out-of-band and my solution was overly
>>>> complex.
>>>> Here is a much simpler patch which does away with all the hand-waving
>>>> around
>>>> knowing who the CRL generator is.
>>>>
>>>> rob
>>>
>>> This looks OK code-wise, I will wait for dogtag guys to confirm that
>>> this is
>>> the right approach.
>>>
>>> Btw. I think we may want to file an RFE to implement some command to
>>> promote a replica to CRL master (like "ipa-csreplica-manage crl-promote"
>>> proposed earlier). Users may want to promote a replica when the master
>>> crashes or is to be replaced. Some way to migrate the CRL list (if not
>>> replicated already) to the promoted replica would also be needed.
>>>
>>> Martin
>>>
>>
>> Andrew suggested I specify that we do not monitor cloned revocations on
>> the server not generating CRLs, so I added that.
>>
>> The last question is what we do about redirecting users on the
>> non-generating masters.
>>
>> We can do it easily with a line like this in Apache:
>>
>> RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN:9444/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
>>
>> The tricky part is writing this properly. The CA can be added
>> post-install so I don't think simply adding this to ipa-rewrite.conf
>> will work well. Is adding another template configuration file for Apache
>> overkill?
>>
>> rob
> 
> Here is my WIP for auto-configuring redirect on clones. It works ok for me and
> isn't too invasive IMHO. The basic idea is to allow proxying of the getCRL
> servlet and redirect to that on requests to the clone server.
> 
> Browsing won't work, but you can fetch the MasterCRL.bin with:
> 
> # wget --ca-certificate=/etc/ipa/ca.crt http://replica.example.com/ipa/crl/MasterCRL.bin
> 
> diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
> index 20c0921..8c4f3a9 100644
> --- a/install/conf/ipa-pki-proxy.conf
> +++ b/install/conf/ipa-pki-proxy.conf
> @@ -3,7 +3,7 @@
>  ProxyRequests Off
> 
>  # matches for ee port
> -<LocationMatch
> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
> 
> +<LocationMatch
> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
> 
>      NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>      NSSVerifyClient none
>      ProxyPassMatch ajp://localhost:$DOGTAG_PORT
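Review bot: the new `^/ca/ee/ca/getCRL` alternative, like the existing ones, is anchored only at the start, so the match is on the path prefix and every operation the getCRL servlet accepts is proxied to `ajp://localhost:$DOGTAG_PORT`, not only `op=getCRL&crlIssuingPoint=MasterCRL`, and it is reached with `NSSVerifyClient none`, i.e. by anonymous clients. That is acceptable for a public CRL, but say so in the `# matches for ee port` comment so nobody later adds an agent-only servlet to this list; if you want to narrow it, `^/ca/ee/ca/getCRL$` still covers the redirect target, since LocationMatch sees only the path, not the query string.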
> @@ -25,3 +25,6 @@ ProxyRequests Off
>      ProxyPassMatch ajp://localhost:$DOGTAG_PORT
>      ProxyPassReverse ajp://localhost:$DOGTAG_PORT
>  </LocationMatch>
> +
> +# Only enable this on servers that are not generating a CRL
> +${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin
> https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
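Review bot: `R=301` makes the redirect permanent, and clients cache permanent redirects, so a clone that is later promoted to CRL generator (the `crl-promote` idea earlier in the thread) would still have its previous fetchers sent to the getCRL servlet instead of the published file; `R=302` costs nothing here and avoids that. Two smaller points: the substitution carries its own `?op=getCRL&crlIssuingPoint=MasterCRL` query string, so without `QSA` any query on the incoming request is dropped (fine for this URL, but worth a comment), and the rule only takes effect if `RewriteEngine on` is already in force for the main server context, which this file does not set. Since `${CLONE}` renders as `#` on the CRL generator, the comment line would be clearer as "the installer comments this rule out on the server that generates the CRL", so the generated file explains itself.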
> diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
> index 0ac895e..aabbba3 100644
> --- a/ipaserver/install/cainstance.py
> +++ b/ipaserver/install/cainstance.py
> @@ -1304,7 +1304,11 @@ class CAInstance(service.Service):
> 
>      def __http_proxy(self):
>          template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
> -        sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
> +        sub_dict = dict(
> +            DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
> +            CLONE='' if self.clone else '#',
> +            FQDN=self.fqdn,
> +        )
>          template = ipautil.template_file(template_filename, sub_dict)
>          with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
>              fd.write(template)
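Review bot: `__http_proxy()` is not the only place this template is rendered: ipa-upgradeconfig re-renders `ipa-pki-proxy.conf` with its own `sub_dict` (see the `KeyError: 'CLONE'` traceback that follows), so `CLONE` and `FQDN` must be added there as well, and the upgrade path has no `self.clone` to consult, so it needs another way to decide whether the host generates the CRL before choosing `''` or `'#'`. Also, `'' if self.clone else '#'` turns any falsy value, including an unset `None`, into "commented out"; checking that `self.clone` is set would make a misconfigured clone fail loudly instead of quietly returning not found for `/ipa/crl/MasterCRL.bin`.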

The approach looks OK, just please do not forget to also add CLONE to sub_dict
in ipa-upgradeconfig; it crashed when I was testing the change:

CRL tree already moved
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/sbin/ipa-upgradeconfig", line 601, in main
    upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
  File "/sbin/ipa-upgradeconfig", line 187, in upgrade
    update_conf(sub_dict, filename, template)
  File "/sbin/ipa-upgradeconfig", line 110, in update_conf
    template = ipautil.template_file(template_filename, sub_dict)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 228, in template_file
    return template_str(f.read(), vars)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 215, in template_str
    val = string.Template(txt).substitute(vars)
  File "/usr/lib64/python2.7/string.py", line 172, in substitute
    return self.pattern.sub(convert, self.template)
  File "/usr/lib64/python2.7/string.py", line 162, in convert
    val = mapping[named]
The ipa-upgradeconfig command failed, exception: KeyError: 'CLONE'
Unexpected error
KeyError: 'CLONE'

Martin
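As an added example that is not part of the thread or of FreeIPA's own code, the Python below reproduces the template substitution that ipautil.template_file() performs on ipa-pki-proxy.conf, using a trimmed, constructed template that imitates the posted hunk rather than the real file. It shows the ${CLONE} toggle rendering as an active RewriteRule on a clone and a commented-out one on the CRL generator, and the KeyError that ipa-upgradeconfig hit when its sub_dict lacked the new CLONE and FQDN keys, next to a render that lists every missing key up front. The AJP port and host names are illustrative.

```python
"""Render the ipa-pki-proxy.conf template for a CRL master and for a clone.

Added example, not FreeIPA code. It reproduces the substitution that
ipautil.template_file() performs with string.Template and exercises the two
things the thread turns on: the ${CLONE} comment toggle, which must render as
'' on clones and '#' on the CRL-generating master, and the KeyError that
ipa-upgradeconfig hit when its sub_dict lacked the new CLONE/FQDN keys.
"""
import string

# Constructed template: a trimmed imitation of the posted hunk, not the real
# /usr/share/ipa/ipa-pki-proxy.conf shipped by FreeIPA.
PROXY_TEMPLATE = """\
ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/getCertChain|^/ca/ocsp|^/ca/ee/ca/getCRL">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>

# Only enable this on servers that are not generating a CRL
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""


def template_keys(template):
    """Names that string.Template.substitute() will look up in the mapping."""
    names = set()
    for match in string.Template.pattern.finditer(template):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return names


def build_sub_dict(clone, fqdn, ajp_port):
    """The values the installer passes. CLONE comments the RewriteRule out on
    the CRL generator and leaves it active on clones."""
    return {
        "DOGTAG_PORT": str(ajp_port),
        "CLONE": "" if clone else "#",
        "FQDN": fqdn,
    }


def render_like_ipautil(template, sub_dict):
    """Plain substitution, as ipautil.template_str() does it: a missing key
    surfaces as a bare KeyError naming only the first placeholder hit."""
    return string.Template(template).substitute(sub_dict)


def render(template, sub_dict):
    """Same substitution, but check the mapping first so that a caller such as
    an upgrade script fails with every missing key listed, not one at a time."""
    missing = sorted(template_keys(template) - set(sub_dict))
    if missing:
        raise ValueError("template requires keys missing from sub_dict: %s"
                         % ", ".join(missing))
    return render_like_ipautil(template, sub_dict)


def crl_redirect_active(rendered):
    """True when the MasterCRL.bin redirect is live, i.e. not commented out."""
    return any(line.startswith("RewriteRule ^/ipa/crl/MasterCRL.bin")
               for line in rendered.splitlines())


def render_proxy_conf(clone, fqdn, ajp_port):
    """Render PROXY_TEMPLATE for one server; ajp_port is whatever the Dogtag
    instance listens on (the value used below is illustrative)."""
    return render(PROXY_TEMPLATE, build_sub_dict(clone, fqdn, ajp_port))


if __name__ == "__main__":
    master = render_proxy_conf(False, "master.example.com", 9447)
    clone = render_proxy_conf(True, "replica.example.com", 9447)
    print("master redirects:", crl_redirect_active(master))  # False
    print("clone redirects:", crl_redirect_active(clone))    # True
    try:
        # The upgrade-script case: sub_dict predates the new placeholders.
        render(PROXY_TEMPLATE, {"DOGTAG_PORT": "9447"})
    except ValueError as err:
        print(err)
```

The `${CLONE}` trick means the same template file serves both roles and the generated conf on the master literally contains `#RewriteRule ...`, so anyone reading /etc/httpd/conf.d can see the rule exists but is off; the cost is that every renderer of the template, installer and upgrader alike, must supply the key, which is exactly what the traceback above shows.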

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
