Martin Kosek wrote:
On 10/10/2012 05:29 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 10/10/2012 04:12 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 10/10/2012 12:46 AM, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On 10/09/2012 04:43 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 10/04/2012 06:17 PM, Rob Crittenden wrote:
This changes the way IPA generates CRLs for new installs only.

The first master installed is configured as the CRL generator. An
entry is
added to cn=masters that designates it.

When a replica is installed it queries this entry so it knows where
to forward
CRL requests. CRL files are not available on cloned CAs (so
/ipa/crl will
return not found). It is possible to get a CRL directly from the
clone CA via


I tested new IPA server + replica with your patch and the CRL was
now generated
only on the CRL master. I also tried OCSP (though this may not be
relevant) and
it worked for me too.

1) I do not understand the following block in set_crl_master(self,

+        try:
+            self.admin_conn.addEntry(entry)
+        except ldap.ALREADY_EXISTS, e:
+            root_logger.debug("failed to set CA as CRL generator")
+            raise e

- when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL
is set,
- AFAIK, addEntry should  return our errors, i.e. errors.DuplicateEntry
- s/raise e/raise/

I think you may have wanted to rather catch for more general LDAP
error and
then report a real error and not just a debug note.

2) In get_crl_master:

+        except Exception, e:
+            root_logger.debug("Could not connect to the Directory
Server on
%s: %s" % (master_host, str(e)))
+            raise e

s/raise e/raise/

+        except errors.NotFound, e:
+            root_logger.debug("failed to find CA CRL generator")
+            self.crl_master = None

- e is actually not used, "except errors.NotFound" would be enough

3) Majorish issue I hit with the actual CRL publishing on our server
(F17). I
always get 403 Forbidden error when trying to download CRL from the
CRL master:

# wget --ca-certificate /etc/ipa/ca.crt
--2012-10-05 03:32:58--
Connecting to||:443...
HTTP request sent, awaiting response... 403 Forbidden
2012-10-05 03:32:58 ERROR 403: Forbidden.

I tracked the problem down to too strict permission on /var/lib/pki-ca
directory which is being published by httpd which does not have
access to it:

# ll /var/lib/pki-ca

drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 03:00 pki-ca

When I fixed the permission:
# chmod o+x /var/lib/pki-ca/

I was able to get pass the Forbidden error and actually retrieved
the CRL.
Adding Ade on CC list to follow on this permission issue.

I was thinking about usability of this new approach, we may want to
make user
life easier in a perspective of CRL master managing. I have following
enhancements in mind:

- mark CRL master in ipa-replica-manage list, or
ipa-csreplica-manage list:

# ipa-csreplica-manage list
Directory Manager password: master [CRL] master

- when removing master with CRL by "ipa-replica-manage del" we
should warn user
and inform him what he should do next to amend the situation. I am
about 2 new commands for ipa-csreplica-manage:

* ipa-csreplica-manage crl-promote
       - promote current master as the new CRL master, enable CRL
generation in
CS.cfg, mark master as the new CRL master in cn=masters
* ipa-csreplica-manage crl-update
       - update CS.cfg of current CA replica and point* to current
CRL master

I can work on those enhancements if we agree on them.


Andrew provided some feedback out-of-band and my solution was overly
Here is a much simpler patch which does away with all the hand-waving
knowing who the CRL generator is.


This looks OK code-wise, I will wait for dogtag guys to confirm that
this is
the right approach.

Btw. I think we may want to file a RFE to implement some command to
promote a
replica to CRL master (like "ipa-csreplica-manage crl-promote" proposed
earlier). Users may want to promote a replica when the master crashes
or is to
be replaced. Some way to migrate CRL list (if not replicated already)
to the
promoted replica would also be needed.


Andrew suggested I specify that we do not monitor cloned revocations on
the server not generating CRLs, so I added that.

The last question is what we do about redirecting users on the
non-generating masters.

We can do it easily with a line like this in Apache:

RewriteRule ^/ipa/crl/MasterCRL.bin

The tricky part is writing this properly. The CA can be added
post-install so I don't think simply adding this to ipa-rewrite.conf
will work well. Is adding another template configuration file for Apache


Here is my WIP for auto-configuring redirect on clones. It works ok for me
isn't too invasive IMHO. The basic idea is to allow proxying of the getCRL
servlet and redirect to that on requests to the clone server.

Browsing won't work, but you can fetch the MasterCRL.bin with:

# wget --ca-certificate=/etc/ipa/ca.crt

diff --git a/install/conf/ipa-pki-proxy.conf
index 20c0921..8c4f3a9 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -3,7 +3,7 @@
    ProxyRequests Off

    # matches for ee port


        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -25,3 +25,6 @@ ProxyRequests Off
        ProxyPassMatch ajp://localhost:$DOGTAG_PORT
        ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+# Only enable this on servers that are not generating a CRL
+${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin
diff --git a/ipaserver/install/
index 0ac895e..aabbba3 100644
--- a/ipaserver/install/
+++ b/ipaserver/install/
@@ -1304,7 +1304,11 @@ class CAInstance(service.Service):

        def __http_proxy(self):
            template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
-        sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
+        sub_dict = dict(
+            DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
+            CLONE='' if self.clone else '#',
+            FQDN=self.fqdn,
+        )
            template = ipautil.template_file(template_filename, sub_dict)
            with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:

The approach looks OK, just please do not forget to also add CLONE to sub_dict
in ipa-upgradeconfig, it just crashed when I was testing the change:

CRL tree already moved
     File "/usr/lib/python2.7/site-packages/ipaserver/install/",
line 614, in run_script
       return_value = main_function()

     File "/sbin/ipa-upgradeconfig", line 601, in main
       upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf",
+ "ipa-pki-proxy.conf", add=True)

     File "/sbin/ipa-upgradeconfig", line 187, in upgrade
       update_conf(sub_dict, filename, template)

     File "/sbin/ipa-upgradeconfig", line 110, in update_conf
       template = ipautil.template_file(template_filename, sub_dict)

     File "/usr/lib/python2.7/site-packages/ipapython/", line 228, in
       return template_str(, vars)

     File "/usr/lib/python2.7/site-packages/ipapython/", line 215, in
       val = string.Template(txt).substitute(vars)

     File "/usr/lib64/python2.7/", line 172, in substitute
       return self.pattern.sub(convert, self.template)

     File "/usr/lib64/python2.7/", line 162, in convert
       val = mapping[named]

The ipa-upgradeconfig command failed, exception: KeyError: 'CLONE'
Unexpected error
KeyError: 'CLONE'


Fixed and merged into a single patch.


This will crash when upgrading a replica without a CA or server with self-sign:

+    crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+                                     'ca.crl.MasterCRL.enableCRLUpdates', '=')

This line can be run only when CA is actually configured.


Right you are. Fixed.


ACK. Works fine, I was able to get MasterCRL.bin on both master and replica.

Please just amend the block below a bit:

      # migrate CRL publish dir before the location in ipa.conf is updated
      ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    if ca.is_configured():
+        crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+                                         'ca.crl.MasterCRL.enableCRLUpdates',
+                                         '=')
+        sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
      ca_restart = migrate_crl_publish_dir(ca)

"ca_restart = migrate_crl_publish_dir(ca)" should be closer to the comment
above, otherwise it may be confusing.


fixed and pushed to master and ipa-3-0


Freeipa-devel mailing list

Reply via email to