On 03/18/2013 12:58 PM, Petr Viktorin wrote:
While the work is not complete, these patches allowed me to install an
IPA server without a CA, using PKCS#12 files for the server certs.

The patches don't break normal installation.
The --selfsign option (but not yet the code behind it) is removed.

The absence of a CA is indicated by `enable_ra=False` in the IPA config.

ipa-replica-install will still refuse to run; I'll look into that next.

I removed some unused code that got in my way: Dogtag 9 installation (we
can run a Dogtag 9-style CA, but we never *install* it), and
ipapython.certdb.CertDB (unused, not to be confused with ipaserver's


This improves a developer testing tool. Details inside.

Submitting separately so any problems don't hold back the big batch of CA-less patches.

From 75b1c9e84fdf119a9ef07f851b76f0208185d51a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 2 Apr 2013 12:30:50 +0200
Subject: [PATCH] make-testcert: Add better messages for errors with CA-less

This adds better diagnostics/instructions for two cases of user error:

* The enable_ra setting in ~/.ipa/default.conf doesn't match what is on the server.
  If server is CA-less but enable_ra=True, cert-request won't be available;
    print out instructions to correct this
  If server has a CA but enable_ra=False, make-testcert behaves as CA-less, see below

* In CA-less mode, the cert doesn't already exist.
  Remind that enable_ra must be set properly (for the above case)
  Instruct user to issue a cert and put it in place
 make-testcert | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/make-testcert b/make-testcert
index a5814e1de9428e74a6343f5f13193748e3e04df6..e61089b3176d52e4888c48fb19d75fda8ea804af 100755
--- a/make-testcert
+++ b/make-testcert
@@ -84,6 +84,12 @@ def makecert(reqdir):
+    if not api.env.enable_ra:
+        print "IPA CA is not installed, no cert found"
+        print "Ensure enable_ra in ~/.ipa/default.conf matches the server."
+        print "Issue a test cert manually and put it in %s" % CERTPATH
+        return 1
     ra = rabase.rabase()
     if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:8888/ipa/xml':
         sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py')
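Review bot: the new guard at the top of makecert() reports its error as `print ...; return 1`, while the rest of the function reports errors by returning a message string (see `return "certificate request failed"` in the next hunk), and the check immediately below it calls `sys.exit(...)`. Three conventions in one function makes the caller's handling of the return value ambiguous; returning the joined message as a string, as the other error paths do, would keep them consistent. Also, "IPA CA is not installed, no cert found" reads as two unrelated facts; something like "No test cert found at %s and the IPA CA is not available (enable_ra=False)" ties the two together. The `CERTPATH` name used in the message is not visible in this hunk, so it should be confirmed to be defined in the script.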
@@ -116,7 +122,8 @@ def makecert(reqdir):
     except errors.NotFound:
         return "certificate request failed"
     except errors.CommandError:
-        return "You need to set enable_ra=True in ~/.ipa/default.conf"
+        return ('cert_request command not found. If the IPA CA is not '
+            'installed, set enable_ra=False in ~/.ipa/default.conf')
     c = x509.load_certificate(cert, x509.PEM)
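Review bot: the replacement message in the `except errors.CommandError` branch assumes the unknown command is `cert_request`; since `CommandError` is raised for any command the server does not know, the message will be wrong if the try block (not visible here) issues any other command, so either narrow the handler or phrase the message as a likely cause rather than a certainty. Minor: the command is spelled `cert_request` here and `cert-request` in the commit message; pick one (the CLI name is `cert-request`, the API name is `cert_request`) so the user can grep for it. The continuation line of the string literal is indented four spaces inside the parentheses; aligning it with the opening quote matches the surrounding style.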

Freeipa-devel mailing list
