On 10.4.2013 09:46, Martin Kosek wrote:
On 04/10/2013 01:52 AM, Dmitri Pal wrote:
On 04/09/2013 12:11 PM, Simo Sorce wrote:
On Tue, 2013-04-09 at 11:18 -0400, Dmitri Pal wrote:
On 04/09/2013 10:19 AM, Simo Sorce wrote:
On Tue, 2013-04-09 at 16:02 +0200, Martin Kosek wrote:
On 04/08/2013 05:09 PM, Martin Kosek wrote:
On 04/08/2013 03:47 PM, Dmitri Pal wrote:
On 04/08/2013 08:42 AM, Martin Kosek wrote:
On 04/08/2013 10:48 AM, Jan Cholasta wrote:
On 8.4.2013 10:47, Jan Cholasta wrote:
Hi,

this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.

Honza

Re-sending with correct subject.

I tested the change both for upgrades and for fresh installs and it worked fine
in both cases, even when testing with Firefox enforcing mode.

So far, the biggest issue I see in the current process is that NSS is not able
to fall back to another defined OCSP responder (I tested with Firefox 20). This
way, Firefox will fail to validate the FreeIPA site when the first tested OCSP
responder is not available (e.g. the original IPA CA signing the HTTP cert, or
an `ipa-ca.$domain` host that is currently not up).
Have we filed a ticket with FF?
AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug open for
NSS:
https://bugzilla.mozilla.org/show_bug.cgi?id=797815

Rob seems to have more context about this bug background.

Martin

We may want to hold off on pushing this patch until we get some response in the
NSS Bugzilla above. If our request is rejected, we may be forced to use just a
single CRL/OCSP URI (which would probably be the general one) and thus supersede
patch 123.
Well it will have to depend on when you create certs.
The first IPA server's own cert should probably point at the IPA server
name. Then we should warn in bold letters that the user should create
such and such a DNS name if they did not let IPA handle DNS.

If we can handle DNS then any other use can refer to the common name,
which can be an A name with multiple entries (each IPA CA server should
be listed there by default and the record should be changed at CA
replica install/decommission time); however, we should allow admins to
add/remove names manually as well, in case they want to add proxies or
conceal some of the CA servers.

We may also want to change the RA client code to use that record to
fetch certs.

Simo.

I see a lot of RFEs in this comment.
Are we going to file them?
We'll see how NSS is going to respond to the ticket, and then adjust
accordingly.

Simo.


Well... time to adjust... accordingly ;-)


Oh yes, see "adjusted" tickets
https://fedorahosted.org/freeipa/ticket/3552
and
https://fedorahosted.org/freeipa/ticket/3547
with a resolution how to handle the OCSP/CRL URIs.

This supersedes Jan's original patch 123.
Martin


Updated patch attached.

Honza

--
Jan Cholasta
From 0a4c0781f347f4b3f83112f3a611020bd2a97d1d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 8 Apr 2013 10:20:00 +0200
Subject: [PATCH] Use only one URL for OCSP and CRL in IPA certificate profile.

https://fedorahosted.org/freeipa/ticket/3552
---
 ipaserver/install/cainstance.py | 59 ++++++++++-------------------------------
 1 file changed, 14 insertions(+), 45 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6bf22db..3476b2c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1271,17 +1271,18 @@ class CAInstance(service.Service):
         changed = False
 
         # OCSP extension
+        ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
         ocsp_location_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
             separator='=')
 
-        if not ocsp_location_0:
+        if ocsp_location_0 != ocsp_url:
             # Set the first OCSP URI
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
-                'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                ocsp_url, quotes=False, separator='=')
             changed = True
 
         ocsp_profile_count = installutils.get_directive(
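Review bot: the new `ocsp_url` on the first `+` line of this hunk silently changes the scheme of the AIA OCSP URL from https to http. That is the right choice (an OCSP URL fetched over TLS would require validating a certificate that itself needs a revocation check, and the old `_1` entry was already plain http), but neither the commit message nor the code says so; add a sentence to the commit message or a short comment next to `ocsp_url` so the next reader does not "fix" it back. The same line is also well over 79 columns, unlike the surrounding code; splitting the format call across two lines keeps the file consistent.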
@@ -1289,34 +1290,22 @@ class CAInstance(service.Service):
             'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
             separator='=')
 
-        if ocsp_profile_count == '1':
-            # add the second OCSP URI
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
-                'true', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
-                'URIName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
-                'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
-                quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
-                '1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
+        if ocsp_profile_count != '1':
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
-                '2', quotes=False, separator='=')
+                '1', quotes=False, separator='=')
             changed = True
 
 
         # CRL extension
-        crl_issuer_0 = installutils.get_directive(
+        crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
+        crl_point_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
-            'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
             separator='=')
 
-        if not crl_issuer_0:
+        if crl_point_0 != crl_url:
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
                 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
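Review bot: the `if ocsp_profile_count != '1':` branch only resets `authInfoAccessNumADs`; on an upgraded server the `authInfoAccessADEnable_1`, `authInfoAccessADLocationType_1`, `authInfoAccessADLocation_1` and `authInfoAccessADMethod_1` directives written by the removed code stay in the profile. Consider deleting them in the same branch so the profile does not carry a present-but-disabled second responder that a later counter change could silently re-enable. Two smaller points: `crl_url` is built with `'...'% (` (no space before `%`) while `ocsp_url` above has one, and if `fqdn` was only used for the removed `_1` URLs it may now be an unused parameter of this method.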
@@ -1325,8 +1314,7 @@ class CAInstance(service.Service):
                 'DirectoryName', quotes=False, separator='=')
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
-                'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                crl_url, quotes=False, separator='=')
             changed = True
 
         crl_profile_count = installutils.get_directive(
@@ -1334,29 +1322,10 @@ class CAInstance(service.Service):
             'policyset.serverCertSet.9.default.params.crlDistPointsNum',
             separator='=')
 
-        if crl_profile_count == '1':
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
-                'true', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
-                'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
-                'DirectoryName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
-                'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
-                quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
-                'URIName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
-                '', quotes=False, separator='=')
+        if crl_profile_count != '1':
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
-                '2', quotes=False, separator='=')
+                '1', quotes=False, separator='=')
             changed = True
 
         # CRL extension is not enabled by default
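Review bot: as in the OCSP block, `if crl_profile_count != '1':` rewrites only `crlDistPointsNum`, leaving `crlDistPointsEnable_1`, `crlDistPointsIssuerName_1`, `crlDistPointsIssuerType_1`, `crlDistPointsPointName_1`, `crlDistPointsPointType_1` and `crlDistPointsReasons_1` behind on upgraded installs. Clearing them here would make an upgraded profile identical to a fresh one, which matters when support compares profile files between servers that issue the same certificates.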
-- 
1.8.1.4
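A check for the profile state this patch is meant to leave behind, written as an added example (not FreeIPA or Dogtag code): it parses the key=value directives the patch sets and flags both a wrong `_0` entry and stale `_1` entries left over from the earlier two-URL layout. The directive names are taken from the patch; the host `ipa-ca.example.test` (after Martin's `ipa-ca.$domain`), the sample profile text, and the assumption that Dogtag ignores entries beyond the `Num` counters are constructed for the example.

```python
import re

OCSP = 'policyset.serverCertSet.5.default.params.'
CRL = 'policyset.serverCertSet.9.default.params.'

# Constructed sample: an upgraded profile whose CRL _0 entry still uses the
# old https scheme and which still carries the old second (_1) entries.
SAMPLE_PROFILE = """\
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.test/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://ipa1.example.test/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ca.example.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=http://ipa1.example.test/ipa/crl/MasterCRL.bin
"""

def parse_profile(text):
    """Parse key=value directives (separator '=', as the patch uses)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        directives[key.strip()] = value.strip()
    return directives

def check_profile(directives, ca_host):
    """Return findings; an empty list means the profile has exactly one
    plain-http OCSP URL and one plain-http CRL URL pointing at ca_host."""
    expected = {
        OCSP + 'authInfoAccessADLocation_0': 'http://%s/ca/ocsp' % ca_host,
        OCSP + 'authInfoAccessNumADs': '1',
        CRL + 'crlDistPointsPointName_0': 'http://%s/ipa/crl/MasterCRL.bin' % ca_host,
        CRL + 'crlDistPointsNum': '1',
    }
    findings = []
    for key, want in expected.items():
        got = directives.get(key)
        if got != want:
            findings.append('%s is %r, expected %r' % (key, got, want))
    # Any _1, _2, ... entry is a leftover of the two-URL layout. Assumption: Dogtag
    # ignores entries beyond the Num counters, but they still mislead audits.
    stale = re.compile(r'(authInfoAccessAD|crlDistPoints)\w+_[1-9]\d*$')
    for key in sorted(directives):
        if stale.search(key):
            findings.append('stale two-URL directive: %s' % key)
    return findings
```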

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
