We've been burned by hardcoded timeouts in the past. Should this be
configurable? This module doesn't currently do any logging but it may
be worth spitting out a "waiting" message, at least for debugging.

Added a timeout argument.

Did you forget to send this one, I didn't see an update to 247.

Are you sure you have 247.1 (now 247.2)?

I can see at
that I have sent the correct version of the patches.

The call has a timeout, the callers don't use it. I guess it'll do for
now, but these almost always come back to bite us.

Well, I can add --certmonger-timeout option to ipa-cacert-manage, if that's what you want.


The tool should provide some feedback while it's running. For the
impatient (me) it takes a really long time and it's hard to know what is
going on, something in between nothing and full debug output.

Added some messages about what's going on.

I don't see an update to 251 either.

Please make sure you have 251.1 (now 251.2).

There is a little bit more output but there are still very long periods
of waiting between any visual activity, particularly when doing it on an
IPA self-signed CA.

This stuff takes time :-) What would you like to see in the output, that's not already there?

I think the ipa-cacert-manage man page is missing one really important
piece: why would you ever need to run this? And when?

Added a paragraph about this.

It's better, couple of comments:

Add "the" in between renew and CA in "used to manually renew CA
certificate of" and "When IPA CA...".


I haven't had any luck renewing
the CA certificate yet. I see that it is tracked now. I started moving
the system clock forward in order to get to renewal and about the 3rd
iteration the requests started failing with an XML error. Did you see this?

[Thu Apr 21 11:08:49.929486 2016] [:error] [pid 11692] Traceback (most
recent call last):
[Thu Apr 21 11:08:49.929489 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 344, in
[Thu Apr 21 11:08:49.929493 2016] [:error] [pid 11692]     result =
self.Command[name](*args, **options)
[Thu Apr 21 11:08:49.929496 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
[Thu Apr 21 11:08:49.929499 2016] [:error] [pid 11692]     ret =
self.run(*args, **options)
[Thu Apr 21 11:08:49.929503 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Thu Apr 21 11:08:49.929506 2016] [:error] [pid 11692]     result =
self.execute(*args, **options)
[Thu Apr 21 11:08:49.929509 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 382, in
[Thu Apr 21 11:08:49.929512 2016] [:error] [pid 11692]     result =
[Thu Apr 21 11:08:49.929516 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in
[Thu Apr 21 11:08:49.929519 2016] [:error] [pid 11692]     ret =
self.run(*args, **options)
[Thu Apr 21 11:08:49.930559 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Thu Apr 21 11:08:49.930567 2016] [:error] [pid 11692]     result =
self.execute(*args, **options)
[Thu Apr 21 11:08:49.930570 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 514, in
[Thu Apr 21 11:08:49.930573 2016] [:error] [pid 11692]
[Thu Apr 21 11:08:49.930577 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
1502, in get_certificate
[Thu Apr 21 11:08:49.930580 2016] [:error] [pid 11692]     parse_result
= self.get_parse_result_xml(http_body, parse_display_cert_xml)
[Thu Apr 21 11:08:49.930591 2016] [:error] [pid 11692]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
1363, in get_parse_result_xml
[Thu Apr 21 11:08:49.930594 2016] [:error] [pid 11692]     doc =
etree.fromstring(xml_text, parser)
[Thu Apr 21 11:08:49.930598 2016] [:error] [pid 11692]   File
"lxml.etree.pyx", line 3032, in lxml.etree.fromstring
[Thu Apr 21 11:08:49.930601 2016] [:error] [pid 11692]   File
"parser.pxi", line 1785, in lxml.etree._parseMemoryDocument
[Thu Apr 21 11:08:49.930604 2016] [:error] [pid 11692]   File
"parser.pxi", line 1673, in lxml.etree._parseDoc
[Thu Apr 21 11:08:49.930607 2016] [:error] [pid 11692]   File
"parser.pxi", line 1074, in lxml.etree._BaseParser._parseDoc
[Thu Apr 21 11:08:49.930611 2016] [:error] [pid 11692]   File
"parser.pxi", line 582, in
[Thu Apr 21 11:08:49.930614 2016] [:error] [pid 11692]   File
"parser.pxi", line 683, in lxml.etree._handleParseResult
[Thu Apr 21 11:08:49.930617 2016] [:error] [pid 11692]   File
"parser.pxi", line 633, in lxml.etree._raiseParseError
[Thu Apr 21 11:08:49.930621 2016] [:error] [pid 11692] XMLSyntaxError: None
[Thu Apr 21 11:08:49.930829 2016] [:error] [pid 11692] ipa: INFO:
[xmlserver] host/lyra.greyoak....@greyoak.com:

principal=u'HTTP/lyra.greyoak....@greyoak.com', add=True,
version=u'2.51'): XMLSyntaxError
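The traceback above dies in the XML parser with "XMLSyntaxError: None", which is what you commonly get when the body handed to the parser is empty or otherwise not a document, and it gives the operator nothing to go on. The following is an added illustration, not code from this thread or from FreeIPA, of a response-parsing wrapper that checks the body before parsing and reports the HTTP status and a snippet of what the CA actually sent. It assumes the stdlib parser in place of lxml; the function and exception names are hypothetical.

```python
# Added example (not FreeIPA's code). Assumption: xml.etree is used here in
# place of lxml; parse_ca_xml / CAResponseError are hypothetical names.
import xml.etree.ElementTree as ET


class CAResponseError(Exception):
    """Raised when the CA did not return a usable XML document."""


def parse_ca_xml(http_status, http_body, max_snippet=120):
    """Parse an XML response body from the CA, failing with context.

    Returns the root element on success. Otherwise raises CAResponseError
    carrying the HTTP status and the start of the body, instead of letting
    a bare parser exception with no message escape to the caller.
    """
    if http_body is None or not http_body.strip():
        raise CAResponseError(
            "CA returned an empty response body (HTTP status %s); "
            "the CA may be down or still restarting" % http_status)
    stripped = http_body.lstrip()
    if not stripped.startswith("<"):
        raise CAResponseError(
            "CA response is not XML (HTTP status %s): %r"
            % (http_status, stripped[:max_snippet]))
    try:
        return ET.fromstring(http_body)
    except ET.ParseError as e:
        raise CAResponseError(
            "CA returned malformed XML (HTTP status %s): %s; body starts %r"
            % (http_status, e, stripped[:max_snippet]))


def classify_failure(http_status, http_body):
    """Return a short category for a response; handy for log lines and tests."""
    try:
        parse_ca_xml(http_status, http_body)
        return "ok"
    except CAResponseError as e:
        msg = str(e)
        if "empty" in msg:
            return "empty"
        if "not XML" in msg:
            return "not-xml"
        return "malformed"
```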

I have never seen this. The error message does not say much... Is there anything interesting in other logs?

I noticed that in the external CA case we still have certmonger tracking
the CA. What will it do at expiration?

It syslogs the message in patch 252, for the lack of better notification mechanism.

/etc/ipa/ca.crt isn't being updated on renewal.

That will be dealt with in the next batch of patches.
