Jan Cholasta wrote:
> On 12.6.2014 09:49, Jan Cholasta wrote:
>> On 20.5.2014 21:38, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 25.4.2014 10:51, Jan Cholasta wrote:
>>>>> On 24.4.2014 23:16, Rob Crittenden wrote:
>>>>>> Jan Cholasta wrote:
>>>>>>> On 10.4.2014 22:06, Rob Crittenden wrote:
>>>>>>>> Some in-line, a whole ton of data appended to end.
>>>>>>>>
>>>>>>>> Jan Cholasta wrote:
>>>>>>>>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>>>>>>>>> Rob Crittenden wrote:
>>>>>>>>>>>
>>>>>>>>>>> 247
>>>>>>>>>>>
>>>>>>>>>>> We've been burned by hardcoded timeouts in the past. Should this be
>>>>>>>>>>> configurable? This module doesn't currently do any logging but it
>>>>>>>>>>> might be worth spitting out a "waiting" message, at least for
>>>>>>>>>>> debugging.
>>>>>>>>>
>>>>>>>>> Added a timeout argument.
>>>>>>>>
>>>>>>>> Did you forget to send this one, I didn't see an update to 247.
>>>>>>>
>>>>>>> Are you sure you have 247.1 (now 247.2)?
>>>>>>>
>>>>>>> I can see at
>>>>>>> <http://www.redhat.com/archives/freeipa-devel/2014-April/msg00225.html>
>>>>>>> that I have sent the correct version of the patches.
>>>>>>
>>>>>> The call has a timeout, the callers don't use it. I guess it'll do for
>>>>>> now, but these almost always come back to bite us.
>>>>>
>>>>> Well, I can add --certmonger-timeout option to ipa-cacert-manage, if
>>>>> that's what you want.
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 251
>>>>>>>>>>>
>>>>>>>>>>> The tool should provide some feedback while it's running. For the
>>>>>>>>>>> impatient (me) it takes a really long time and it's hard to know
>>>>>>>>>>> what is going on, something in between nothing and full debug
>>>>>>>>>>> output.
>>>>>>>>>
>>>>>>>>> Added some messages about what's going on.
>>>>>>>>
>>>>>>>> I don't see an update to 251 either.
>>>>>>>
>>>>>>> Please make sure you have 251.1 (now 251.2).
>>>>>>
>>>>>> There is a little bit more output but there are still very long periods
>>>>>> of waiting between any visual activity, particularly when doing it on an
>>>>>> IPA self-signed CA.
>>>>>
>>>>> This stuff takes time :-) What would you like to see in the output,
>>>>> that's not already there?
>>>>>
>>>>>>>>
>>>>>>>> I think the ipa-cacert-manage man page is missing one really important
>>>>>>>> piece: why would you ever need to run this? And when?
>>>>>>>
>>>>>>> Added a paragraph about this.
>>>>>>
>>>>>> It's better, couple of comments:
>>>>>>
>>>>>> Add "the" in between renew and CA in "used to manually renew CA
>>>>>> certificate of" and "When IPA CA...".
>>>>>
>>>>> OK.
>>>>>
>>>>>> I haven't had any luck renewing the CA certificate yet. I see that it
>>>>>> is tracked now. I started moving the system clock forward in order to
>>>>>> get to renewal and about the 3rd iteration the requests started failing
>>>>>> with an XML error. Did you see this?
>>>>>>
>>>>>> [Thu Apr 21 11:08:49.929486 2016] [:error] [pid 11692] Traceback (most recent call last):
>>>>>> [Thu Apr 21 11:08:49.929489 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 344, in wsgi_execute
>>>>>> [Thu Apr 21 11:08:49.929493 2016] [:error] [pid 11692] result = self.Command[name](*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929496 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
>>>>>> [Thu Apr 21 11:08:49.929499 2016] [:error] [pid 11692] ret = self.run(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929503 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
>>>>>> [Thu Apr 21 11:08:49.929506 2016] [:error] [pid 11692] result = self.execute(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.929509 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 382, in execute
>>>>>> [Thu Apr 21 11:08:49.929512 2016] [:error] [pid 11692] result = api.Command['cert_show'](unicode(serial))['result']
>>>>>> [Thu Apr 21 11:08:49.929516 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
>>>>>> [Thu Apr 21 11:08:49.929519 2016] [:error] [pid 11692] ret = self.run(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.930559 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
>>>>>> [Thu Apr 21 11:08:49.930567 2016] [:error] [pid 11692] result = self.execute(*args, **options)
>>>>>> [Thu Apr 21 11:08:49.930570 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 514, in execute
>>>>>> [Thu Apr 21 11:08:49.930573 2016] [:error] [pid 11692] result=self.Backend.ra.get_certificate(serial_number)
>>>>>> [Thu Apr 21 11:08:49.930577 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1502, in get_certificate
>>>>>> [Thu Apr 21 11:08:49.930580 2016] [:error] [pid 11692] parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml)
>>>>>> [Thu Apr 21 11:08:49.930591 2016] [:error] [pid 11692] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1363, in get_parse_result_xml
>>>>>> [Thu Apr 21 11:08:49.930594 2016] [:error] [pid 11692] doc = etree.fromstring(xml_text, parser)
>>>>>> [Thu Apr 21 11:08:49.930598 2016] [:error] [pid 11692] File "lxml.etree.pyx", line 3032, in lxml.etree.fromstring (src/lxml/lxml.etree.c:68129)
>>>>>> [Thu Apr 21 11:08:49.930601 2016] [:error] [pid 11692] File "parser.pxi", line 1785, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:102493)
>>>>>> [Thu Apr 21 11:08:49.930604 2016] [:error] [pid 11692] File "parser.pxi", line 1673, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:101322)
>>>>>> [Thu Apr 21 11:08:49.930607 2016] [:error] [pid 11692] File "parser.pxi", line 1074, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:96504)
>>>>>> [Thu Apr 21 11:08:49.930611 2016] [:error] [pid 11692] File "parser.pxi", line 582, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:91308)
>>>>>> [Thu Apr 21 11:08:49.930614 2016] [:error] [pid 11692] File "parser.pxi", line 683, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:92494)
>>>>>> [Thu Apr 21 11:08:49.930617 2016] [:error] [pid 11692] File "parser.pxi", line 633, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:91957)
>>>>>> [Thu Apr 21 11:08:49.930621 2016] [:error] [pid 11692] XMLSyntaxError: None
>>>>>> [Thu Apr 21 11:08:49.930829 2016] [:error] [pid 11692] ipa: INFO: [xmlserver] host/lyra.greyoak....@greyoak.com: cert_request(u'MIIDmTCCAoECAQAwMTEUMBIGA1UECgwLR1JFWU9BSy5DT00xGTAXBgNVBAMMEGx5cmEuZ3JleW9hay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVw34/WP/pKg+kxmM7aDcjYsEFA9By4SyV1n4FeeDpr2gBulyjKNGTaxuoEssqYy33qVU7vxQ8WS9LtYt1eyAZrKLCVso1njtMZZ2mpymltRgRT+QFzMjwrcoqqGM9XWjVAMur/FJggVPxcpNXy2EUAiVcMEO4zCgxjkWjaXSs5jigvFO5wzolnQRYPECPhYuYwKpVRPwCsqpeiymfpiVuHt+oTHA9lNIGRWWxA+72NLFhrLBKaVaFDl4NCT6jJ71xZDXLQWQw1kAWvYKV22jCfDS/Yxdtyt3O0kUs8dHYClTgW4QN3bBQsgUaspHuWGdF6rwqmIihPUjq07fB6r8jAgMBAAGgggEhMCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIH3BgkqhkiG9w0BCQ4xgekwgeYwDgYDVR0PAQEABAQDAgTwMIGBBgNVHREBAQAEdzB1oDEGCisGAQQBgjcUAgOgIwwhSFRUUC9seXJhLmdyZXlvYWsuY29tQEdSRVlPQUsuQ09NoEAGBisGAQUCAqA2MDSgDRsLR1JFWU9BSy5DT02hIzAhoAMCAQGhGjAYGwRIVFRQGxBseXJhLmdyZXlvYWsuY29tMCAGA1UdJQEBAAQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCAGA1UdDgEBAAQWBBQ2k1wey/NlwORBA7I+O26IX0WyGTANBgkqhkiG9w0BAQsFAAOCAQEABUStRJyl5DBTpEOdKOXCnhSdRuElwv64XLIX47B1DVsiI9tL806nsLH16XSFIZqo1HWXxDU90/W! m! >>>>>> > 8! >>>>>> >> V! >>> P! >>>>>> >>>> Z! >>>>>> >>>>> gm! >>>>>> >>>>>> 3VCtgMvPVk >>>>>> 3k4qYBz6/2B8PEeQY2/W5CULkfjqJhDxr0qodiYAc8GOyHMDpymfC3+QUIXkmoy94USRS2x8CMvzq8h1tpBPcXAei6waohTJtO33o79iVNbeLIif3RD22dghPx3JvEB4FXWQv6IylXGyJb6NRRneI4R8Ko0xCA9xiyPegfDgiQEUUSCtJ/Qr9/OpytFgrpJHSTd8n9DzLbRO5FQW4yS45A8xp5WkJCU5IslIon6luf9v5eNCVsIp7EPgaQ==', principal=u'HTTP/lyra.greyoak....@greyoak.com', add=True, version=u'2.51'): XMLSyntaxError
>>>>>
>>>>> I have never seen this. The error message does not say much... Is there
>>>>> anything interesting in other logs?
>>>>
>>>> I was able to get the CA certificate to be renewed after moving system
>>>> time forward step by step.
>>>>
>>>> One thing I haven't noticed before is that the renewed certificate's
>>>> validity never exceeds that of the original certificate. This is most
>>>> likely a Dogtag issue (something along the lines of "certificate validity
>>>> cannot exceed validity of the CA certificate", except it shouldn't apply
>>>> to the CA certificate itself).
>>>>
>>>> There were other issues here and there, all of them were caused by race
>>>> conditions between concurrent renewals (unreachable CA, XML syntax
>>>> errors, etc. because Dogtag was stopped by stop_pkicad in another
>>>> request, CMS internal error because it used old subsystem cert to
>>>> authenticate to LDAP while the cert was being renewed, etc.) and all of
>>>> them could be fixed by restarting relevant IPA services and resubmitting
>>>> the requests manually. Some synchronization is really missing there.
>>>
>>> I hadn't noticed that, but my CA was issued externally so I expected
>>> this. I also saw the bumps during renewal but things always tended to
>>> smooth out, with the errors generally restricted to restarts and
>>> certmonger. This backtrace was the only thing that really stood out.
>>> IIRC at this point things were pretty much blocked.
>>>
>>> In any case, these patches basically seem to work. I never did work out
>>> whether the above error was due to dogtag, IPA or something else.
>>>
>>> rob
>>
>> Rebased the patches on top of current master.
>>
>> Give up retrieving certificate from LDAP in patch 265 after a few
>> unsuccessful attempts. This is to prevent certmonger requests from
>> staying in CA_WORKING state forever when you manually resubmit a request.
>>
>> Added patch 266 which adds ACIs missing after the permission refactoring.
>
> Rebased again.
>
> Converted all permissions to managed permissions.
>
> Added dependency on certmonger >= 0.74 in patch 251, because CSR export
> is broken with older versions. There is an update to certmonger 0.75.5
> for F20:
> <https://admin.fedoraproject.org/updates/FEDORA-2014-7529/certmonger-0.75.5-1.fc20>.
> (It segfaults for me during server install, Nalin and I are investigating.)
>

I need a full set of patches, 241-299 from the same tree. Trying to piece
together more than 50 patches from three long threads is proving
impossible. Provided some feedback on 295-299 in that thread but I can't
get much applied so I can do any functional testing.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
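Two points from the thread above are worth seeing in code: the XMLSyntaxError came from parsing a response body the CA produced while it was being stopped by a concurrent renewal, and the patch 265 change gives up after a few unsuccessful attempts so a certmonger request does not sit in CA_WORKING forever. The block below is an added example, not FreeIPA, Dogtag or certmonger code: a bounded retry around a response parser that treats an empty or unparsable body as transient, emits the "waiting" feedback a reviewer asked for, and fails with an explicit error once the attempt budget is spent. It uses the standard library xml.etree.ElementTree rather than lxml, and the `<certificate>` response format, the function names and the sample bodies are all constructed for the example.

```python
"""Bounded retry around a CA XML response parser (added example, not project code)."""
import logging
import time
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Optional

log = logging.getLogger("ca-retry-example")


class TransientCAError(Exception):
    """The CA answered with nothing or with garbage, as it does while being restarted."""


class CAGaveUp(Exception):
    """All attempts failed; surface this instead of leaving the request 'working' forever."""


def parse_cert_response(body: bytes) -> dict:
    """Parse a constructed <certificate serial="..."><pem>...</pem></certificate> body.

    An empty or unparsable body is classified as transient (the XMLSyntaxError in
    the thread came from such a body); a well-formed but wrong document is a hard
    error, since retrying will not change it.
    """
    if not body or not body.strip():
        raise TransientCAError("empty response body")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise TransientCAError(f"malformed XML: {exc}") from exc
    if root.tag != "certificate":
        raise ValueError(f"unexpected root element {root.tag!r}")
    serial = root.get("serial")
    pem = (root.findtext("pem") or "").strip()
    if not serial or not pem:
        raise ValueError("response lacks serial or pem")
    return {"serial": int(serial), "pem": pem}


def fetch_with_bounded_retry(fetch: Callable[[], bytes], attempts: int = 5,
                             delay: float = 0.0,
                             sleep: Callable[[float], None] = time.sleep) -> dict:
    """Call fetch() and parse the result, retrying transient failures at most `attempts` times."""
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    last: Optional[Exception] = None
    for n in range(1, attempts + 1):
        try:
            return parse_cert_response(fetch())
        except TransientCAError as exc:
            last = exc
            # Progress feedback between "nothing" and full debug output.
            log.info("attempt %d/%d failed (%s); waiting %.1fs", n, attempts, exc, delay)
            if n < attempts:
                sleep(delay)
    raise CAGaveUp(f"gave up after {attempts} attempts: {last}") from last


def make_scripted_fetcher(responses: Iterable[bytes]) -> Callable[[], bytes]:
    """Constructed stand-in for the HTTP call to the CA; returns the bodies in order."""
    it = iter(responses)
    return lambda: next(it)


# Constructed responses: the first two imitate a CA that is down or mid-restart.
SAMPLE_RESPONSES = [
    b"",
    b"<html><body>503 Service Unavailable",
    b'<certificate serial="42"><pem>-----BEGIN CERTIFICATE-----\n'
    b'MIIBexampleconstructedbody\n-----END CERTIFICATE-----</pem></certificate>',
]


def demo_recovers() -> dict:
    """Two transient failures, then a good answer: the parsed certificate is returned."""
    return fetch_with_bounded_retry(make_scripted_fetcher(SAMPLE_RESPONSES), attempts=5)


def demo_gives_up() -> str:
    """Only bad answers: the bounded retry raises CAGaveUp instead of spinning."""
    try:
        fetch_with_bounded_retry(make_scripted_fetcher([b"", b"<x", b""]), attempts=3)
    except CAGaveUp as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(demo_recovers())
    print(demo_gives_up())
```

The split between TransientCAError and ValueError is the design point: only failures that a restart of the CA can cure are retried, and the attempt budget is a parameter rather than a hardcoded constant, which is the same objection raised against the original timeout in patch 247.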