On 09/24/2014 06:13 PM, Jan Cholasta wrote:
Hi,

the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
and <https://fedorahosted.org/freeipa/ticket/4489>.

(Note that design page for this is TBD.)

Honza


336:

Instead of
    len(data[:match.start() + 1].splitlines())
you can do
    data.count('\n', 0, match.start()) + 1

337:
The --external_cert_file and --external_ca_file options for ipa-ca-install are removed; do we really want to do that? Shouldn't they be deprecated instead?

Same for --external-ca-file in ipa-cacert-manage.

338: Looks OK
339: Looks OK

Could you add some docstrings to the functions you add? Sometimes it's harder than necessary to decipher what they do and what the arguments/return values mean exactly.

There is no user-visible documentation on what file types are expected/supported. It would be good to add this to the man pages, or the --help.



In external CA, the error message when specifying a certificate but not the CA could be improved:
$ ipa-server-install --external_cert_file ~/p/Certificate_Authority_8.cer
...
CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in /home/pviktori/p/Certificate_Authority_8.cer is not valid: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.



For CA-less, I used a combination of files with which server installation went well, but replica-install failed halfway through:

Console:
...
  [16/36]: creating indices
  [17/36]: enabling referential integrity plugin
  [18/36]: configuring ssl for ds instance
[error] RuntimeError: incorrect password for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12

Log tail:

2014-09-26T15:05:43Z DEBUG Starting external process
2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d' '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i' '/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k' '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w' '/dev/stdin'
2014-09-26T15:05:43Z DEBUG Process finished, return code=17
2014-09-26T15:05:43Z DEBUG stdout=
2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 370, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 360, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 600, in __enable_ssl
    trust_flags=trust_flags)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 1030, in create_from_pkcs12
    self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 971, in import_pkcs12
    pkcs12_passwd=pkcs12_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 191, in import_pkcs12
    pkcs12_filename)
RuntimeError: incorrect password for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12

2014-09-26T15:05:43Z DEBUG [error] RuntimeError: incorrect password for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
2014-09-26T15:05:43Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 644, in run_script
    return_value = main_function()
  File "/sbin/ipa-replica-install", line 677, in main
    ds = install_replica_ds(config)
  File "/sbin/ipa-replica-install", line 190, in install_replica_ds
    ca_file=config.dir + "/ca.crt",
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 354, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 370, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 360, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 600, in __enable_ssl
    trust_flags=trust_flags)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 1030, in create_from_pkcs12
    self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 971, in import_pkcs12
    pkcs12_passwd=pkcs12_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 191, in import_pkcs12
    pkcs12_filename)

2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: incorrect password for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12


I'll attach the files for reference; the options for ipa-server-install and ipa-replica-prepare were:

--http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12 --http-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem --http-pin 12345678 --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12 --dirsrv-pin 12345678



--
Petr³

Attachment: STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem
Description: application/x509-ca-cert

Attachment: STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
Description: application/x509-ca-cert

Attachment: STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
Description: application/pkcs12
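Two points in the review above can be illustrated by one small piece of code: the line-number computation suggested for patch 336 (counting newlines before a regex match offset instead of slicing and calling splitlines), and the undocumented set of file types the --*-cert-file options are expected to accept, which the attachments show as a PEM certificate bundle, a PEM PKCS#7 file and a PKCS#12 file. The following is an added example written for this page; it is not code from the patches or from FreeIPA, and the function names (line_number_at, find_pem_blocks, sniff_cert_file), the classification labels it returns and the sample inputs are all assumptions made for illustration. The DER samples are constructed headers that only have the ASN.1 shape the sniffer inspects; they are not real certificates or PKCS objects.

```python
import re

# Added example; the helper names and result labels are assumptions, not a FreeIPA API.

# One armoured PEM block: "-----BEGIN <label>-----", a base64 body, and the matching END line.
PEM_BLOCK_RE = re.compile(
    r'-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n'
    r'(?P<body>[A-Za-z0-9+/=\r\n]*?)'
    r'-----END (?P=label)-----'
)


def line_number_at(data, offset):
    """1-based line number of character offset `offset` in `data`.

    Counting the newlines that precede the offset gives the same answer as
    len(data[:offset + 1].splitlines()) for '\n'- or '\r\n'-terminated text,
    without building a copy of the prefix.
    """
    return data.count('\n', 0, offset) + 1


def find_pem_blocks(text):
    """Return [(label, line_number), ...] for every complete PEM block in `text`."""
    return [(m.group('label'), line_number_at(text, m.start()))
            for m in PEM_BLOCK_RE.finditer(text)]


def _der_tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, length, content_pos)."""
    if pos + 2 > len(buf):
        raise ValueError('truncated DER header')
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                              # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError('indefinite or oversized DER length')
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], 'big')
    return tag, length, pos + 2 + n


def sniff_cert_file(raw):
    """Classify the bytes of a file given to an option such as --dirsrv-cert-file.

    PEM is recognised by its armour. For DER, the first element inside the
    outer SEQUENCE tells the three formats apart:
      SEQUENCE (0x30) -> X.509 Certificate (tbsCertificate)
      INTEGER  (0x02) -> PKCS#12 PFX (version)
      OID      (0x06) -> PKCS#7 ContentInfo (contentType)
    """
    if b'-----BEGIN ' in raw:
        labels = {label for label, _ in find_pem_blocks(raw.decode('ascii', 'replace'))}
        if not labels:
            return 'pem-malformed'                # BEGIN without a matching END
        if labels == {'CERTIFICATE'}:
            return 'pem-certificate'
        if labels == {'PKCS7'}:
            return 'pem-pkcs7'
        return 'pem-other'
    try:
        tag, length, pos = _der_tlv(raw, 0)
        if tag != 0x30:
            return 'unknown'
        if pos + length != len(raw):
            return 'der-truncated'                # outer length disagrees with the file size
        inner_tag, _, _ = _der_tlv(raw, pos)
    except ValueError:
        return 'unknown'
    return {0x30: 'der-certificate', 0x02: 'der-pkcs12', 0x06: 'der-pkcs7'}.get(inner_tag, 'unknown')


# Constructed sample inputs (not real certificates): the PEM bodies are
# placeholders and the DER blobs carry only the headers the sniffer looks at.
SAMPLE_PEM_BUNDLE = (
    "subject=CN=example\n"
    "-----BEGIN CERTIFICATE-----\n"               # line 2
    "MIIBplaceholder\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"               # line 5
    "MIICplaceholder\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_PEM_PKCS7 = "-----BEGIN PKCS7-----\nMIIBplaceholder\n-----END PKCS7-----\n"
# SEQUENCE(256 bytes) { SEQUENCE(253 bytes) { ... } }: long-form lengths, X.509 shape
SAMPLE_DER_X509 = b'\x30\x82\x01\x00' + b'\x30\x81\xfd' + b'\x00' * 253
# SEQUENCE { INTEGER 3, SEQUENCE { } }: PKCS#12 PFX shape
SAMPLE_DER_PKCS12 = b'\x30\x05\x02\x01\x03\x30\x00'
# SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData) }: PKCS#7 ContentInfo shape
SAMPLE_DER_PKCS7 = b'\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02'

if __name__ == '__main__':
    for name, raw in [('bundle.pem', SAMPLE_PEM_BUNDLE.encode()),
                      ('chain.p7b.pem', SAMPLE_PEM_PKCS7.encode()),
                      ('cert.der', SAMPLE_DER_X509),
                      ('cert.p12', SAMPLE_DER_PKCS12),
                      ('chain.p7b', SAMPLE_DER_PKCS7),
                      ('cut.p12', SAMPLE_DER_PKCS12[:-1])]:
        print(name, sniff_cert_file(raw))
    print(find_pem_blocks(SAMPLE_PEM_BUNDLE))
```

The count-based line number and the splitlines form agree on PEM text because PEM only ever uses '\n' or '\r\n'; str.splitlines also splits on lone '\r', '\v', '\f' and a few Unicode separators, so the two would diverge on arbitrary text. The DER check compares the outer SEQUENCE length with the file size before looking inside, which is the cheapest way to turn a truncated or concatenated file into a clear error rather than an NSS decode failure.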

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
