Petr Viktorin wrote:
> On 09/24/2014 06:13 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4480>
>> and <https://fedorahosted.org/freeipa/ticket/4489>.
>>
>> (Note that design page for this is TBD.)

Isn't this backwards then?

> 
> 336:
> 
> Instead of
>     len(data[:match.start() + 1].splitlines())
> you can do
>     data.count('\n', 0, match.start()) + 1
> 
> 337:
> The --external_cert_file and --external_ca_file options for
> ipa-ca-install are removed, do we really want to do that? Shouldn't they
> be deprecated instead?

+1

> 
> Same for --external-ca-file in ipa-cacert-manage.

+1

I can't say I'm a fan of forcing users to concatenate cert files.

> 
> 338: Looks OK
> 339: Looks OK
> 
> Could you add some docstrings to the functions you add? Sometimes it's
> harder than necessary to decipher what they do and what the
> arguments/return values mean exactly.
> 
> There is no user-visible documentation on what file types are
> expected/supported. It would be good to add this to the man pages, or
> the --help.

I also wonder if the detection code should be changed. It basically now
tries a slew of different mechanisms one at a time rather than trying to
identify the type of file and using that one. It may not be possible in
all cases but you could at least start by looking for ^----- to know it
is a text file and go from there, otherwise step through the binary formats.

> 
> In external CA, the error message when specifying a certificate but not
> the CA could be improved:
> $ ipa-server-install --external_cert_file ~/p/Certificate_Authority_8.cer
> ...
> CA certificate CN=Certificate Authority,O=IDM.LAB.ENG.BRQ.REDHAT.COM in
> /home/pviktori/p/Certificate_Authority_8.cer is not valid:
> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
> 
> For CA-less, I used a combination of files with which server
> installation went well, but replica-install failed halfway through:
> 
> Console:
> ...
>   [16/36]: creating indices
>   [17/36]: enabling referential integrity plugin
>   [18/36]: configuring ssl for ds instance
>   [error] RuntimeError: incorrect password for pkcs#12 file
> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
> 
> Log tail:
> 
> 2014-09-26T15:05:43Z DEBUG Starting external process
> 2014-09-26T15:05:43Z DEBUG args='/usr/bin/pk12util' '-d'
> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/' '-i'
> '/tmp/tmp2vEWX_ipa/realm_info/dscert.p12' '-k'
> '/etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt' '-v' '-w'
> '/dev/stdin'
> 2014-09-26T15:05:43Z DEBUG Process finished, return code=17
> 2014-09-26T15:05:43Z DEBUG stdout=
> 2014-09-26T15:05:43Z DEBUG stderr=pk12util: PKCS12 decode not verified:
> SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
> 
> 2014-09-26T15:05:43Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 370, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 360, in run_step
>     method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 600, in __enable_ssl
>     trust_flags=trust_flags)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 1030, in create_from_pkcs12
>     self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 971, in import_pkcs12
>     pkcs12_passwd=pkcs12_passwd)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 191, in import_pkcs12
>     pkcs12_filename)
> RuntimeError: incorrect password for pkcs#12 file
> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
> 
> 2014-09-26T15:05:43Z DEBUG   [error] RuntimeError: incorrect password
> for pkcs#12 file /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
> 2014-09-26T15:05:43Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 644, in run_script
>     return_value = main_function()
> 
>   File "/sbin/ipa-replica-install", line 677, in main
>     ds = install_replica_ds(config)
> 
>   File "/sbin/ipa-replica-install", line 190, in install_replica_ds
>     ca_file=config.dir + "/ca.crt",
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 354, in create_replica
>     self.start_creation(runtime=60)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 370, in start_creation
>     run_step(full_msg, method)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 360, in run_step
>     method()
> 
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 600, in __enable_ssl
>     trust_flags=trust_flags)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 1030, in create_from_pkcs12
>     self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 971, in import_pkcs12
>     pkcs12_passwd=pkcs12_passwd)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 191, in import_pkcs12
>     pkcs12_filename)
> 
> 2014-09-26T15:05:43Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: incorrect password for pkcs#12 file
> /tmp/tmp2vEWX_ipa/realm_info/dscert.p12
> 
> 
> I'll attach the files for reference; the options for ipa-server-install
> and ipa-replica-prepare were:
> 
> --http-cert-file=~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
> --http-cert-file
> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-allcerts-x509.pem --http-pin
> 12345678 --dirsrv-cert-file
> ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-cacerts-pkcs7.pem
> --dirsrv-cert-file ~/STAR.idm.lab.eng.brq.redhat.com_3.p12-nocacerts.p12
> --dirsrv-pin 12345678
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
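As an added illustration of the "identify the file type first, then parse" approach raised above (this is example code written for this thread, not part of the attached patches or of FreeIPA), the sniffer below looks for a `^-----BEGIN` header to recognise PEM text and reports each block with its line number using the `data.count('\n', 0, match.start()) + 1` idiom from the review; anything else is checked against the three DER containers the installer accepts by decoding only the outer SEQUENCE and its first element (X.509 starts with a nested SEQUENCE, PKCS#7 ContentInfo with an OBJECT IDENTIFIER, PKCS#12 PFX with INTEGER 3). Function names and the sample inputs are constructed for the example; nothing is decrypted or validated, so a wrong PKCS#12 password is still only caught at import time.

```python
"""Sniff the on-disk format of a certificate / key-bundle file.

Example code for the discussion above, not FreeIPA's own code.
Pure standard library; classifies only, never decrypts or verifies.
"""
import re

# PEM header on its own line; \r? tolerates CRLF files.
PEM_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)


def pem_blocks(data):
    """Return (label, line_number) for every PEM header in data.

    data.count(b'\n', 0, m.start()) + 1 gives the same line number as
    len(data[:m.start() + 1].splitlines()) without copying the prefix.
    """
    return [(m.group(1).decode(), data.count(b"\n", 0, m.start()) + 1)
            for m in PEM_RE.finditer(data)]


def _der_header(data, offset):
    """Decode one DER tag/length at offset -> (tag, length, value_offset) or None."""
    if offset + 1 >= len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short-form length
        return tag, first, offset + 2
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or offset + 2 + nbytes > len(data):
        return None                       # indefinite/oversized length: not DER
    length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
    return tag, length, offset + 2 + nbytes


def der_kind(data):
    """Classify a DER blob by the first element inside the outer SEQUENCE.

    X.509 Certificate / CRL: SEQUENCE { SEQUENCE ... }
    PKCS#7 ContentInfo:      SEQUENCE { OBJECT IDENTIFIER ... }
    PKCS#12 PFX:             SEQUENCE { INTEGER 3 ... }
    """
    outer = _der_header(data, 0)
    if outer is None or outer[0] != 0x30:
        return None
    _, length, value_off = outer
    if value_off + length != len(data):   # outer length must span the whole file
        return None
    inner = _der_header(data, value_off)
    if inner is None:
        return None
    itag, ilen, ival = inner
    if itag == 0x30:
        return "x509"
    if itag == 0x06:
        return "pkcs7"
    if itag == 0x02 and ilen == 1 and data[ival:ival + 1] == b"\x03":
        return "pkcs12"
    return None


def detect(data):
    """Return {'kind': ..., 'blocks': [...]}; kind is None when unrecognised."""
    blocks = pem_blocks(data)
    if blocks:
        return {"kind": "pem", "blocks": blocks}
    return {"kind": der_kind(data), "blocks": []}


# Constructed samples (not real certificates): a two-block PEM file and
# minimal DER skeletons with the right leading structure.
SAMPLE_PEM = (
    b"# constructed sample\n"
    b"-----BEGIN CERTIFICATE-----\n"
    b"bm90IGEgcmVhbCBjZXJ0\n"
    b"-----END CERTIFICATE-----\n"
    b"-----BEGIN PKCS7-----\n"
    b"bm90IGEgcmVhbCBidW5kbGU=\n"
    b"-----END PKCS7-----\n"
)
SAMPLE_X509 = b"\x30\x06\x30\x04\x02\x02\x00\x01"
SAMPLE_PKCS7 = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x00"
SAMPLE_PKCS12 = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE_LONG = b"\x30\x81\x83\x30\x81\x80" + b"\x00" * 128   # long-form lengths

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("x509", SAMPLE_X509),
                       ("pkcs7", SAMPLE_PKCS7), ("pkcs12", SAMPLE_PKCS12),
                       ("long", SAMPLE_LONG), ("junk", b"hello")]:
        print(name, detect(blob))
```

Because the outer length must cover the whole file exactly and the inner tag must be one of three values, truncated files, random data and concatenated DER objects all come back as `None` instead of being fed to every parser in turn, which is where a text-first check pays off over trial and error.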
