On 12/05/2014 11:34 AM, Jan Cholasta wrote:
Dne 5.12.2014 v 09:03 Martin Kosek napsal(a):
On 12/04/2014 09:36 AM, Jan Cholasta wrote:
+ if x509.get_der_subject(cert, x509.DER) != der_subject:
+ raise admintool.ScriptError("Subject name encoding
mismatch")
I think we can expect this to be a pretty common error, given this is
the default behavior of Microsoft Certificate Services. I would thus
like to make the error message more juicy.
We need to make sure we offer some pointers for these users or they will
just blame IPA for screwing up. So, the information I wrote
https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11
need to somehow get to the error message as a potential/likely root
cause of the problem. Whether you write it in the error message itself
or update the design page and just insert a link is up to you.
Martin
I would rather document this and have users read the documentation, which they
should do anyway when something goes wrong. There are many errors in IPA which
are common and users may blame IPA for them and I don't see what makes this one
so special that it should require a special treatment.
I saw several reasons:
- Certificate&installation error are more common than the others and users are
usually quite lost in what to do with them.
- In this case, we know by 90% probability what is the root cause
- It will block one of the main use cases for the new CA renewal tool and
people will likely hit it as MS CAs is one of the most common CAs and this is
it's default behavior.
Giving more details in this case will not hurt us, but benefit users. So I
still do not see the harm.
Anyway, I have created
<http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.
Good. Do you plan to reference the section or enhance the error message?
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
