On 10.12.2014 at 11:53 Martin Kosek wrote:
On 12/09/2014 01:56 PM, Jan Cholasta wrote:
On 5.12.2014 at 12:01 Jan Cholasta wrote:
On 5.12.2014 at 11:43 Martin Kosek wrote:
On 12/05/2014 11:34 AM, Jan Cholasta wrote:
On 5.12.2014 at 09:03 Martin Kosek wrote:
On 12/04/2014 09:36 AM, Jan Cholasta wrote:
+            if x509.get_der_subject(cert, x509.DER) != der_subject:
+                raise admintool.ScriptError("Subject name encoding
mismatch")

I think we can expect this to be a pretty common error, given this is
the default behavior of Microsoft Certificate Services. I would thus
like to make the error message more juicy.

We need to make sure we offer some pointers for these users or they will
just blame IPA for screwing up. So, the information I wrote

https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11

needs to somehow get to the error message as a potential/likely root
cause of the problem. Whether you write it in the error message itself
or update the design page and just insert a link is up to you.

Martin

I would rather document this and have users read the documentation,
which they should do anyway when something goes wrong. There are many
errors in IPA which are common and users may blame IPA for them and I
don't see what makes this one so special that it should require a
special treatment.

I saw several reasons:
- Certificate and installation errors are more common than the others and
users are usually quite lost in what to do with them.
- In this case, we know with 90% probability what the root cause is.
- It will block one of the main use cases for the new CA renewal tool
and people will likely hit it, as MS CA is one of the most common CAs
and this is its default behavior.

Giving more details in this case will not hurt us, but benefit users. So
I still do not see the harm.

I do not see a harm either, my point is that we should probably point
the user to documentation when *anything* in *any* script goes wrong,
not just when some arbitrarily cherry-picked error occurs.


Anyway, I have created
<http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails>.

Good. Do you plan to reference the section or enhance the error message?

I plan to reference <http://www.freeipa.org/page/Troubleshooting>.

See the attached patch (385).

I think the reference to the Troubleshooting page should be more narrow, so
that people only see the URL for the cases we give specific advice for.
Otherwise I assume they will just ignore the page if they do not find
advice for other errors.

Right, makes sense.


Another idea would be to give a reference to the article when the actual CSR is
generated - as a heads up.

I think referring to troubleshooting before there actually is some trouble is not very good for publicity.

Anyway, updated patch attached, it implements what you suggested originally - link to the troubleshooting guide is added to relevant error messages. Let's think about this in more broad terms when the time comes for the installer refactoring.


Martin

--
Jan Cholasta
From 1040cdc14f7fcadea99a4d0808028ea284594eb0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 9 Dec 2014 12:47:58 +0000
Subject: [PATCH] Refer the user to freeipa.org when something goes wrong in
 ipa-cacert-manage

https://fedorahosted.org/freeipa/ticket/4781
---
 ipaserver/install/ipa_cacert_manage.py | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 8fda6a2..e074601 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -221,12 +221,21 @@ class CACertManage(admintool.AdminTool):
             nss_cert = x509.load_certificate_from_file(cert_file.name)
             cert = nss_cert.der_data
             if nss_cert.subject != subject:
-                raise admintool.ScriptError("Subject name mismatch")
+                raise admintool.ScriptError(
+                    "Subject name mismatch (visit "
+                    "http://www.freeipa.org/page/Troubleshooting for "
+                    "troubleshooting guide)")
             if x509.get_der_subject(cert, x509.DER) != der_subject:
-                raise admintool.ScriptError("Subject name encoding mismatch")
+                raise admintool.ScriptError(
+                    "Subject name encoding mismatch (visit "
+                    "http://www.freeipa.org/page/Troubleshooting for "
+                    "troubleshooting guide)")
             #pylint: disable=E1101
             if nss_cert.subject_public_key_info.format() != pkinfo:
-                raise admintool.ScriptError("Subject public key info mismatch")
+                raise admintool.ScriptError(
+                    "Subject public key info mismatch (visit "
+                    "http://www.freeipa.org/page/Troubleshooting for "
+                    "troubleshooting guide)")
             #pylint: enable=E1101
         finally:
             del nss_cert
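Review bot: the suffix "(visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)" is repeated verbatim in all three ScriptError calls in this hunk (and twice more in the hunks below); pull it into one module-level constant or a small helper so a future URL change touches a single place. The link also lands on the generic Troubleshooting page, whereas the section written for exactly this failure is http://www.freeipa.org/page/Troubleshooting#External_CA_renewal_with_ipa-cacert-manage_fails; given the point raised in the thread that users will ignore a page that does not address their error, the subject and encoding mismatch messages would be more useful pointing at that anchor. Minor: "for troubleshooting guide" reads better as "for the troubleshooting guide".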
@@ -253,7 +262,9 @@ class CACertManage(admintool.AdminTool):
                 tmpdb.verify_ca_cert_validity('IPA CA')
             except ValueError, e:
                 raise admintool.ScriptError(
-                    "Not a valid CA certificate: %s" % e)
+                    "Not a valid CA certificate: %s (visit "
+                    "http://www.freeipa.org/page/Troubleshooting for "
+                    "troubleshooting guide)" % e)
 
             trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
             for nickname in trust_chain:
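Review bot: appending the pointer inside the parentheses after the %s leaves the underlying ValueError text sandwiched in the middle of the message; a form like "Not a valid CA certificate: %s. See http://www.freeipa.org/page/Troubleshooting for the troubleshooting guide." keeps the NSS error text as one readable unit. The "% e" interpolation itself is unaffected, since the added URL contains no "%" characters.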
@@ -340,7 +351,9 @@ class CACertManage(admintool.AdminTool):
                 tmpdb.verify_ca_cert_validity(nickname)
             except ValueError, e:
                 raise admintool.ScriptError(
-                    "Not a valid CA certificate: %s" % e)
+                    "Not a valid CA certificate: %s (visit "
+                    "http://www.freeipa.org/page/Troubleshooting for "
+                    "troubleshooting guide)" % e)
 
         trust_flags = options.trust_flags
         if ((set(trust_flags) - set(',CPTcgpuw')) or
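Review bot: this hunk is the same change as the one at "@@ -253,7 +262,9 @@": both build the identical "Not a valid CA certificate: %s (visit ...)" message from the same kind of ValueError raised by verify_ca_cert_validity, so a shared helper that raises the ScriptError with the troubleshooting suffix would remove the duplication instead of adding a third copy of the string.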
-- 
2.1.0
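The "Subject name encoding mismatch" check discussed in the thread, as an added illustration that is not FreeIPA code: a hand-built X.501 Name is DER-encoded twice, once with PrintableString and once with UTF8String attributes, so the string form of the subject is identical while the DER bytes differ, and check_subject mirrors the two tests in ipa-cacert-manage (string compare first, raw DER compare second). The subject values and the choice of which string type gets swapped are constructed for the demo, not taken from any real CA.

```python
OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")    # id-at-organizationName (2.5.4.10)
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C

def tlv(tag, body):
    # DER tag-length-value; short-form length is enough for this demo
    return bytes([tag, len(body)]) + body

def der_name(rdns, string_tag):
    # X.501 Name: SEQUENCE of SET of SEQUENCE { OID, string }
    sets = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, val.encode())))
        for oid, val in rdns)
    return tlv(0x30, sets)

def parse_name(der):
    # Decode a DER Name back to [(oid_hex, string_tag, value)]
    out, body, i = [], der[2:2 + der[1]], 0
    while i < len(body):
        atv = body[i + 4:i + 4 + body[i + 3]]  # skip SET and SEQUENCE headers
        oid_len = atv[1]
        oid = atv[2:2 + oid_len]
        stag, vlen = atv[2 + oid_len], atv[3 + oid_len]
        out.append((oid.hex(), stag, atv[4 + oid_len:4 + oid_len + vlen].decode()))
        i += 2 + body[i + 1]
    return out

ATTR = {"550403": "CN", "55040a": "O"}

def subject_string(der):
    # The "string" view of a subject, which hides the attribute string type
    return ",".join("%s=%s" % (ATTR[o], v) for o, _, v in parse_name(der))

def check_subject(csr_subject_der, cert_subject_der):
    # Mirror of the two checks in ipa-cacert-manage: strings, then DER bytes
    if subject_string(csr_subject_der) != subject_string(cert_subject_der):
        return "Subject name mismatch"
    if csr_subject_der != cert_subject_der:
        return "Subject name encoding mismatch"
    return "ok"

RDNS = [(OID_CN, "Certificate Authority"), (OID_O, "EXAMPLE.TEST")]  # constructed
CSR_SUBJECT = der_name(RDNS, PRINTABLE_STRING)   # as carried in the CSR
REENCODED_SUBJECT = der_name(RDNS, UTF8_STRING)  # as a re-encoding CA would issue it

if __name__ == "__main__":
    print(check_subject(CSR_SUBJECT, CSR_SUBJECT))        # ok
    print(check_subject(CSR_SUBJECT, REENCODED_SUBJECT))  # Subject name encoding mismatch
```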

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
