On 11/01/18 14:26, Rob Crittenden via FreeIPA-users wrote:
Ludwig Krispenz via FreeIPA-users wrote:
On 01/11/2018 02:36 PM, Rob Crittenden via FreeIPA-users wrote:
lejeczek via FreeIPA-users wrote:
hi everyone

when I see this in replica install log:

..
2018-01-11T12:46:31Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -L -n
PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -a -f
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-11T12:46:31Z DEBUG Process finished, return code=255
2018-01-11T12:46:31Z DEBUG stdout=
2018-01-11T12:46:31Z DEBUG stderr=certutil: Could not find cert:
PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
..

Is that just the log, or are the actual surrounding quotes missing in
the replica-install code?
For, when I manually exec this in bash on the replica candidate:

$ certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -L -n
"PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA" -a -f
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIBATANBgkqhkiG9w0BAQsFADBNMSswKQYDVQQKDCJQUklW
QVRFLkNDTlIuQ0VCLlBSSVZBVEUuQ0FNLkFDLlVLMR4wHAYDVQQDDBVDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHkwHhcNMTgwMTExMTIxMjIxWhcNMzgwMTExMTIxMjIxWjBN
...

Arguments passed into exec don't need to be shell-escaped or quoted.

But "PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA" contains spaces; if you don't
quote it, how would certutil handle it?

Because we are calling it using python subprocess and not forking out
into a shell to execute it. Each argument is independent and doesn't
need to be scanned by the shell to see where each arg begins and ends.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Looks to me Rob is correct, it's the first check for a cert and it fails. I see subsequent certutil invocations are logged the same way but they succeed - the next one a cert addition, etc. Thus that first failure I saw is because certutil did not find a cert. Although it catches you, for you see such an error, do copy&paste in bash session and get exactly the same error as in the log file and..
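
The behaviour discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: an argument list given to Python's `subprocess` reaches the child as separate argv entries, so a nickname with spaces stays one argument, while a log line that joins those arguments with spaces (assumed here to be how the line in the thread was produced) no longer shows where each argument ends. The nickname, path and helper names are constructed for illustration, and a small Python child stands in for certutil.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-ins for the redacted values in the log above.
NICKNAME = "EXAMPLE.TEST IPA CA"
ARGS = ["certutil", "-d", "/etc/dirsrv/slapd-EXAMPLE-TEST/",
        "-L", "-n", NICKNAME, "-a"]

# Stand-in child: prints the argv it actually received as JSON.
CHILD = [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))"]


def argv_seen_by_child(args):
    """Run the child with an argument list (no shell) and return its argv."""
    done = subprocess.run(CHILD + list(args), capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


def log_naive(args):
    """Space-joined log text: argument boundaries are lost."""
    return " ".join(args)


def log_unambiguous(args):
    """Shell-quoted log text: safe to read back or paste into a shell."""
    return shlex.join(args)


def argv_after_shell_parsing(logged):
    """The argv a POSIX shell would build from a pasted log line."""
    return shlex.split(logged)


if __name__ == "__main__":
    print("child received :", argv_seen_by_child(ARGS[1:]))
    print("naive log      :", log_naive(ARGS))
    print("pasted to shell:", argv_after_shell_parsing(log_naive(ARGS)))
    print("quoted log     :", log_unambiguous(ARGS))
```

Pasting the space-joined line into a shell splits the nickname into three arguments, which is why the pasted command looks for a different nickname than the one the installer asked for.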