Marc Schlinger wrote:
Le 03/05/2010 17:38, Rob Crittenden a écrit :
Marc Schlinger wrote:
I tried to install freeipa with certs management. I did manage after
1°) The installation was unable to finished on a french localized
The error at stage [3/15]: configuring certificate server instance
was something like
java.utils.MissingResourceException can't find bundle for base name
LogMessages, locale fr_FR.UTF-8
full log at then end
It's a dogtag error but since I had it while installing freeipa, I
report it to you.
Finally, for the installation i used a fresh fedora 12 with
en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12,
and I activate the testing repos as advised in this thread:
[Freeipa-users] call implemented methods via xml-rpc.
Yes, I have this on my list to try to work around. I'm going to set
the en_US locale while we're installing dogtag, I just don't know what
this will do post-installation, if things will again blow up.
I opened a new bug on this against dogtag,
I tried to play a little with certificates mostly to replace puppet
certificate management by the freeipa ones
2°) I wasn't able to do a ipa cert-request
I had this error:
ipa: ERROR: Certificate operation cannot be completed: Failure
decoding Certificate Signing Request
It seems that it was a forgetten line in ipalib/pkcs10.py
here's the patch:
--- /tmp/pkcs10.py 2010-05-03 16:02:22.929018799 +0200
+++ ipalib/pkcs10.py 2010-05-03 16:02:09.855940583 +0200
@@ -52,6 +52,7 @@
Hmm. The python-pyasn1 x509.py sample has ia5string defined as well
but it isn't in RFC 3280 as a supported type for DirectoryString. I
can go ahead and add it in. Can you send me a certificate that is not
being parsed by the current pkcs10 module?
that's all for the report, now I have a question:
Is/Will freeipa integrate smart token authenticaurbeion?
In this page : http://freeipa.org/page/Certificate_Management
You said that "There is no requirement to provision user
certificates.". Smart key authentication require user certificates.
We aren't planning on supporting client certificates for v2. We may
add support at some point but it hasn't been planned, designed, etc.
Since we use dogtag if/when we implement support for client certs then
tokens should be part of that.
I'am confused, I'm totally wrong.
This patch is absolutly useless.
the only way to make ipa cert-request going wrong is omitting -newhdr
option whith openssl then the header and footer:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
whereas with the newhdr option we have the header and footer like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Ok, I thought I handled this, I guess not.
p.s: I really had problems without the ia5string stuff. I'm not crazy!
I don't think so, I just didn't run into it myself. It could be because
you use openssl to create the CSR and I used the NSS tools. Or it could
be because your locale is different, or the phase of the moon, who knows
:-) The pyasn1 guys have a code comment questioning why ia5string is
needed as well: # hm, this should not be here!? XXX If we're going to
get requests with ia5strings I'm ok with adding support to the parser.
The reason I asked for the cert sample was so I would be able to test
the fix end-to-end, and perhaps incorporate it into our test suite.
Freeipa-users mailing list