> -----Original Message-----
> From: [email protected] [mailto:freeipa-users-
> [email protected]] On Behalf Of Thomson, Ryan
> Sent: Friday, October 25, 2013 11:17 AM
> To: Rob Crittenden; [email protected]
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request
[snip]
> > > I'm not sure what to make of this.
> >
> > This is just more confirmation that the IPA framework is trying to
> > initialize NSS for some reason. It should never do this which is why
> > it is failing so spectacularly.
> >
> > Can you provide nss.conf and ipa.conf from /etc/httpd/conf.d?
> >
> > Who owns and what are the permissions of /etc/httpd/alias/*.db?
> >
> > thanks
> >
> > rob
[snip]
After further troubleshooting and trying too many crazy things, I was finally
able to "hack" FreeIPA into renewing the certificates. Behold the terrible
hack, it is quite awful and certainly not an actual fix.

During my troubleshooting, I kept coming back to the getpass EOFError:

[Sat Sep 28 03:48:17 2013] [error] /usr/lib64/python2.6/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
[Sat Sep 28 03:48:17 2013] [error] passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:17 2013] [error] Warning: Password input may be echoed.
[Sat Sep 28 03:48:17 2013] [error] Enter password for internal:
[Sat Sep 28 03:48:17 2013] [error] exception in PK11 password callback
[Sat Sep 28 03:48:17 2013] [error] Traceback (most recent call last):
[Sat Sep 28 03:48:18 2013] [error] File "/usr/lib/python2.6/site-packages/ipapython/nsslib.py", line 230, in password_callback
[Sat Sep 28 03:48:18 2013] [error] return getpass.getpass("Enter password for %s: " % slot.token_name);
[Sat Sep 28 03:48:18 2013] [error] File "/usr/lib64/python2.6/getpass.py", line 83, in unix_getpass
[Sat Sep 28 03:48:18 2013] [error] passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error] File "/usr/lib64/python2.6/getpass.py", line 118, in fallback_getpass
[Sat Sep 28 03:48:18 2013] [error] return _raw_input(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error] File "/usr/lib64/python2.6/getpass.py", line 135, in _raw_input
[Sat Sep 28 03:48:18 2013] [error] raise EOFError
[Sat Sep 28 03:48:18 2013] [error] EOFError

So eventually I found my way into
/usr/lib/python2.6/site-packages/ipapython/nsslib.py and the getpass
password_callback function. Instead of allowing the password_callback() to
return "getpass.getpass("Enter password for %s: " % slot.token_name);", which
was raising the EOFError exception, I simply returned the text string from
/etc/httpd/alias/password.conf!
From what little I know about python and coding in general, it seems that
getpass was trying to read the NSS DB password from somewhere but was reading
nothing instead and thus raising EOFError.
I'm not sure what to do about a permanent fix as maintaining the NSS DB
password in a source file does seem rather insecure. Given the above, what
does a permanent fix actually look like? Is the getpass callback function
broken or is my environment broken?
--Ryan
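
A sketch of a password callback that avoids both the hard-coded password and the EOFError described in the message above (an added example, not FreeIPA's nsslib.py code and not a fix proposed in this thread). The callback(slot, retry) shape, the "token:password" file format and the is_tty parameter are assumptions, and it is written for Python 3:

```python
import getpass
import os
import stat
import sys


def read_token_password(path, token_name):
    """Look up token_name in a file of 'token:password' lines (assumed format)."""
    with open(path) as fh:
        # Refuse a secret file that group or other can read or write.
        mode = os.fstat(fh.fileno()).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s is accessible to group/other" % path)
        for line in fh:
            name, sep, password = line.rstrip("\n").partition(":")
            if sep and name.strip() == token_name:
                return password
    return None


def make_password_callback(password_file, is_tty=None):
    """Return a callback(slot, retry) that never prompts without a terminal."""
    if is_tty is None:
        is_tty = lambda: sys.stdin is not None and sys.stdin.isatty()

    def password_callback(slot, retry=False):
        if retry:
            # The stored password was already rejected; returning it again
            # would loop, so give up instead.
            return None
        try:
            password = read_token_password(password_file, slot.token_name)
        except FileNotFoundError:
            password = None
        if password is not None:
            return password
        if is_tty():
            # Interactive use (a CLI tool): prompting is safe here.
            return getpass.getpass("Enter password for %s: " % slot.token_name)
        # Daemon context (httpd): no terminal, so fail cleanly, not with EOFError.
        return None

    return password_callback
```

The password stays in a file readable only by its owner instead of in source code, and a too-permissive file raises PermissionError rather than being used.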