Thomson, Ryan wrote:
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Thomson, Ryan
Sent: Friday, October 25, 2013 11:17 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request


[snip]

I'm not sure what to make of this.

This is just more confirmation that the IPA framework is trying to
initialize NSS for some reason. It should never do this which is why
it is failing so spectacularly.

Can you provide nss.conf and ipa.conf from /etc/httpd/conf.d?

Who owns and what are the permissions of /etc/httpd/alias/*.db?

thanks

rob

[snip]

After further troubleshooting and trying too many crazy things, I was finally able to 
"hack" FreeIPA into renewing the certificates. Behold the terrible hack, it is 
quite awful and certainly not an actual fix.

During my troubleshooting, I kept coming back to the getpass EOFError:

[Sat Sep 28 03:48:17 2013] [error] /usr/lib64/python2.6/getpass.py:83: 
GetPassWarning: Can not control echo on the terminal.
[Sat Sep 28 03:48:17 2013] [error]   passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:17 2013] [error] Warning: Password input may be echoed.
[Sat Sep 28 03:48:17 2013] [error] Enter password for internal:
[Sat Sep 28 03:48:17 2013] [error] exception in PK11 password callback
[Sat Sep 28 03:48:17 2013] [error] Traceback (most recent call last):
[Sat Sep 28 03:48:18 2013] [error]   File 
"/usr/lib/python2.6/site-packages/ipapython/nsslib.py", line 230, in 
password_callback
[Sat Sep 28 03:48:18 2013] [error]     return getpass.getpass("Enter password for 
%s: " % slot.token_name);
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 83, in unix_getpass
[Sat Sep 28 03:48:18 2013] [error]     passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 118, in fallback_getpass
[Sat Sep 28 03:48:18 2013] [error]     return _raw_input(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 135, in _raw_input
[Sat Sep 28 03:48:18 2013] [error]     raise EOFError
[Sat Sep 28 03:48:18 2013] [error] EOFError

So eventually I found my way into /usr/lib/python2.6/site-packages/ipapython/nsslib.py and the 
getpass password_callback function. Instead of allowing the password_callback() to return 
"getpass.getpass("Enter password for %s: " % slot.token_name);", which was 
rasing the EOFError exception, I simply returned the text string from 
/etc/httpd/alias/password.conf!

 From what little I know about python and coding in general, it seems that 
getpass was trying to read the NSS DB password from somewhere but was reading 
nothing instead and thus raising EOFError.

I'm not sure what to do about a permanent fix as maintaining the NSS DB 
password in a source file does seems rather insecure. Given the above, what 
does a permanent fix actually look like? Is the getpass callback function 
broken or is my environment broken?

Right, and removing it will cause other cert requests to fail in the same way. It will also get lost upon the next update of the ipa-python package.

The root of the problem is that for some unknown reason the NSS database isn't already initialized. I've been unable to reproduce that here so don't really have any idea what the problem could be.

A slightly more secure workaround might be to set an empty password on the NSS database in /etc/httpd/alias. SELinux and FS permissions will protect the key material but a password won't be required any more. This would mean some other configuration changes, and I don't know that we've tested this specifically, but it would probably work. Certainly the sort of thing where you back up a lot of things first.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to