[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

martbab commented:
"""
@jcholast @frasertweedale I hope you did notice those failures in Travis CI before acking/pushing...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266415516

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266414213
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast right you are. PR updated with conditional import. Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266400860
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, I'm afraid we can't do that. As I said in the comment, you cannot unconditionally import from `ipaplatform` to `ipalib` anymore, so you either have to make the change to PyASN1, or make the import conditional:

```python
try:
    from ipaplatform.paths import paths
except ImportError:
    OPENSSL = '/usr/bin/openssl'
else:
    OPENSSL = paths.OPENSSL
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266359452
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
On Sun, Dec 11, 2016 at 10:36:27PM -0800, Jan Cholasta wrote:
> @frasertweedale, thanks. What about
> [this](https://github.com/freeipa/freeipa/pull/177/files#r91243228)?
>
It is a worthwhile change (thank you for reminding me). Let's address any remaining issues for this feature and get it merged. The proposed PKCS #7 refactoring can be tacked separately. I filed a ticket https://fedorahosted.org/freeipa/ticket/6550

Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266358091
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, thanks. What about [this](https://github.com/freeipa/freeipa/pull/177/files#r91243228)?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266353770
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast updated PR to include `certificate` and `certificate_chain` in `ca_find` output when `--all` is specified.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265684968
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, yep, I'm aware of that - `cert-find` does the same. Not a big deal IMO since it has to be explicitly requested by the user. But tickets are certainly a good idea.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265420461
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast returning cert and chain in `ca_find` when `--all` is given will incur `n * 2` additional round-trips to Dogtag where `n` = number of IPA-managed CAs. I am hesitant to do it unless/until Dogtag provides a better way. Let's open tickets.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast returning cert and chain in `ca_find` when `--all` is given will incur `n * 2` additional round-trips to Dogtag. I am hesitant to do it unless/until Dogtag provides a better way. Let's open tickets.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker.

Also see inline comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
But could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker.

Also see inline comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast OK there we go. I'd forgotten to remove the `include='cli'` when converting to server-side option.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263809966
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
Never mind... my `--chain` option disappeared... not quite there yet >_<
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263806421
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast thanks for review. PR updated. No longer inheriting `BaseCertObject`. `--chain` now defined server-side and no longer implies `--all`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263805812
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
To continue the discussion from the mailing list:

>> My point exactly - ca-show output should be equivalent to cert-show on the
>> CA certificate, as far as the certificate and chain are concerned.
>>
> I reused `BaseCertObject.takes_params' and `BaseCertObject._parse'
> to define the params and do most of the work. There is some overlap
> with what `BaseCertObject' defines and fields of the `ca' LDAP
> attribute so these are ignored/removed.

What I actually meant is that `cert-show` should also have a `chain` option and `certificate_chain` param in the future, which should work the same as in `ca-show`. Adding everything from BaseCertObject is an overkill IMHO, and out of the scope of ticket 6178.

>> I think I would prefer if the certificate was always returned by the server,
>> but the chain only if --chain (or --all) is specified.
>>
>> Additionally, ca-add should also get the new options and do all of this.
>>
> I've implemented this. `--chain' implies `--all' but otherwise
> remains a client-side only param.

This does not scale well - if a new unrelated attribute is added to the CA LDAP entry, or if a new param is added to the CA object, `--chain` will imply retrieving them, which is not something we want. It should really be the other way around and `--all` should imply `--chain`, which also means `--chain` has to be defined on the server side.

>> Generator expressions are generally preferred over map():
>>
>> data = '\n'.join(to_pem(der) for der in ders)
>>
> Preferred by whom? ;)

Pythonistas, I believe :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262916556
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@tomaskrizek thanks for reviewing. Updated tests and changed the `--certificate-out` metavar to `FILE`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262872744
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

tomaskrizek commented:
"""
Please update the xmlrpc tests to reflect the extra certificate attributes (~12 failed tests in `test_xmlrpc/test_ca_plugin.py`, `test_caacl_plugin.py` and `test_caacl_profile_enforcement.py`).

There are also a couple tests failing with ACIError:

    ACIError: Insufficient access: Principal 'srv/santest-host-1...' is not permitted to use CA 'default-profile-subca' with profile 'caIPAserviceCert' for certificate issuance.

I also found the `--certificate-out` option a bit confusing. At first I thought I should provide the certificate name to be exported. Perhaps the help text could be improved to make it clear the user should provide a file name?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262813919
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

tiran commented:
"""
pylint fails:

```
Pylint is running, please wait ...
* Module ipalib.x509
ipalib/x509.py:161: [E0602(undefined-variable), pkcs7_to_pems] Undefined variable 'paths')
make: *** [pylint] Error 2
Makefile:1040: recipe for target 'pylint' failed
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-261199258
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
Bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-259387372
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
The original review thread is available at: https://www.redhat.com/archives/freeipa-devel/2016-October/msg00578.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-255660397