[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18
https://fedorahosted.org/freeipa/changeset/2a1494c9aef2e2b5c06e427e689787e5a2c4dc7f
https://fedorahosted.org/freeipa/changeset/1e89d28aaf3a0a4b48fc09a5d98262f1000c52a3
https://fedorahosted.org/freeipa/changeset/6b074ad833a12acbd4643795b2150fa7f019d6b2
https://fedorahosted.org/freeipa/changeset/0a54fac02cecad3b9e3bf8ad0c8a44df3b701857
https://fedorahosted.org/freeipa/changeset/afea026a5c45ce24f3bf6da499b4d334eea3ca78
https://fedorahosted.org/freeipa/changeset/2a9d1fb7d9dda0299c6f7cd75a715182d15e04df
https://fedorahosted.org/freeipa/changeset/76e8d7b35d110e5cf5494898950ab3607799c031
https://fedorahosted.org/freeipa/changeset/595f9b64e31dc9e4f035119e834db7e6cb152dce
https://fedorahosted.org/freeipa/changeset/51a2b1372936106ff95d5a45afc813f146653ae4
https://fedorahosted.org/freeipa/changeset/24b134c633390343ba76e4091fa612650976280a
https://fedorahosted.org/freeipa/changeset/5ab85b365ae886558b1f077b0d039a0d24bebfa7

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283291458

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

HonzaCholasta commented:

OK. Let's fix it later.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283290295

stlaz commented:

@HonzaCholasta I saw this issue as well; once you hit it on a VM, no `pkispawn` will run correctly. I am not sure if it's caused by this PR; my guess is it shouldn't be, as `pkispawn` was not touched at all, but I can't be sure.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283289757

HonzaCholasta commented:

`ipa-replica-install --setup-ca` still fails with the same error though.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283289474

HonzaCholasta commented:

CA-less to CA-ful conversion still fails:
```
2017-03-01T09:14:40Z DEBUG Starting external process
2017-03-01T09:14:40Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpgj_Ue4
2017-03-01T09:14:40Z DEBUG Process finished, return code=1
2017-03-01T09:14:40Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170301101440.log
Loading deployment configuration from /tmp/tmpgj_Ue4.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: Directory '/etc/pki/pki-tomcat' already exists!

2017-03-01T09:14:40Z DEBUG stderr=pkispawn: ERROR... Directory '/etc/pki/pki-tomcat' already exists!

2017-03-01T09:14:40Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpgj_Ue4' returned non-zero exit status 1
2017-03-01T09:14:40Z CRITICAL See the installation logs and the following files/directories for more information:
2017-03-01T09:14:40Z CRITICAL   /var/log/pki/pki-tomcat
2017-03-01T09:14:40Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 611, in __spawn_instance
    nolog_list=(self.dm_password, self.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 144, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 391, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-03-01T09:14:40Z DEBUG [error] RuntimeError: CA configuration failed.
```
Not sure if it's caused by the PR or not, but either way it can be fixed later.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283288635

stlaz commented:

This should now be fixed. In my endless naivety I had thought passing no password to `export_pkcs12()` would actually mean no password will be set.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283276979

HonzaCholasta commented:

Upgrade from 4.4.3 asks for a PKCS#12 file password and then fails:
```
  Cleanup    : freeipa-server-common-4.4.3-1.fc25.noarch                        14/16
  Cleanup    : freeipa-client-common-4.4.3-1.fc25.noarch                        15/16
  Cleanup    : freeipa-common-4.4.3-1.fc25.noarch                               16/16
Enter password for PKCS12 file:
Re-enter password:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
  Verifying  : freeipa-client-4.4.90.dev201703010721+git5bb660e-0.fc25.x86_64          1/16
  Verifying  : freeipa-client-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch   2/16
  Verifying  : freeipa-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch          3/16
```

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283270033

stlaz commented:

Fixed another issue with CA-less to CA-full upgrade.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283057864

stlaz commented:

The issues should hopefully be fixed.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283028836

HonzaCholasta commented:

`ipa-replica-install` with `--setup-ca` fails with:
```
2017-02-28T07:38:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 336, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 328, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 423, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 384, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 381, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 618, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 423, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 478, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 384, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 381, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 595, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 398, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1455, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 203, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 282, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 289, in wrapper
    ra_cert_retrieval(cls, *args)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 729, in __import_ra_key
    custodia.import_ra_key(self.master_host)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 119, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 100, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-02-28T07:38:41Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not
```

HonzaCholasta commented:

CA-less to CA-full `ipa-ca-install` fails with:
```
2017-02-28T07:24:47Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 892, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 304, in main
    promote(safe_options, options, filename)
  File "/sbin/ipa-ca-install", line 270, in promote
    install_master(safe_options, options)
  File "/sbin/ipa-ca-install", line 235, in install_master
    ca.install(True, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 204, in install
    install_step_1(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 325, in install_step_1
    config_ipa=True, config_compat=True)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 410, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 160, in update_ca_cert
    subject, issuer_serial, public_key = _parse_cert(dercert)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 39, in _parse_cert
    raise ValueError("failed to decode certificate: %s" % e)

2017-02-28T07:24:47Z DEBUG The ipa-ca-install command failed, exception: ValueError: failed to decode certificate: Unable to load certificate
```

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282963327

HonzaCholasta commented:

Upgrade from 4.3 fails with:
```
2017-02-28T07:07:18Z DEBUG Starting external process
2017-02-28T07:07:18Z DEBUG args=/usr/bin/pk12util -d /etc/httpd/alias -o (6, '/etc/httpd/alias/tmpFNEJrK') -n ipaCert -k /etc/httpd/alias/pwdfile.txt
2017-02-28T07:07:18Z DEBUG Process execution failed
2017-02-28T07:07:18Z DEBUG Destroyed connection context.ldap2_139873144635088
2017-02-28T07:07:18Z ERROR Upgrade failed with coercing to Unicode: need string or buffer, tuple found
2017-02-28T07:07:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 219, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_ra_cert_store.py", line 47, in execute
    certdb.export_pkcs12(ra_nick, p12file)
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 232, in export_pkcs12
    ipautil.run(args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 442, in run
    preexec_fn=preexec_fn)
  File "/usr/lib64/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
TypeError: coercing to Unicode: need string or buffer, tuple found

2017-02-28T07:07:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 227, in __upgrade
    raise RuntimeError(e)
RuntimeError: coercing to Unicode: need string or buffer, tuple found

2017-02-28T07:07:18Z DEBUG [error] RuntimeError: coercing to Unicode: need string or buffer, tuple found
```

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282960429
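The argv in the log above contains a tuple where a path was expected: `-o (6, '/etc/httpd/alias/tmpFNEJrK')` has exactly the shape of what `tempfile.mkstemp()` returns, and Python 2's subprocess reports that as "coercing to Unicode: need string or buffer, tuple found" (inference from the log; the thread does not name the cause). The following is an added example, not FreeIPA's code and not from this thread: function names and the argument layout are this example's own, and the `pk12util` binary is never executed. It shows the mistake next to the corrected construction, plus an up-front argv check that fails with a message naming the offending element instead of a spawn-time traceback.

```python
import os
import tempfile

# Added example, not FreeIPA code. Path taken from the log above; the binary is not run here.
PK12UTIL = "/usr/bin/pk12util"


def check_argv(args):
    """Reject an argv that subprocess would choke on at spawn time.

    Python 2 raised TypeError('coercing to Unicode: ...') when an element was a tuple;
    Python 3 raises TypeError with a different message. Checking up front gives an error
    that names the bad element, which a traceback from inside subprocess does not.
    """
    for i, a in enumerate(args):
        if not isinstance(a, (str, bytes)):
            raise TypeError("argv[%d] must be str or bytes, got %s: %r"
                            % (i, type(a).__name__, a))
    return list(args)


def export_args_buggy(dbdir, nickname, pwdfile, out_dir):
    """The mistake: mkstemp() returns (fd, path) and the whole tuple lands in argv."""
    p12file = tempfile.mkstemp(dir=out_dir)  # BUG: p12file is (fd, path), not a path
    return [PK12UTIL, "-d", dbdir, "-o", p12file, "-n", nickname, "-k", pwdfile]


def export_args(dbdir, nickname, pwdfile, out_dir):
    """Corrected: unpack the tuple, close the fd we never use, pass only the path."""
    fd, p12file = tempfile.mkstemp(dir=out_dir)
    os.close(fd)  # pk12util opens the output file itself; an open fd here would only leak
    return check_argv([PK12UTIL, "-d", dbdir, "-o", p12file, "-n", nickname, "-k", pwdfile])


def demo():
    """Build both argv forms in a scratch directory and report what check_argv says."""
    dbdir, nick, pwdfile = "/etc/httpd/alias", "ipaCert", "/etc/httpd/alias/pwdfile.txt"
    with tempfile.TemporaryDirectory() as scratch:
        buggy = export_args_buggy(dbdir, nick, pwdfile, scratch)
        try:
            check_argv(buggy)
            buggy_error = None
        except TypeError as e:
            buggy_error = str(e)
        finally:
            os.close(buggy[4][0])  # release the fd the buggy version leaked
        fixed = export_args(dbdir, nick, pwdfile, scratch)
        return {
            "buggy_out_arg": buggy[4],
            "buggy_error": buggy_error,
            "fixed_out_arg_is_path": isinstance(fixed[4], str) and os.path.isfile(fixed[4]),
            "fixed_argv": fixed,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The `-o` element sits at index 4 in both lists, so `check_argv` reports `argv[4]` for the buggy form; the corrected form yields an argv of plain strings whose `-o` target is an existing, empty temporary file.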

stlaz commented:

NSS DB creation removed from server install; did not realize it does not matter anymore.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282703536

stlaz commented:

All the raised issues should've been addressed in the latest PR, except for the NSS DB creation; please answer the question in `ipaserver/install/server/install.py`.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282695105

stlaz commented:

The issues from the previous build should be resolved now; it can be reviewed, hopefully the build passes.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282277991

stlaz commented:

Hopefully all issues were addressed + `radb` removed. If the Travis check passes then this is ready for review again.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282074914

stlaz commented:

Some more fixes for Travis to check.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281950085

stlaz commented:

First set of fixes to comments arrived, throwing it to Travis.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281710491

HonzaCholasta commented:

Besides what I wrote in inline comments, we need to get rid of `/var/lib/ipa/radb` now that it's unused.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281655830

stlaz commented:

Rebased on current master.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281281981

stlaz commented:

In the last update I renamed the proposed config option `ca_certfile` to `cacert_store` and made it a requirement for it to be an absolute path. This was done with possible future changes to it in mind (thanks @HonzaCholasta for pointing that out). If the tests pass then this should be ready for review.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-280272695

stlaz commented:

In the latest patchset, the "ipaCert" is removed from the "/etc/httpd/alias/" NSSDB and all the machinery around the certificate is moved accordingly. I am addressing support of old SSL protocol versions in https://github.com/freeipa/freeipa/pull/396, although that one currently requires some changes.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-276929867

rcritten commented:

SSLv2 should not be supported, period. Not that it would work anyway because most SSL libs have completely removed this support, but it is just a terrible idea to even try and allow it. The rest I'm flexible on.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-272205432

stlaz commented:

@rcritten `tls_version_min/max` could have been set to "ssl2" just as well as "ssl3", but perhaps it's for the best to remove them. I will try to do the certmonger part and will remove this with it.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-272182713

tiran commented:

Let's not make @stlaz jump through more bike-shedding hoops. How about we let him finish this PR, and then address TLS versions, ciphers and other simplifications in another PR?

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-272178840

tiran commented:

@rcritten I wonder if we need to support any version except TLS 1.2 at all. Are there any versions of the FreeIPA stack that do not have TLS 1.2 support?

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-272176995

rcritten commented:

Wait, you added support for SSLv2? Please remove it; it isn't needed even for backwards compatibility and would not be considered a regression.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-272174784

stlaz commented:

@rcritten I spoke to the NSS people who assured me it's the intended behavior. But thanks for the reminder, I will open a Bugzilla for that as well; I was considering it before Christmas.

**edit:** https://bugzilla.redhat.com/show_bug.cgi?id=1410143

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270383517

stlaz commented:

I created the design for this effort: http://www.freeipa.org/page/V4/Replace_NSS_with_OpenSSL

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-271845272

stlaz commented:

In the last update I added SSLv2 support in IPAHTTPSConnection for backward compatibility (https://goo.gl/images/gqh2D9). I also removed the Fedora crypto policies ciphers as we are not supporting that right now, and if we did, we should do that on the server as well. There would perhaps be a ticket required. Also added a ticket to "Move RA agent certificate file export to a different location" as it fixes an issue with missing /etc/httpd/alias/kra-agent.pem as well.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-271560505

tiran commented:

```
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options = (ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
               ssl.OP_SINGLE_ECDH_USE | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
try:
    # use Fedora crypto policy
    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
    ctx.set_ciphers("PROFILE=SYSTEM")
except ssl.SSLError:
    # high ciphers without RC4, MD5, TripleDES, pre-shared key and secure remote password
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
```

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270659921

stlaz commented:

@rcritten I spoke to the NSS people who assured me it's the intended behavior. But thanks for the reminder, I will open a Bugzilla for that as well; I was considering it before Christmas.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270383517

rcritten commented:

Did you open a bug against NSS or python-nss regarding the PIN requirement?

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270382386

stlaz commented:

You're right, I should probably write some design. The current implementation does not check CRL or OCSP, so we're "fine" with this change. There is a plan on doing CRL check in certmonger, though.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270347796

tiran commented:

* Ticket 5695 is about ```FreeIPA on FIPS enabled systems```. Moving from NSS to OpenSSL is a big change and should be tracked by its own ticket.
* Are customers fine with the fact that FreeIPA clients will no longer verify CRLs? OpenSSL does not automatically download and verify CRLs. OCSP is not yet supported by Python's ssl module.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270335111

tiran commented:

* Ticket 5695 looks wrong, it's about ```FreeIPA on FIPS enabled systems```.
* Are customers fine with the fact that FreeIPA clients will no longer verify CRLs? OpenSSL does not automatically download and verify CRLs. OCSP is not yet supported by Python's ssl module.

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270335111
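Two of tiran's points in this thread go together: the `SSLContext` recipe he posted (system crypto policy with an explicit cipher-string fallback) and the question above about revocation, since an OpenSSL-backed Python client never fetches a CRL on its own and checks none unless told to. The following is an added example, not FreeIPA's code and not code from this thread: the function names (`make_client_context`, `weak_ciphers`, `context_summary`, `revocation_checking`, `enable_crl_checking`) are this example's own. It goes beyond the posted snippet by using `PROTOCOL_TLS_CLIENT` with a TLS 1.2 floor, which also switches on certificate and hostname verification, instead of only excluding SSLv2 and SSLv3; the revocation part makes the default visible and shows the one knob that changes it.

```python
import ssl

# Added example, not FreeIPA code. Cipher strings as posted in the thread; the PROFILE=SYSTEM
# string only resolves on OpenSSL builds that ship the Fedora system-wide crypto policy.
SYSTEM_POLICY = "PROFILE=SYSTEM"
FALLBACK_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
# Substrings of OpenSSL suite names that any acceptable policy must leave out
# (NULL/anonymous suites, MD5, RC4, triple DES).
WEAK_TOKENS = ("NULL", "MD5", "RC4", "DES-CBC3", "ADH", "AECDH")


def make_client_context():
    """Return (ctx, cipher_source).

    Differs from the posted snippet in two ways: PROTOCOL_TLS_CLIENT enables CERT_REQUIRED
    and hostname checking by default, and a TLS 1.2 floor replaces OP_NO_SSLv2 | OP_NO_SSLv3,
    which only excluded the SSL versions and still allowed TLS 1.0 and 1.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE
    try:
        ctx.set_ciphers(SYSTEM_POLICY)
        source = "system-policy"
    except ssl.SSLError:
        # Same fallback as the posted snippet, taken when OpenSSL knows no such profile.
        ctx.set_ciphers(FALLBACK_CIPHERS)
        source = "fallback"
    return ctx, source


def weak_ciphers(ctx):
    """Enabled suites whose names contain a token the policy should have excluded."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"].upper() for tok in WEAK_TOKENS)]


def revocation_checking(ctx):
    """'none' is what every fresh context reports: no CRL is consulted at all."""
    flags = ctx.verify_flags
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"


def enable_crl_checking(ctx, crl_pem_path=None, whole_chain=False):
    """Turn CRL checking on.

    OpenSSL does not download anything from the certificate's CRL distribution point, so
    the CRL must be loaded locally (load_verify_locations accepts CRL PEM blocks alongside
    CA certificates). With the flag set and no CRL loaded, every handshake fails
    verification with 'unable to get certificate CRL', which is the safe direction.
    """
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain else ssl.VERIFY_CRL_CHECK_LEAF
    if crl_pem_path is not None:
        ctx.load_verify_locations(cafile=crl_pem_path)
    return revocation_checking(ctx)


def context_summary(ctx):
    """The settings a reviewer would want to see at a glance."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "revocation": revocation_checking(ctx),
    }


if __name__ == "__main__":
    ctx, source = make_client_context()
    print(source, context_summary(ctx), "weak suites:", weak_ciphers(ctx))
    print("after enabling:", enable_crl_checking(ctx))
```

Whichever branch `set_ciphers` takes, `weak_ciphers` comes back empty, and `context_summary` reports `revocation: none` until `enable_crl_checking` is called; a deployment that wants the CRL actually honoured has to ship it to the client and load it, which is the gap the question above is pointing at.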