Re: [Freeipa-devel] [PATCH] webui: 696 support wildcard attribute level rights
On 25.7.2014 22:25, Endi Sukma Dewata wrote:
> On 7/21/2014 6:35 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/4380
>>
>> You're right, there is an error. Attaching new version. The code is
>> rewritten to be more comprehensible - use cases are in separate
>> variables.
>
> ACK. The code now makes more sense.

Pushed to:
master: 855c59c7fcbeaa8f1caff6c3e5c61b0524eab53d
ipa-4-1: 855c59c7fcbeaa8f1caff6c3e5c61b0524eab53d
ipa-4-0: 8d4653537665ee7a9323e79eacbc3468df0ba394
--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 709 webui: fix nested items creation in dropdown list
On 25.7.2014 22:25, Endi Sukma Dewata wrote:
> On 7/21/2014 6:51 AM, Petr Vobornik wrote:
>> Items nested in other items were created in root list instead of
>> nested list.
>>
>> Note: this feature is not used in current UI but it's likely to be
>> used by a plugin
>
> ACK.

Pushed to:
ipa-4-0: 4bdc7a44e051a712995a0af44b798b72c8f9714a
ipa-4-1: 4059aa12a4487c925472751b132842bdb0b16a02
master: 4059aa12a4487c925472751b132842bdb0b16a0
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 711 webui: internet explorer fixes
On 25.7.2014 22:26, Endi Sukma Dewata wrote:
> On 7/24/2014 11:36 AM, Petr Vobornik wrote:
>> On 23.7.2014 15:17, Petr Vobornik wrote:
>>> Fixed:
>>> 1. IE doesn't support value 'initial' in CSS rule.
>>> 2. setting innerHTML='' also destroys content of child nodes in
>>>    LoginScreen in IE - reattached buttons have no text.
>>>
>>> Should go into 4.0 Milestone
>>
>> Found an issue in the implementation, new version attached.
>
> ACK.

Pushed to:
ipa-4-0: f1b4dfcfe1b734520c6c3e950696735919317a16
ipa-4-1: fb975bba2076758f0615dae042aed2cde705a1b0
master: fb975bba2076758f0615dae042aed2cde705a1b0
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 712 webui: detach facet nodes
On 25.7.2014 22:27, Endi Sukma Dewata wrote:
> On 7/23/2014 8:25 AM, Petr Vobornik wrote:
>> Detach/attach facet nodes when switching facets instead of
>> hiding/showing. Keeps dom-tree more simple.
>>
>> This patch is not really needed. I implemented it while testing
>> something in IE. But it might have positive effect for poorly written
>> parts of Web UI (if there are any :) ) or plugins. Basically it
>> simplifies DOM tree to contain nodes only for the active facet.
>> Therefore ugly expressions like $('button .foobar') are much more
>> performant.
>
> ACK. In the future the entire facet itself probably can even be loaded
> dynamically, so this is a step in that direction. The facet element
> itself probably can be merged with the content element since there's
> only one facet/content at any time.

Pushed to:
ipa-4-0: ee61651bc9667462dec8e6dd2e64dbfeb249deed
ipa-4-1: 9aed114d822efb0eaa01d93624bc0ea6612c4169
master: 9aed114d822efb0eaa01d93624bc0ea6612c4169
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 713-714 webui: replace action_buttons with action_widget
On 25.7.2014 22:27, Endi Sukma Dewata wrote:
> On 7/23/2014 8:26 AM, Petr Vobornik wrote:
>> [PATCH] 713 webui: replace action_buttons with action_widget
>>
>> Simplify code base by reuse of 'disable' feature of button_widget.
>> All occurrences of action-button which were disabled/enabled were
>> replaced by button-widget.
>>
>> https://fedorahosted.org/freeipa/ticket/4258
>>
>> [PATCH] 714 webui: remove remaining action-button-disabled occurrences
>>
>> Buttons in hbactest check for 'action-button-disabled' but it's never
>> set.
>>
>> https://fedorahosted.org/freeipa/ticket/4258
>
> ACK.

pushed to:

master:
* 3966417779910a7f8ced411cbcdac4cb04145038 webui: replace action_buttons with action_widget
* ac7df79a43732cead50f83e31220b0bf2d0230f4 webui: remove remaining action-button-disabled occurrences

ipa-4-1:
* 3966417779910a7f8ced411cbcdac4cb04145038 webui: replace action_buttons with action_widget
* ac7df79a43732cead50f83e31220b0bf2d0230f4 webui: remove remaining action-button-disabled occurrences

ipa-4-0:
* 9cbe6b16c7c5cb63ab2dd6da4a7103ef5ba3e4cb webui: replace action_buttons with action_widget
* bf9c254c9780e3bc485e9a8fb613a3dd31b3a568 webui: remove remaining action-button-disabled occurrences
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 715 webui: add bounce url to reset_password.html
On 25.7.2014 22:27, Endi Sukma Dewata wrote:
> On 7/23/2014 9:59 AM, Petr Vobornik wrote:
>> reset_password.html now redirects browser to URL specified in
>> 'redirect' uri component (if present).
>>
>> The component has to be URI encoded. ie (in browser console):
>>
>> $ encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging')
>> --
>> http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging
>> --
>> https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging
>>
>> https://fedorahosted.org/freeipa/ticket/4440
>
> ACK.

Pushed to:
master: 8288135b5b218cd63d5f5bfba59f6d1f9657af2d
ipa-4-1: 8288135b5b218cd63d5f5bfba59f6d1f9657af2d

Not closing the ticket yet.

> Just one thing, there is no pause between clicking the Reset button and
> the redirection, so the "Password reset was successful." confirmation
> message might only appear very briefly. A possible alternative is to
> show a confirmation page/message, but the user will have to click to
> continue to the next page.

I don't believe there is a universal solution. I would say that it
depends on personal preferences and a use case. I.e., if it's part of a
login procedure I would prefer immediate redirection back to login page.
If it's invoked from a user action - just to change the password, some
delay might be good. We might add a URL param(s) to configure the
delay/link.
--
Petr Vobornik
Re: [Freeipa-devel] LDAP schema for DNSSEC keys
On Fri, 2014-07-25 at 19:26 +0200, Petr Spacek wrote:
> I have updated design page and diagrams:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#LDAPschema

Excellent page, I took a full read and it all seems reasonable.

However I would like a page like this with the detailed summary of key
material handling. This is important to get right and have documented
anyway so if someone could summarize in detail all the key handling I
would be happy to do a detailed review and think carefully about the
security stance of the final solution we agreed on.

If we can do this early it would be better to avoid costly rewrites
should we have forgotten/underestimated some implementation detail that
requires changes.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0243] ipalib: idrange: Make non-implemented range types fail the
On 07/21/2014 09:59 AM, Jan Cholasta wrote:
> Hi,
>
> On 16.7.2014 14:05, Tomas Babej wrote:
>> Hi,
>>
>> The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to
>> pass the validation tests, however, they are not implemented nor
>> checked by the 389 server plugin.
>>
>> https://fedorahosted.org/freeipa/ticket/4323
>
> ACK.

Pushed to:
master: e74307caa6daf1e7e261ff481f6c5b089df82f57
ipa-4-1: e74307caa6daf1e7e261ff481f6c5b089df82f57
ipa-4-0: fb89a774e331c3b3eb70950911e4136a7e1f141b
--
Petr³
Re: [Freeipa-devel] [PATCH] 710 webui: review pending operation after expired session
On 25.7.2014 22:26, Endi Sukma Dewata wrote:
> On 7/23/2014 8:16 AM, Petr Vobornik wrote:
>> Disable automatic re-execution of command after pending
>> authentication. It's possible to enable it again globally by
>> 'freeipa/config':`rpc_retry_auth`.
>>
>> https://fedorahosted.org/freeipa/ticket/4374
>>
>> # Additional info:
>>
>> This ticket is in 4.0 stabilization milestone. I don't think it's the
>> best fit. It has a potential to break things. It's also harder to test
>> because integration tests don't test it - one has to remove session
>> cookie every time and then react appropriately.
>>
>> It's also first usage of ./config module (other items there are not
>> used). This module was originally implemented to contain global webui
>> config which could be overwritten by config configured on server, ie
>> for disabling paging in large deployments. The server part doesn't
>> exist yet. Other reason is to split ipa.js into more single-purpose
>> files.
>
> It works a little bit differently than expected. Right now suppose I'm
> trying to delete a user, I have the delete dialog open and I let it sit
> until the session expires, then when I click Delete it will show me a
> login screen. Once I re-login, the dialog box is gone. It still has the
> user to be deleted selected, but there's no indication what the
> operation I was trying to do before.
>
> I was thinking the session expiration would work like desktop
> screensaver lock. So when I re-login I would see same screen as I left
> it, i.e. the delete dialog is still waiting for action.

Components have not been made with this feature in mind. Take for
example the delete issue. Deleter dialog is a subclass of confirm
dialog. Confirm dialog is closed right after confirmation/cancellation.
It doesn't wait for the result of the operation because it's handled by
other components. The behavior was OK so far because we showed error
dialog on normal error. On auth error, the command was re-executed. Now
we don't show any error on auth error nor do we leave the dialog open.

Seems like that we should change all usages of confirm dialog to try to
do the operation first and close the dialog after the operation was
successful or canceled. But this is only one set of use cases. There
might/will be others we don't know about atm.

Proper solution is to test all Web UI features (or feature sets) with
expired session (deletion of cookie) and identify the issues. Then
address the identified issues - much bigger task than this simple patch.

I think it is not good to push this patch without fixing the issues and
definitely not into stabilization release (4.0). I propose to move this
ticket into 4.1 or maybe even 4.2. Fix other tickets in the milestone
and then return to this one. I'm giving it lower priority because I
didn't see many people complaining about current behavior.

> The patch itself is fine, so it's ACKed, but I'll let you decide if
> this is sufficient to close the bug.

I'll postpone the push until solution for the issue above is made.
--
Petr Vobornik
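The policy split under discussion (replay a command automatically after re-authentication, or hold it back and let the user decide) is easier to reason about in code. The following is an added example written for this page; it is not FreeIPA's rpc.js or its `./config` module. The `makeRpcClient`, `makeSession` and `makeTransport` names, the in-memory user store and the `retryAuth` option (standing in for the `rpc_retry_auth` setting named above) are all this example's own constructions.

```javascript
// Added example, not FreeIPA code. retryAuth=false (the patch's new default)
// parks a command that failed with an auth error so the user can review it
// after re-login; retryAuth=true (the old behaviour, re-enabled in the thread
// via 'freeipa/config' rpc_retry_auth) replays it automatically.
function makeRpcClient(transport, session, { retryAuth = false } = {}) {
  const pending = []; // commands held back for explicit user review

  function execute(command) {
    const resp = transport(command, session);
    if (resp.error !== "auth") return resp;
    if (retryAuth) {
      session.login();                 // old behaviour: re-auth, then replay silently
      return transport(command, session);
    }
    pending.push(command);             // new behaviour: hold it and tell the caller
    return { error: "auth", pending: true };
  }

  // After re-login the user resumes or discards each parked command by hand;
  // nothing is re-sent without that decision.
  function resume(index) {
    const [command] = pending.splice(index, 1);
    return command ? transport(command, session) : null;
  }
  function discard(index) {
    return pending.splice(index, 1).length === 1;
  }

  return { execute, resume, discard, pending };
}

// Constructed stand-ins for the example: a session whose cookie can expire
// and an in-memory "server" that refuses work without a valid session.
function makeSession() {
  return {
    valid: true,
    login() { this.valid = true; },
    expire() { this.valid = false; },
  };
}

function makeTransport(users) {
  return (command, session) => {
    if (!session.valid) return { error: "auth" };
    if (command.method === "user_del") {
      users.delete(command.args[0]);
      return { result: { deleted: command.args[0] } };
    }
    return { error: "unknown method" };
  };
}

// Reproduces the scenario from the thread: a delete dialog sits open until the
// session expires, then the user clicks Delete.
function demo(retryAuth) {
  const users = new Set(["alice", "bob"]);
  const session = makeSession();
  const client = makeRpcClient(makeTransport(users), session, { retryAuth });
  session.expire();
  const first = client.execute({ method: "user_del", args: ["alice"] });
  return { first, users, client, session };
}
```

With `retryAuth` on, `demo(true)` deletes alice on the replay and the user never sees that it happened; with it off, `demo(false)` leaves alice in place and `client.pending` holds the command until `resume(0)` or `discard(0)` is called after `session.login()`.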
Re: [Freeipa-devel] [PATCH 0101] Allow to add host if AAAA record exists
On 07/09/2014 06:29 PM, Martin Basti wrote:
> Patch attached.
>
> Ticket: https://fedorahosted.org/freeipa/ticket/4164

Looks like it works fine for me. Can you also add a test for this?
--
Petr³
Re: [Freeipa-devel] [PATCH] 712 webui: detach facet nodes
On 25.7.2014 22:27, Endi Sukma Dewata wrote:
> On 7/23/2014 8:25 AM, Petr Vobornik wrote:
>> Detach/attach facet nodes when switching facets instead of
>> hiding/showing. Keeps dom-tree more simple.
>>
>> This patch is not really needed. I implemented it while testing
>> something in IE. But it might have positive effect for poorly written
>> parts of Web UI (if there are any :) ) or plugins. Basically it
>> simplifies DOM tree to contain nodes only for the active facet.
>> Therefore ugly expressions like $('button .foobar') are much more
>> performant.
>
> ACK. In the future the entire facet itself probably can even be loaded
> dynamically, so this is a step in that direction. The facet element
> itself probably can be merged with the content element since there's
> only one facet/content at any time.

Btw, what do you mean by loaded dynamically? Loading of source files on
demand or just instantiating of facets or something else?

The latter is partially implemented (facets of given entity are
instantiated when one of them is requested). Loading of source files
might be a little bit more difficult since we have entity-centered
sources and some information from all entities is required right at the
start of the app, e.g. for menu.
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0242] Set the default attributes for RootDSE
On 07/15/2014 09:13 AM, Tomas Babej wrote:
> Hi,
>
> With 389 DS 1.3.3 upwards we can leverage the
> nsslapd-return-default-opattr attribute to enumerate the list of
> attributes that should be returned even if not specified explicitly.
>
> Use the behaviour to get the same attributes returned from searches on
> rootDSE as in 1.3.1.
>
> https://fedorahosted.org/freeipa/ticket/4288

This fails with an older DS version.

Running transaction (shutdown inhibited)
  Updating : freeipa-python-4.0.0GITa2b91d7-0.fc20.x86_64             1/14
  Updating : freeipa-client-4.0.0GITa2b91d7-0.fc20.x86_64             2/14
Could not load host key: /etc/ssh/ssh_host_dsa_key
  Updating : freeipa-admintools-4.0.0GITa2b91d7-0.fc20.x86_64         3/14
  Updating : freeipa-server-4.0.0GITa2b91d7-0.fc20.x86_64             4/14
  Updating : freeipa-server-trust-ad-4.0.0GITa2b91d7-0.fc20.x86_64    5/14
  Updating : freeipa-tests-4.0.0GITa2b91d7-0.fc20.x86_64              6/14
  Updating : freeipa-debuginfo-4.0.0GITa2b91d7-0.fc20.x86_64          7/14
  Cleanup  : freeipa-tests-4.0.0GIT06aa522-0.fc20.x86_64              8/14
  Cleanup  : freeipa-debuginfo-4.0.0GIT06aa522-0.fc20.x86_64          9/14
  Cleanup  : freeipa-server-trust-ad-4.0.0GIT06aa522-0.fc20.x86_64   10/14
  Cleanup  : freeipa-server-4.0.0GIT06aa522-0.fc20.x86_64            11/14
  Cleanup  : freeipa-admintools-4.0.0GIT06aa522-0.fc20.x86_64        12/14
  Cleanup  : freeipa-client-4.0.0GIT06aa522-0.fc20.x86_64            13/14
  Cleanup  : freeipa-python-4.0.0GIT06aa522-0.fc20.x86_64            14/14
Upgrade failed with attribute nsslapd-return-default-opattr not allowed
IPA upgrade failed.

You'll need to update the spec file too, at least.
--
Petr³
Re: [Freeipa-devel] [PATCH 0243] ipalib: idrange: Make non-implemented range types fail the
On 07/28/2014 12:19 PM, Petr Viktorin wrote:
> On 07/21/2014 09:59 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 16.7.2014 14:05, Tomas Babej wrote:
>>> Hi,
>>>
>>> The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to
>>> pass the validation tests, however, they are not implemented nor
>>> checked by the 389 server plugin.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4323
>>
>> ACK.
>
> Pushed to:
> master: e74307caa6daf1e7e261ff481f6c5b089df82f57
> ipa-4-1: e74307caa6daf1e7e261ff481f6c5b089df82f57
> ipa-4-0: fb89a774e331c3b3eb70950911e4136a7e1f141b
>
> You forgot to update API.txt.

Fixed with the attached patch, pushed as a one-liner to:
master: ab5edd0e450fdd926b7c49535424149413c3f956
ipa-4-1: ab5edd0e450fdd926b7c49535424149413c3f956
ipa-4-0: 4baf1531581bbc5d075d46a832ca139edc8e75d3

--
Petr³

From a0a2229a66472c7e7cb20736fa12a816ba9527e2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 28 Jul 2014 15:12:59 +0200
Subject: [PATCH] Update API.txt

Additional fix for https://fedorahosted.org/freeipa/ticket/4323
---
 API.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 04107281e7a0c9d097685c279002217766f262dd..d731881eea39fb0ed2210d1a6b04739f6cd7f29b 100644
--- a/API.txt
+++ b/API.txt
@@ -2038,7 +2038,7 @@ command: idrange_add option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False) option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) -option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust')) +option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local')) option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') 
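Review bot: the idrange_add hunk drops u'ipa-ad-winsync' and u'ipa-ipa-trust' from the iparangetype StrEnum, which is what ticket 4323 ("make non-implemented range types fail the validation") asks for, but API.txt has to match the plugin's declared option character for character, so please confirm that the values tuple in the idrange plugin code from the earlier commit is literally (u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local') in that order; if the plugin lists the three values differently, this line will still diverge from the generated one and the API check will keep failing.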
@@ -2063,7 +2063,7 @@ command: idrange_find option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) -option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust')) +option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local')) option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
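Review bot: narrowing the StrEnum on the idrange_find option has a side effect worth a sentence in the commit message: this option is query=True, so it only filters, and after this change --type can no longer be used to search for ranges that were created with ipa-ad-winsync or ipa-ipa-trust before validation was tightened. If such entries can exist in upgraded deployments, decide whether the find side should keep accepting the old values for lookup only, or whether a note in the ticket is enough.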
Re: [Freeipa-devel] [PATCHES] 0102-0103 DNS upgrade: add missing tests if DNS is installed
On 07/23/2014 03:06 PM, Martin Basti wrote:
> This should be applied in 4.0.x, 4.1, master
>
> Patches attached

Thanks! ACK, pushed to:
master: 42d035f64c4d41bbae5fe061805b2de6febe2c7e
ipa-4-0: 1f5ad2e2cea55d6e059ee406822a30202e2bc0c6
ipa-4-1: 42d035f64c4d41bbae5fe061805b2de6febe2c7e
--
Petr³
Re: [Freeipa-devel] [PATCH] 0007 test group: remove group from protected group
On 07/24/2014 03:11 PM, David Kupka wrote:
> Simple test scenario from ticket #4448. Last test will fail until patch
> freeipa-dkupka-0006 gets accepted.

Thanks! These look fine, but since the new tests don't require that the
rest of `test_group` is run first, I encourage you to put them in a
separate class. This would ensure we don't add new interdependencies
between old and new tests in the future, making future test refactoring
more straightforward. Also, you can select to run just a single test
class from a module, so testing a targeted fix is faster. (And you can
reuse group1, since the other test cleans it up)

See test_permission_plugin for an example.
--
Petr³
Re: [Freeipa-devel] [PATCH] 710 webui: review pending operation after expired session
On 7/28/2014 6:06 AM, Petr Vobornik wrote:
>> Right now suppose I'm trying to delete a user, I have the delete
>> dialog open and I let it sit until the session expires, then when I
>> click Delete it will show me a login screen. Once I re-login, the
>> dialog box is gone. It still has the user to be deleted selected, but
>> there's no indication what the operation I was trying to do before.
>>
>> I was thinking the session expiration would work like desktop
>> screensaver lock. So when I re-login I would see same screen as I
>> left it, i.e. the delete dialog is still waiting for action.
>
> Components have not been made with this feature in mind. Take for
> example the delete issue. Deleter dialog is a subclass of confirm
> dialog. Confirm dialog is closed right after confirmation/cancellation.
> It doesn't wait for the result of the operation because it's handled
> by other components. The behavior was OK so far because we showed
> error dialog on normal error. On auth error, the command was
> re-executed. Now we don't show any error on auth error nor do we leave
> the dialog open.
>
> Seems like that we should change all usages of confirm dialog to try
> to do the operation first and close the dialog after the operation was
> successful or canceled.

Not sure about that. If you're adding a user that already exists, you'll
get an error dialog, but then if you click Cancel you'll go back to the
same add dialog. That allows you to revise the info you entered.

Can we use the same concept for session expiration? So instead of an
error dialog you'll get a login screen. If you relogin as the same
person, you'll go back to the same dialog with whatever info you already
entered.

This is a low priority regardless.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 715 webui: add bounce url to reset_password.html
On 7/28/2014 3:58 AM, Petr Vobornik wrote:
>> Just one thing, there is no pause between clicking the Reset button
>> and the redirection, so the "Password reset was successful."
>> confirmation message might only appear very briefly. A possible
>> alternative is to show a confirmation page/message, but the user will
>> have to click to continue to the next page.
>
> I don't believe there is a universal solution. I would say that it
> depends on personal preferences and a use case. I.e., if it's part of
> a login procedure I would prefer immediate redirection back to login
> page. If it's invoked from a user action - just to change the
> password, some delay might be good. We might add a URL param(s) to
> configure the delay/link.

How about 2 URL params?
1. the link to the next page
2. an option whether to
   a) redirect to the link immediately
   b) show a confirmation page with the link

Just my preference, but I don't really like a 'delay' on a web page.
It's either too short or too long, and we can't put important info
during the delay because there's no guarantee people will see it.

--
Endi S. Dewata
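The two sides of the bounce URL discussed in this thread (Petr's 715 patch description, which shows the `encodeURIComponent` step, and Endi's two-parameter proposal above) can be shown together. The block below is an added example written for this page, not code from reset_password.html or anywhere else in FreeIPA. The second parameter is named `mode` here purely as this example's own choice, the `ALLOWED_ORIGINS` list and the `buildResetLink`/`resolveBounce` helpers are constructed for the example, and the origin check is this example's own decision about what a receiving page should do with a `redirect` value it did not issue itself (it simply stays on the page instead of redirecting).

```javascript
// Added example, not FreeIPA code. Sender side builds the link exactly as the
// thread describes (component URI encoded); receiver side decodes it and
// decides between immediate redirect and a confirmation page.
const RESET_PAGE = "https://my.freeipa.server/ipa/ui/reset_password.html";

// Constructed allow-list for the example: origins the reset page is willing
// to bounce to. Anything else degrades to "stay on the page".
const ALLOWED_ORIGINS = [
  "https://my.freeipa.server",
  "http://pvoborni.fedorapeople.org",
];

// Param 1: the link to the next page. Param 2 ('mode', this example's name):
// "immediate" or "confirm", as in the proposal above.
function buildResetLink(target, mode = "immediate") {
  return `${RESET_PAGE}?redirect=${encodeURIComponent(target)}` +
         `&mode=${encodeURIComponent(mode)}`;
}

// Returns {action: "immediate" | "confirm", href} when the target is usable,
// or {action: "stay", reason} when it is absent, unparseable, not http(s),
// or not on an allowed origin.
function resolveBounce(pageHref, allowedOrigins = ALLOWED_ORIGINS) {
  const page = new URL(pageHref);
  const raw = page.searchParams.get("redirect"); // searchParams percent-decodes
  if (raw === null) return { action: "stay" };

  let target;
  try {
    target = new URL(raw, page.origin);          // relative paths resolve against this page
  } catch (e) {
    return { action: "stay", reason: "unparseable" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { action: "stay", reason: "scheme" };
  }
  if (!allowedOrigins.includes(target.origin)) {
    return { action: "stay", reason: "origin" };
  }
  const mode = page.searchParams.get("mode") === "confirm" ? "confirm" : "immediate";
  return { action: mode, href: target.href };
}
```

Feeding `buildResetLink('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging')` through `resolveBounce` reproduces the encoded URL from the thread and decodes it back to the same `#!/guide/Debugging` target; `mode=confirm` switches the result to the confirmation-page branch, and a `redirect` pointing at an origin outside the list is reported as `reason: "origin"` rather than followed.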
Re: [Freeipa-devel] [PATCH] 309 Check if /root/ipa.csr exists when installing server with external CA
On 07/24/2014 04:42 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4303.
>
> Honza

Thanks! ACK, pushed to:
master: 131353773643c5a7e0b155486759e6f6103cbee4
ipa-4-1: 131353773643c5a7e0b155486759e6f6103cbee4
ipa-4-0: 28aed7b89597ee54a7b3de9b17ca426b712761ce
--
Petr³
Re: [Freeipa-devel] [PATCH] 310 Exclude attributelevelrights from --raw result processing in baseldap
On 07/24/2014 05:33 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4371.
>
> Honza

NACK

If the value *is* a str, with this patch it ends up undefined.
--
Petr³
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 22.7.2014 15:21, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 2.7.2014 19:37, Jan Cholasta wrote:
On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:

# pki cert-find
PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.

It does not work for me as well, with the current F20 dogtag packages,
but like I said, it worked some time ago.

Still haven't figured this out, unfortunately.

Fixed. Part of the problem was that the validation code I used on CA
certificates was too tolerant (fixed in patches 249 and 251). Another
part was the NSS validation code that Dogtag uses requires the issuing
CA to be present in the NSS database (fixed in patch 306). Finally,
Dogtag uses default NSS certificate path validation, which means you
have to either keep all versions of the CA certificate in the NSS
database, or enable PKIX path validation in NSS. Certmonger does not
like having multiple versions of a certificate it is tracking in the
database, so I have gone the PKIX route (patch 307).

Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
certificates on master.

Updated rebased patches attached. The correct order to apply is 295-294,
303-305, 295-299.

251

I'm a little confused about the profile names. I see you changed the
renewal profile from ipaCACertRenewal to caCACert which I guess makes
sense. I don't see a ipaCACertRenewal profile. There is still a
reference to a ipaRetrieval profile, what is that?

Oops, I forgot to mention that, I guess I shouldn't post patches at such
late hour :) Sorry.

ipaCACertRenewal should be used only for automatic renewal, not for
manual. It calls caCACert and ipaRetrieval internally, but there are
some conditions, which don't apply to manual renewal. It's a change I
forgot to make before, so I made it now when I noticed it.

ipaRetrieval fetches the certificate from cn=ca_renewal, i.e. what
dogtag-ipa-retrieve-agent-submit used to do.

ACK to the changes in 291

299

I guess you added the check for existing certs to avoid conflicts? I
guess it means that a user is hosed if they chose the same name for
their CA that we use?

I think you're missing a sys.exit(1) here.

Yes. It is a poor man's solution, but it would take time to make
something better. (I can deal with nickname conflicts rather easy by
renaming the certificates, but handling subject conflict would require
removing the old certificate from the certificate store, which is not
yet supported.)

Fixed missing exit.

303

Looks good. The man page is still a little thin

304

Not to be too pedantic but if removing the old CACERT fails (SELinux,
immutable file) then the install will blow up and this is the very end.
I think the removal should happen earlier, before anything else happens.
That way at least you don't wait 10 minutes to find out the install
failed.

I switched to overwriting the file instead. It is created/written a few
lines above, so if it shall fail, it will fail there.

305

ACK

I didn't have a ton of time to test but a basic install fails with:

2014-07-03T21:44:49Z DEBUG stderr=
2014-07-03T21:44:49Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 640, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-server-install, line 1046, in main
    dm_password, subject_base=options.subject)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 489, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1041, in __import_ca_chain
    (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
  File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 79, in get_cert_nickname
    nsscert = x509.load_certificate(cert)
  File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate
    return nss.Certificate(buffer(data))

2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

I haven't gotten much further than this. I spent some time trying to
find the change that would cause it and came up empty.

Once this bug shows, it always shows, but it can go away at times too
which is just blowing my little mind. For example, I tried rolling the
patches back one at a time (revert, build, install, repeat). It failed
even back to the point where I knew things should be working. I installed