Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-30 Thread Jan Cholasta

On 29.7.2014 at 16:33 Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it
is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever
execute once. I'd think something like this is more readable:

for ca_nick, ca_flags in db.list_certs():
    if db.has_nickname(ca_cert):
        try:
            db.delete_cert(ca_nick)
        except ipautil.CalledProcessError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Failed to remove certificate %s" % ca_nick)


Actually the while loop is necessary, because certutil -D (and in turn
CertDB.delete_cert) deletes just a single cert with the nickname, but
there may be more versions of it and we need to delete them all.


Aha, excellent point. This would be a great comment in the code!



+1 on the additional syslogs. It will help figure out what's going on if
things go sideways.

Otherwise things seem to be working. I think that fixing the above is
enough for a +57 with the promise of unit tests to back up some of these
new functions.


I'm working on that.



rob
rob



I have made a slight adjustment to patch 246 because of
https://fedorahosted.org/freeipa/ticket/4039, see
http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.

Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294,
303-305, 295-299, 306-307)



ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.


Added. Updated patch attached.



A slight rebase on 251 is needed for freeipa.spec.in.


Oh, or maybe not since you sent the whole shebang. I just did an
interdiff of the current and old 246.


Yep, I remember fixing this particular merge conflict.



rob




--
Jan Cholasta
From f906b9c8c6143e6a4b23fb7db16dc9855c7ef684 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 23 Jul 2014 13:25:22 +0200
Subject: [PATCH 55/56] Update external CA cert in Dogtag NSS DB on IPA CA cert
 renewal.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 install/restart_scripts/renew_ca_cert | 71 ++-
 1 file changed, 62 insertions(+), 9 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 3814b81..2ad2038 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -121,23 +121,76 @@ def main():
 else:
 syslog.syslog(syslog.LOG_NOTICE, Not updating CS.cfg)
 
-# Update CA certificate in LDAP
-if ca.is_renewal_master():
-try:
-conn = ldap2(shared_instance=False,
- ldap_uri=api.env.ldap_uri)
-conn.connect(ccache=ccache)
-
+# Remove old external CA certificates
+for ca_nick, ca_flags in db.list_certs():
+if 'u' in ca_flags:
+continue
+# Delete *all* certificates that use the nickname
+while True:
+try:
+db.delete_cert(ca_nick)
+except ipautil.CalledProcessError:
+syslog.syslog(
+syslog.LOG_ERR,
+Failed to remove certificate %s % ca_nick)
+break
+if not db.has_nickname(ca_nick):
+break
+
+conn = None
+try:
+conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+conn.connect(ccache=ccache)
+except Exception, e:
+syslog.syslog(
+syslog.LOG_ERR, Failed to connect to LDAP: %s % e)
+else:
+# Update CA certificate in LDAP
+if ca.is_renewal_master():
 try:
 certstore.update_ca_cert(conn, api.env.basedn, cert)
 except errors.EmptyModlist:
 pass
+except Exception, e:
+syslog.syslog(
+syslog.LOG_ERR,
+Updating CA certificate failed: %s % e)
 
-conn.disconnect()
+# Add external CA certificates
+ca_issuer = str(x509.get_issuer(cert, x509.DER))
+try:
+ca_certs = certstore.get_ca_certs(
+conn, api.env.basedn, api.env.realm, False,
+filter_subject=ca_issuer)
 except Exception, e:
 syslog.syslog(
 syslog.LOG_ERR,
-Updating CA certificate failed: %s % e)
+
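Review bot: the "Remove old external CA certificates" loop runs before the `ldap2(...)` / `conn.connect(ccache=ccache)` attempt, so when the connect fails and the `except Exception, e:` branch logs "Failed to connect to LDAP", the `else:` block that re-imports the external CA certificates via `certstore.get_ca_certs(...)` is skipped and the NSS DB is left with the old certificates deleted and no replacements, which the thread notes Dogtag's NSS validation cannot tolerate (it needs the issuing CA present in the database). Suggest fetching the new CA certificates first and deleting the old entries only once the fetch has succeeded, or at least logging at LOG_ERR that the database now lacks external CA certificates. Minor: `if 'u' in ca_flags: continue` relies on the private-key trust flag to tell the CA's own certificates from external ones; the comment above the `while True` loop could say so.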

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-30 Thread Rob Crittenden
Jan Cholasta wrote:
 On 29.7.2014 at 16:33 Rob Crittenden wrote:
 Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 28.7.2014 at 21:39 Rob Crittenden wrote:
 This is oh-so close. AFAICT it generally does what it should, I
 think it
 is ready for a wider audience. Just a few more things:

 306: A while True loop is used for something which AFAICT can only
 ever
 execute once. I'd think something like this is more readable:

 for ca_nick, ca_flags in db.list_certs():
     if db.has_nickname(ca_cert):
         try:
             db.delete_cert(ca_nick)
         except ipautil.CalledProcessError:
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Failed to remove certificate %s" % ca_nick)

 Actually the while loop is necessary, because certutil -D (and in turn
 CertDB.delete_cert) deletes just a single cert with the nickname, but
 there may be more versions of it and we need to delete them all.

 Aha, excellent point. This would be a great comment in the code!


 +1 on the additional syslogs. It will help figure out what's going
 on if
 things go sideways.

 Otherwise things seem to be working. I think that fixing the above is
 enough for a +57 with the promise of unit tests to back up some of
 these
 new functions.

 I'm working on that.


 rob
 rob


 I have made a slight adjustment to patch 246 because of
 https://fedorahosted.org/freeipa/ticket/4039, see
 http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.

 Updated rebased patches attached.

 (once again, the correct order to apply them is 241-253, 262-294,
 303-305, 295-299, 306-307)


 ACK on 246.

 IMHO this is ready to be pushed if you can add the comment on 306.
 
 Added. Updated patch attached.
 

 A slight rebase on 251 is needed for freeipa.spec.in.

 Oh, or maybe not since you sent the whole shebang. I just did an
 interdiff of the current and old 246.
 
 Yep, I remember fixing this particular merge conflict.

ACK

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
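The certutil -D behaviour Jan describes in the quoted exchange (one certificate removed per call, even when several share a nickname) is the reason for the `while` loop in patch 306. The following added example, which is not code from the thread or from FreeIPA, models that delete-all-versions loop against a constructed in-memory stand-in for the NSS database, fed by a parser for the `certutil -L` listing format shown elsewhere in the thread. `NSSDBStub`, its method names and the sample listing are assumptions made for illustration.

```python
import re

# Constructed sample in the layout printed by `certutil -L -d <dbdir>`
# (compare the listing of /etc/pki/pki-tomcat/alias quoted in the thread).
# Two entries share the nickname "External CA": this is the "more versions
# of it" case that makes a single `certutil -D` call insufficient.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
External CA                                                  CT,C,C
External CA                                                  CT,C,C
"""

# A certutil -L data line: nickname, whitespace, three comma-separated
# trust-flag groups (any group may be empty, e.g. ",,").
_ENTRY = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_listing(text):
    """Return [(nickname, trust_flags), ...] parsed from certutil -L output."""
    entries = []
    for line in text.splitlines():
        match = _ENTRY.match(line.rstrip())
        if match:
            entries.append((match.group("nick"), match.group("flags")))
    return entries


class NSSDBStub(object):
    """Stand-in (an assumption, not FreeIPA's CertDB) with the semantics that
    matter here: delete_cert removes ONE certificate per call, exactly like
    `certutil -D -n <nickname>`, and fails when the nickname is absent."""

    def __init__(self, entries):
        self._entries = list(entries)
        self.delete_calls = 0

    def list_certs(self):
        return list(self._entries)

    def has_nickname(self, nick):
        return any(n == nick for n, _ in self._entries)

    def delete_cert(self, nick):
        self.delete_calls += 1
        for i, (n, _) in enumerate(self._entries):
            if n == nick:
                del self._entries[i]
                return
        raise RuntimeError("certutil -D: no certificate with nickname %r" % nick)


def remove_external_ca_certs(db):
    """Mirror of the patch's loop: every entry whose trust flags lack 'u'
    (no private key in the DB, so not one of the CA's own certificates) is
    treated as an external CA certificate and deleted repeatedly until no
    certificate with that nickname remains. Returns (removed, failed)."""
    removed, failed = [], []
    for ca_nick, ca_flags in db.list_certs():
        if 'u' in ca_flags:
            continue
        # list_certs() was a snapshot: a nickname listed twice is already
        # gone after its first pass, so has_nickname() guards the loop.
        while db.has_nickname(ca_nick):
            try:
                db.delete_cert(ca_nick)
            except RuntimeError as e:
                failed.append((ca_nick, str(e)))
                break
            removed.append(ca_nick)
    return removed, failed


if __name__ == "__main__":
    nssdb = NSSDBStub(parse_listing(SAMPLE_LISTING))
    gone, errors = remove_external_ca_certs(nssdb)
    print("removed: %s (%d certutil -D calls)" % (gone, nssdb.delete_calls))
    print("remaining: %s" % [n for n, _ in nssdb.list_certs()])
```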


Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-30 Thread Jan Cholasta

On 30.7.2014 at 14:47 Rob Crittenden wrote:

Jan Cholasta wrote:

On 29.7.2014 at 16:33 Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I
think it
is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only
ever
execute once. I'd think something like this is more readable:

for ca_nick, ca_flags in db.list_certs():
    if db.has_nickname(ca_cert):
        try:
            db.delete_cert(ca_nick)
        except ipautil.CalledProcessError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Failed to remove certificate %s" % ca_nick)


Actually the while loop is necessary, because certutil -D (and in turn
CertDB.delete_cert) deletes just a single cert with the nickname, but
there may be more versions of it and we need to delete them all.


Aha, excellent point. This would be a great comment in the code!



+1 on the additional syslogs. It will help figure out what's going
on if
things go sideways.

Otherwise things seem to be working. I think that fixing the above is
enough for a +57 with the promise of unit tests to back up some of
these
new functions.


I'm working on that.



rob
rob



I have made a slight adjustment to patch 246 because of
https://fedorahosted.org/freeipa/ticket/4039, see
http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.

Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294,
303-305, 295-299, 306-307)



ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.


Added. Updated patch attached.



A slight rebase on 251 is needed for freeipa.spec.in.


Oh, or maybe not since you sent the whole shebang. I just did an
interdiff of the current and old 246.


Yep, I remember fixing this particular merge conflict.


ACK

rob



Thank you for the review.

(please push in this order: 241-253, 262-294, 303-305, 295-299, 306-307)

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-30 Thread Petr Viktorin

On 07/30/2014 02:51 PM, Jan Cholasta wrote:

On 30.7.2014 at 14:47 Rob Crittenden wrote:

Jan Cholasta wrote:

On 29.7.2014 at 16:33 Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I
think it
is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only
ever
execute once. I'd think something like this is more readable:

for ca_nick, ca_flags in db.list_certs():
    if db.has_nickname(ca_cert):
        try:
            db.delete_cert(ca_nick)
        except ipautil.CalledProcessError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Failed to remove certificate %s" % ca_nick)


Actually the while loop is necessary, because certutil -D (and in
turn
CertDB.delete_cert) deletes just a single cert with the nickname, but
there may be more versions of it and we need to delete them all.


Aha, excellent point. This would be a great comment in the code!



+1 on the additional syslogs. It will help figure out what's going
on if
things go sideways.

Otherwise things seem to be working. I think that fixing the
above is
enough for a +57 with the promise of unit tests to back up some of
these
new functions.


I'm working on that.



rob
rob



I have made a slight adjustment to patch 246 because of
https://fedorahosted.org/freeipa/ticket/4039, see
http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.


Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294,
303-305, 295-299, 306-307)



ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.


Added. Updated patch attached.



A slight rebase on 251 is needed for freeipa.spec.in.


Oh, or maybe not since you sent the whole shebang. I just did an
interdiff of the current and old 246.


Yep, I remember fixing this particular merge conflict.


ACK

rob



Thank you for the review.

(please push in this order: 241-253, 262-294, 303-305, 295-299, 306-307)



Pushed to:
master: 044c5c833a83a541f97785279acfe8e113035b3d
ipa-4-1: 044c5c833a83a541f97785279acfe8e113035b3d


--
Petr³



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-29 Thread Rob Crittenden
Jan Cholasta wrote:
 On 28.7.2014 at 21:39 Rob Crittenden wrote:
 This is oh-so close. AFAICT it generally does what it should, I think it
 is ready for a wider audience. Just a few more things:

 306: A while True loop is used for something which AFAICT can only ever
 execute once. I'd think something like this is more readable:

 for ca_nick, ca_flags in db.list_certs():
     if db.has_nickname(ca_cert):
         try:
             db.delete_cert(ca_nick)
         except ipautil.CalledProcessError:
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Failed to remove certificate %s" % ca_nick)
 
 Actually the while loop is necessary, because certutil -D (and in turn
 CertDB.delete_cert) deletes just a single cert with the nickname, but
 there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!


 +1 on the additional syslogs. It will help figure out what's going on if
 things go sideways.

 Otherwise things seem to be working. I think that fixing the above is
 enough for a +57 with the promise of unit tests to back up some of these
 new functions.
 
 I'm working on that.
 

 rob
 rob

 
 I have made a slight adjustment to patch 246 because of
 https://fedorahosted.org/freeipa/ticket/4039, see
 http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.
 
 Updated rebased patches attached.
 
 (once again, the correct order to apply them is 241-253, 262-294,
 303-305, 295-299, 306-307)
 

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

A slight rebase on 251 is needed for freeipa.spec.in.

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-29 Thread Rob Crittenden
Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 28.7.2014 at 21:39 Rob Crittenden wrote:
 This is oh-so close. AFAICT it generally does what it should, I think it
 is ready for a wider audience. Just a few more things:

 306: A while True loop is used for something which AFAICT can only ever
 execute once. I'd think something like this is more readable:

 for ca_nick, ca_flags in db.list_certs():
     if db.has_nickname(ca_cert):
         try:
             db.delete_cert(ca_nick)
         except ipautil.CalledProcessError:
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Failed to remove certificate %s" % ca_nick)

 Actually the while loop is necessary, because certutil -D (and in turn
 CertDB.delete_cert) deletes just a single cert with the nickname, but
 there may be more versions of it and we need to delete them all.
 
 Aha, excellent point. This would be a great comment in the code!
 

 +1 on the additional syslogs. It will help figure out what's going on if
 things go sideways.

 Otherwise things seem to be working. I think that fixing the above is
 enough for a +57 with the promise of unit tests to back up some of these
 new functions.

 I'm working on that.


 rob
 rob


 I have made a slight adjustment to patch 246 because of
 https://fedorahosted.org/freeipa/ticket/4039, see
 http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html.

 Updated rebased patches attached.

 (once again, the correct order to apply them is 241-253, 262-294,
 303-305, 295-299, 306-307)

 
 ACK on 246.
 
 IMHO this is ready to be pushed if you can add the comment on 306.
 
 A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an
interdiff of the current and old 246.

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-28 Thread Rob Crittenden
Jan Cholasta wrote:
 On 22.7.2014 15:21, Rob Crittenden wrote:
 Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 2.7.2014 19:37, Jan Cholasta wrote:
 On 2.7.2014 19:08, Rob Crittenden wrote:
 Trimming to respond to your questions.
 Not sure if this is related:
 # pki cert-find
 PKIException: Internal Server Error

 I'm pretty sure the cert-find error is related to the fact that I
 had a
 test build of dogtag installed, so that can be ignored.

 It does not work for me as well, with the current F20 dogtag packages,
 but like I said, it worked some time ago.

 Still haven't figured this out, unfortunately.
 
 Fixed. Part of the problem was that the validation code I used on CA
 certificates was too tolerant (fixed in patches 249 and 251). Another
 part was the NSS validation code that Dogtag uses requires the issuing
 CA to be present in the NSS database (fixed in patch 306). Finally,
 Dogtag uses default NSS certificate path validation, which means you
 have to either keep all versions of the CA certificate in the NSS
 database, or enable PKIX path validation in NSS. Certmonger does not
 like having multiple versions of a certificate it is tracking in the
 database, so I have gone the PKIX route (patch 307).
 

 Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
 certificates on master.

 Updated rebased patches attached. The correct order to apply is
 295-294,
 303-305, 295-299.


 251 I'm a little confused about the profile names. I see you changed the
 renewal profile from ipaCACertRenewal to caCACert which I guess makes
 sense. I don't see a ipaCACertRenewal profile. There is still a
 reference to a ipaRetrieval profile, what is that?
 
 Oops, I forgot to mention that, I guess I shouldn't post patches at such
 a late hour :) Sorry.
 
 ipaCACertRenewal should be used only for automatic renewal, not for
 manual. It calls caCACert and ipaRetrieval internally, but there are
 some conditions, which don't apply to manual renewal. It's a change I
 forgot to make before, so I made it now when I noticed it. ipaRetrieval
 fetches the certificate from cn=ca_renewal, i.e. what
 dogtag-ipa-retrieve-agent-submit used to do.
 

 ACK to the changes in 291

 299 I guess you added the check for existing certs to avoid conflicts? I
 guess it means that a user is hosed if they chose the same name for
 their CA that we use? I think you're missing a sys.exit(1) here.
 
 Yes. It is a poor man's solution, but it would take time to make
 something better. (I can deal with nickname conflicts rather easily by
 renaming the certificates, but handling subject conflict would require
 removing the old certificate from the certificate store, which is not
 yet supported.)
 
 Fixed missing exit.
 

 303 Looks good. The man page is still a little thin

 304 Not to be too pedantic but if removing the old CACERT fails
 (SELinux, immutable file) then the install will blow up and this is the
 very end. I think the removal should happen earlier, before anything
 else happens. That way at least you don't wait 10 minutes to find out the
 install failed.
 
 I switched to overwriting the file instead. It is created/written a few
 lines above, so if it shall fail, it will fail there.
 

 305 ACK

 I didn't have a ton of time to test but a basic install fails with:

 2014-07-03T21:44:49Z DEBUG stderr=
 2014-07-03T21:44:49Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 640, in run_script
  return_value = main_function()

File /usr/sbin/ipa-server-install, line 1046, in main
  dm_password, subject_base=options.subject)

File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 489, in configure_instance
  self.start_creation(runtime=210)

File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
  method()

File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 1041, in __import_ca_chain
  (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])

File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py,
 line 79, in get_cert_nickname
  nsscert = x509.load_certificate(cert)

File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in
 load_certificate
  return nss.Certificate(buffer(data))

 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
 exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
 attempting to import a cert with the same issuer/serial as an existing
 cert, but that is not the same cert.

 I haven't gotten much further than this. I spent some time trying to
 find a change that would cause it and came up empty. Once this bug
 shows, it always shows, but it can go away at times too which is just
 blowing my little mind.

 For example, I tried rolling the patches back one at a time (revert,
 build, install, repeat). It failed even back to the point where I knew
 things should be working. I installed 

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-22 Thread Rob Crittenden
Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 2.7.2014 19:37, Jan Cholasta wrote:
 On 2.7.2014 19:08, Rob Crittenden wrote:
 Trimming to respond to your questions.
 Not sure if this is related:
 # pki cert-find
 PKIException: Internal Server Error

 I'm pretty sure the cert-find error is related to the fact that I had a
 test build of dogtag installed, so that can be ignored.

 It does not work for me as well, with the current F20 dogtag packages,
 but like I said, it worked some time ago.

 Still haven't figured this out, unfortunately.

 Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
 certificates on master.

 Updated rebased patches attached. The correct order to apply is 295-294,
 303-305, 295-299.

 
 251 I'm a little confused about the profile names. I see you changed the
 renewal profile from ipaCACertRenewal to caCACert which I guess makes
 sense. I don't see a ipaCACertRenewal profile. There is still a
 reference to a ipaRetrieval profile, what is that?
 
 ACK to the changes in 291
 
 299 I guess you added the check for existing certs to avoid conflicts? I
 guess it means that a user is hosed if they chose the same name for
 their CA that we use? I think you're missing a sys.exit(1) here.
 
 303 Looks good. The man page is still a little thin
 
 304 Not to be too pedantic but if removing the old CACERT fails
 (SELinux, immutable file) then the install will blow up and this is the
 very end. I think the removal should happen earlier, before anything
 else happens. That way at least you don't wait 10 minutes to find out the
 install failed.
 
 305 ACK
 
 I didn't have a ton of time to test but a basic install fails with:
 
 2014-07-03T21:44:49Z DEBUG stderr=
 2014-07-03T21:44:49Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 640, in run_script
 return_value = main_function()
 
   File /usr/sbin/ipa-server-install, line 1046, in main
 dm_password, subject_base=options.subject)
 
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 489, in configure_instance
 self.start_creation(runtime=210)
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
 method()
 
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 1041, in __import_ca_chain
 (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py,
 line 79, in get_cert_nickname
 nsscert = x509.load_certificate(cert)
 
   File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in
 load_certificate
 return nss.Certificate(buffer(data))
 
 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
 exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
 attempting to import a cert with the same issuer/serial as an existing
 cert, but that is not the same cert.

I haven't gotten much further than this. I spent some time trying to
find a change that would cause it and came up empty. Once this bug
shows, it always shows, but it can go away at times too which is just
blowing my little mind.

For example, I tried rolling the patches back one at a time (revert,
build, install, repeat). It failed even back to the point where I knew
things should be working. I installed 3.3.5, then tried the current
build, which had failed before, and it worked. So there is some odd
transient thing going on that I can't wrap my head around.

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-03 Thread Rob Crittenden
Jan Cholasta wrote:
 On 2.7.2014 19:37, Jan Cholasta wrote:
 On 2.7.2014 19:08, Rob Crittenden wrote:
 Trimming to respond to your questions.
 Not sure if this is related:
 # pki cert-find
 PKIException: Internal Server Error

 I'm pretty sure the cert-find error is related to the fact that I had a
 test build of dogtag installed, so that can be ignored.

 It does not work for me as well, with the current F20 dogtag packages,
 but like I said, it worked some time ago.
 
 Still haven't figured this out, unfortunately.
 
 Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
 certificates on master.
 
 Updated rebased patches attached. The correct order to apply is 295-294,
 303-305, 295-299.
 

251 I'm a little confused about the profile names. I see you changed the
renewal profile from ipaCACertRenewal to caCACert which I guess makes
sense. I don't see a ipaCACertRenewal profile. There is still a
reference to a ipaRetrieval profile, what is that?

ACK to the changes in 291

299 I guess you added the check for existing certs to avoid conflicts? I
guess it means that a user is hosed if they chose the same name for
their CA that we use? I think you're missing a sys.exit(1) here.

303 Looks good. The man page is still a little thin

304 Not to be too pedantic but if removing the old CACERT fails
(SELinux, immutable file) then the install will blow up and this is the
very end. I think the removal should happen earlier, before anything
else happens. That way at least you don't wait 10 minutes to find out the
install failed.

305 ACK

I didn't have a ton of time to test but a basic install fails with:

2014-07-03T21:44:49Z DEBUG stderr=
2014-07-03T21:44:49Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 640, in run_script
return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1046, in main
dm_password, subject_base=options.subject)

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
489, in configure_instance
self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
method()

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
1041, in __import_ca_chain
(rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])

  File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py,
line 79, in get_cert_nickname
nsscert = x509.load_certificate(cert)

  File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in
load_certificate
return nss.Certificate(buffer(data))

2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
attempting to import a cert with the same issuer/serial as an existing
cert, but that is not the same cert.

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Jan Cholasta

On 28.6.2014 00:19, Rob Crittenden wrote:


I'm going to consolidate all reviews for 241 - 303 here. I'm not doing
this in any particular order.


OK, I will send further patches only in this thread.





Missing man page for ipa-certupdate


I did not want to delay the patch, so I have sent it without man page. 
Will fix.






Not a very nice error from ipa-cacert-manage install when loading a bad
cert:

# ipa-cacert-manage install /etc/group
Installing CA certificate, please wait
(SEC_ERROR_INVALID_ARGS) security library: invalid arguments.


Right. Fixed.



The ipa-cacert-manage makes no mention of changing the cert chaining. It
just adds the options, not what they do. Here is what happened when I
tried it:

# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run
ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate
--external-ca-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
[ go off and sign it ]
# ipa-cacert-manage renew --external-cert-file=/home/rcrit/ca_db/ipa.crt
--external-ca-file=/home/rcrit/ca_db/ca.crt
Importing the renewed CA certificate, please wait
Resubmitting certmonger request '20140627134654' timed out, please check
the request manually

The request was actually in MONITORING, so ok.

But the CA is now not working

# ipa cert-request --principal test/`hostname` csr
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)

# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)

The CA database doesn't have my external CA

# certutil -Ld /etc/pki/pki-tomcat/alias/

Certificate Nickname Trust
Attributes

SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca  u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-caCTu,Cu,Cu
ocspSigningCert cert-pki-ca  u,u,u
subsystemCert cert-pki-cau,u,u

Not sure if this is related:
# pki cert-find
PKIException: Internal Server Error


The problem is not in the missing external CA cert (the CA always worked 
fine without it for me, so I never bothered adding it). The problem is 
that Dogtag can't connect to DS, because it does not like its server 
certificate. Which is weird, because when I try doing the same using 
ldapsearch everything seems to work fine:


# LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias 
LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://$HOSTNAME 
-Y EXTERNAL -b o=ipaca -s base
Please enter pin, password, or pass phrase for security token 
'ldap(0)':

SASL/EXTERNAL authentication started
SASL username: cn=CA Subsystem,o=EXAMPLE.COM
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base o=ipaca with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipaca
dn: o=ipaca
objectClass: top
objectClass: organization
o: ipaca

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Adding the old CA cert back to /etc/pki/pki-tomcat/alias does not fix 
this, although the error is different (ipa cert-show fails with internal 
error caused by XMLSyntaxError: None, pki cert-find fails with 
PKIException: Error searching certs in CertService.searchCerts!). 
Adding the external CA cert does not fix this either.


I'm pretty sure chaining change from self-signed to signed by external 
CA worked for me the last time I have tested it, but it has been some 
time. Maybe something changed in Dogtag? I don't know. Any ideas?






Note that I tried again with a fresh external install, this time without
the --external-ca flag and it basically went through the same steps but
this time it was successful.


Good.





I did a re-install and tried a renewal (with just ipa-server-install). I
moved time forward and saw this:

Request ID '20140627150913':
 status: MONITORING
 ca-error: Server at
https://sif.greyoak.com:8443/ca/agent/ca/profileProcess; replied: 1:
Invalid Credential.
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='323234924210'
 certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=GREYOAK.COM
 subject: CN=CA Audit,O=GREYOAK.COM
 expires: 2016-06-16 15:08:34 UTC
 key usage: digitalSignature,nonRepudiation
 pre-save command: 

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Rob Crittenden
Jan Cholasta wrote:
 On 28.6.2014 00:19, Rob Crittenden wrote:

 I'm going to consolidate all reviews for 241 - 303 here. I'm not doing
 this in any particular order.

Trimming to respond to your questions.
 Not sure if this is related:
 # pki cert-find
 PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.

 ipa-client-install still fails for me in RHEL-5 with an external CA:

 2014-06-27 14:04:31,202 DEBUG trying to retrieve CA cert via LDAP from
 ldap://sif.greyoak.com
 2014-06-27 14:04:32,312 INFO Successfully retrieved CA cert
  Subject: /O=GREYOAK.COM/CN=Certificate Authority
  Issuer:  /CN=External Authority

 2014-06-27 14:04:32,467 DEBUG args=/usr/sbin/ipa-join -s sif.greyoak.com
 -b dc=greyoak,dc=com
 2014-06-27 14:04:32,467 DEBUG stdout=
 2014-06-27 14:04:32,467 DEBUG stderr=libcurl failed to execute the HTTP
 POST transaction.  SSL certificate problem, verify that the CA cert is
 OK. Details:
 error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
 verify failed

 This is the query that is being done:

 [27/Jun/2014:14:04:31 -0400] conn=18 op=3 SRCH
 base=CN=CAcert,CN=ipa,CN=etc,dc=greyoak,dc=com scope=0
 filter=(objectClass=pkiCA) attrs=cacertificate;binary

 It returns a single object, the dogtag-issued CA certificate, not the
 entire chain, hence the failure.
 
 I doubt this ever worked, as there can be only one certificate in
 cn=CAcert. Can't do much about this, unless you want to fix it in RHEL 5.

Ok, as it is not a regression I won't let that block these patches.

 Similarly /etc/ipa/ca.crt on the master contains only the IPA CA while
 /usr/share/ipa/html/ca.crt contains the full chain.
 
 Right, will fix.
 

 This works:
 # wget -O /tmp/ca.crt http://sif.greyoak.com/ipa/config/ca.crt
 # ipa-client-install --server=sif.greyoak.com --domain=greyoak.com -p
 admin -w password -U --ca-cert-file=/tmp/ca.crt

 

 Enrollment on RHEL-6 also puts a single CA in /etc/ipa/ca.crt but
 enrollment succeeds.
 
 That's expected, it also uses cn=CAcert. Any idea why it works on RHEL 6
 but not on RHEL 5?

I'd guess it has something to do with OpenSSL vs NSS.

 Patch 303.

 Is the context as cli_installer a cut-n-paste or a conscious choice?
 
 It is indeed copy-paste. Is it wrong?

The context is completely arbitrary and rarely used. But it is used in a
few places, though IIRC mostly on the server side. It probably doesn't
matter much but being client-specific is good future-proofing.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
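The single-certificate limit of cn=CAcert discussed above means /etc/ipa/ca.crt can hold the IPA CA while its issuer is absent, which is exactly what an OpenSSL-based client rejects with "certificate verify failed". The following check is an added example, not FreeIPA code: it walks a PEM bundle, reads each certificate's subject and issuer with a minimal DER parser (structure only, no signature verification), and reports whether the chain from the IPA CA reaches a self-signed root inside the bundle. The certificates it builds are unsigned, structure-only dummies constructed here for the demonstration and named after the CAs in the log lines above; make_cert, check_chain and sample_bundles are this example's own names.

```python
"""Added example: does a PEM CA bundle (e.g. /etc/ipa/ca.crt) hold a complete chain?
Structure-only: subjects and issuers are read from DER, signatures are not checked."""
import base64
import re

# RFC 4514 short names for the two attribute types the sample names use.
OID_BYTES = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}
OID_NAMES = {v: k for k, v in OID_BYTES.items()}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der(tag, payload):
    """Encode one DER TLV (definite length, long form when needed)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload


def der_children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out


def encode_name(rdns):
    """rdns: [(short_name, value), ...] in DER order -> X.501 Name."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, OID_BYTES[k]) + der(0x0C, v.encode())))
        for k, v in rdns))


def decode_name(name_value):
    """Render a Name as RFC 4514 text (reversed, as getcert and ipa print it)."""
    parts = []
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()), val.decode()))
    return ",".join(reversed(parts))


def cert_names(der_cert):
    """Return (subject, issuer) of a DER-encoded certificate."""
    (_, body), = der_children(der_cert)          # Certificate SEQUENCE
    fields = der_children(der_children(body)[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:                     # drop explicit [0] version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, spki, ...
    return decode_name(fields[4][1]), decode_name(fields[2][1])


def make_cert(subject_rdns, issuer_rdns):
    """Constructed, unsigned dummy certificate: real layout, placeholder key/signature."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +             # version v3
              der(0x02, b"\x01") +                         # serialNumber
              sha256_rsa +
              encode_name(issuer_rdns) +
              der(0x30, der(0x17, b"140101000000Z") + der(0x17, b"240101000000Z")) +
              encode_name(subject_rdns) +
              der(0x30, b""))                              # empty SubjectPublicKeyInfo
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))  # empty BIT STRING signature


def der_to_pem(der_cert):
    b64 = base64.b64encode(der_cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def check_chain(pem_bundle, start_subject):
    """Follow issuer links inside the bundle from start_subject.
    Returns (complete, subjects_found); complete is False when an issuer is
    missing from the bundle, the case a client verifying against it rejects."""
    issuer_of = {}
    for m in PEM_RE.findall(pem_bundle):
        subject, issuer = cert_names(base64.b64decode(b"".join(m.split())))
        issuer_of[subject] = issuer
    chain, current = [], start_subject
    while current not in chain:                  # loop guard for cross-signed cycles
        if current not in issuer_of:
            return False, chain                  # issuer absent from the bundle
        chain.append(current)
        if issuer_of[current] == current:        # self-signed root reached
            return True, chain
        current = issuer_of[current]
    return False, chain


# Names taken from the logs in this thread; DER order is O then CN.
IPA_CA_RDNS = [("O", "GREYOAK.COM"), ("CN", "Certificate Authority")]
EXT_CA_RDNS = [("CN", "External Authority")]
IPA_CA = "CN=Certificate Authority,O=GREYOAK.COM"
EXT_CA = "CN=External Authority"


def sample_bundles():
    """Three constructed bundles: what cn=CAcert can hold versus the full chain."""
    ipa_chained = der_to_pem(make_cert(IPA_CA_RDNS, EXT_CA_RDNS))
    external = der_to_pem(make_cert(EXT_CA_RDNS, EXT_CA_RDNS))
    ipa_self = der_to_pem(make_cert(IPA_CA_RDNS, IPA_CA_RDNS))
    return {"self_signed": ipa_self.encode(),               # one cert is the whole chain
            "ipa_only": ipa_chained.encode(),               # what a client gets from cn=CAcert
            "full_chain": (ipa_chained + external).encode()}  # like /usr/share/ipa/html/ca.crt


if __name__ == "__main__":
    for name, bundle in sample_bundles().items():
        complete, chain = check_chain(bundle, IPA_CA)
        print("%-11s complete=%s chain=%s" % (name, complete, " <- ".join(chain)))
```

Run against a real bundle with `check_chain(open("/etc/ipa/ca.crt", "rb").read(), "CN=Certificate Authority,O=EXAMPLE.COM")`; an incomplete result for an externally chained CA is the condition that produced the RHEL 5 failure above, and the self_signed sample shows why a single entry in cn=CAcert was never a problem before chaining to an external CA became possible.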


Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Jan Cholasta

On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:
# pki cert-find
PKIException: Internal Server Error


I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.


It does not work for me either, with the current F20 dogtag packages, 
but like I said, it worked some time ago.



Patch 303.

Is the context as cli_installer a cut-n-paste or a conscious choice?


It is indeed copy-paste. Is it wrong?


The context is completely arbitrary and rarely used. But it is used in a
few places, though IIRC mostly on the server side. It probably doesn't
matter much but being client-specific is good future-proofing.


OK, thought this was something more serious :-) I copied the context 
from ipa-client-automount, since ipa-certupdate is also a client-side 
installer-like command.





rob




--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Rob Crittenden
Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 26.6.2014 20:05, Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 16.6.2014 15:35, Jan Cholasta wrote:
 Hi,

 the attached patches implement
 https://fedorahosted.org/freeipa/ticket/3737.

 My patches 241-253 and 262-294 are required for this
 (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html,

 http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).


 The installation/testing guidelines from
 http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html
 apply here as well.

 Honza

 Rebased on top of current master.

 295 ACK

 296, 297 & 299

 TBD, need to test but no problems seen so far.

 298

 The man page, if not usage, should include what the valid trust flags
 are or point to NSS documentation.

 OK.


 rob


 Updated rebased patches attached. Also attaching all the required patches.


A few more things after more testing.

If one renews an externally-issued CA then you can end up with multiple
certs for the IPA CA in /etc/pki/nssdb (for each issued cert). These do
not seem to be cleaned up on uninstall.

On upgrade from 3.3.5 seeing:
Unexpected error - see /var/log/ipaupgrade.log for details:
InvalidSyntax: object class ipaCertificate: Unknown required attribute
type ipaPublicKey: Invalid syntax.

/var/log/ipaupgrade ends with:

2014-06-30T15:03:11Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2014-06-30T15:08:12Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 640, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1171, in main
    ds.start(ds_serverid)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 297, in start
    self.service.start(instance_name, capture_output=capture_output,
wait=wait)

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 262, in start
    self.wait_for_open_ports(self.service_instance(instance_name))

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 228, in wait_for_open_ports
    self.api.env.startup_timeout)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
1153, in wait_for_open_ports
    raise socket.timeout()

2014-06-30T15:08:12Z DEBUG The ipa-upgradeconfig command failed,
exception: timeout:

Turns out it blew up so badly that it didn't restore dse.ldif when the
upgrade finished, something I thought was impossible. This is a pretty
serious problem in itself (and likely unrelated to these patches).

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Nalin Dahyabhai
On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote:
 How it is monitoring with a ca-error I don't know.

If there's a previously-issued certificate present, the state machine
goes back to monitoring rather than the dead-end rejected state, so
that it'll try again later when the certificate crosses the next enroll_ttl
threshold.

It's mainly a guess at the right thing to do in that situation (in case
the CA rejected the request for a transient reason that gets remedied at
the server at some point), so I'm not firmly wedded to it, and remain
open to changing it.

Now that I'm writing this, I'm thinking rejected requests should
probably be re-attempted, eventually, though it risks annoying the CA.

Cheers,

Nalin



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-26 Thread Jan Cholasta

On 16.6.2014 15:35, Jan Cholasta wrote:

Hi,

the attached patches implement
https://fedorahosted.org/freeipa/ticket/3737.

My patches 241-253 and 262-294 are required for this
(http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html,
http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).

The installation/testing guidelines from
http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html
apply here as well.

Honza


Rebased on top of current master.

--
Jan Cholasta
From 6d234a5f8756876a980a7a0c15fca64fe0a6a975 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:44:03 +0200
Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs
 from NSS databases.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 ipaserver/install/certs.py | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 118cf77..37b102c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -211,9 +211,21 @@ class NSSDatabase(object):
 raise RuntimeError(
 Setting trust on %s failed % root_nickname)
 
+def get_cert(self, nickname, pem=False):
+args = ['-L', '-n', nickname]
+if pem:
+args.append('-a')
+else:
+args.append('-r')
+try:
+cert, err, returncode = self.run_certutil(args)
+except ipautil.CalledProcessError:
+raise RuntimeError(Failed to get %s % nickname)
+return cert
+
 def export_pem_cert(self, nickname, location):
 Export the given cert to PEM file in the given location
-cert, err, returncode = self.run_certutil([-L, -n, nickname, -a])
+cert = self.get_cert(nickname)
 with open(location, w+) as fd:
 fd.write(cert)
 os.chmod(location, 0444)
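Review bot: export_pem_cert now calls self.get_cert(nickname) with the default pem=False, so certutil runs with -r and the function writes raw DER into a file that its own docstring ("Export the given cert to PEM file") and the text-mode open() treat as PEM; the removed line passed -a. This should be self.get_cert(nickname, pem=True). Separately, the except branch in get_cert discards err and returncode and raises only "Failed to get %s"; passing certutil's stderr into the RuntimeError would let a caller tell a missing nickname apart from a bad database password or an unreadable NSS DB.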
-- 
1.9.0

From f4b9c00871caab73201d12f24a3b158c03742eba Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:45:29 +0200
Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in
 ipa-cacert-manage.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 install/tools/man/ipa-cacert-manage.1  |  6 +
 ipaserver/install/ipa_cacert_manage.py | 41 +++---
 2 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 92fe717..cf42b24 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available.
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 The Directory Manager password to use for authentication.
 .TP
+\fB\-\-self\-signed\fR
+Sign the renewed certificate by itself.
+.TP
+\fB\-\-external\-ca\fR
+Sign the renewed certificate by external CA.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file.
 .TP
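Review bot: the new --self-signed and --external-ca entries do not say what happens when both are given, or how they relate to --external-cert-file, which the following entry says must be paired with --external-ca-file; document that the two are mutually exclusive (or which one wins) and that --external-ca only starts the renewal, which is completed by a later run with --external-cert-file. The phrasing "Sign the renewed certificate by external CA" would read better as "Have the renewed certificate signed by an external CA", and the description should name the default when neither option is given (keep the current chaining of the existing certificate), since that is the behaviour the code falls back to.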
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index f6f3a8b..a0aa355 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -28,7 +28,7 @@ import krbV
 from ipapython import admintool, certmonger, ipautil
 from ipapython.dn import DN
 from ipaplatform.paths import paths
-from ipalib import api, errors, x509, util
+from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 
@@ -52,6 +52,14 @@ class CACertManage(admintool.AdminTool):
 
 renew_group = OptionGroup(parser, Renew options)
 renew_group.add_option(
+--self-signed, dest='self_signed',
+action='store_true',
+help=Sign the renewed certificate by itself)
+renew_group.add_option(
+--external-ca, dest='self_signed',
+action='store_false',
+help=Sign the renewed certificate by external CA)
+renew_group.add_option(
 --external-cert-file, dest='external_cert_file',
 help=PEM file containing a certificate signed by the external CA)
 renew_group.add_option(
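Review bot: --self-signed and --external-ca both write dest='self_signed' as store_true/store_false, so passing both is accepted and the last one on the command line silently wins; once they share a dest, optparse cannot tell that both were given. Either give them separate dests and reject the combination during option validation, or use a callback action that raises OptionValueError when self_signed has already been set by the other option. The code later relies on the implicit None default ("if options.self_signed is not None"); stating default=None on the first add_option would make that dependency explicit.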
@@ -146,7 +154,12 @@ class CACertManage(admintool.AdminTool):
 if options.external_cert_file:
 return self.renew_external_step_2(ca, cert)
 
-if x509.is_self_signed(cert, x509.DER):
+if options.self_signed is not None:
+self_signed = options.self_signed
+else:
+self_signed = x509.is_self_signed(cert, x509.DER)
+
+if self_signed:
 return self.renew_self_signed(ca)
 else:
 return self.renew_external_step_1(ca)
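Review bot: the "if options.external_cert_file: return self.renew_external_step_2(ca, cert)" check runs before the new self_signed decision, so "--self-signed --external-cert-file=FILE" silently takes the external step-2 path and ignores --self-signed; reject that combination up front rather than letting one option win by accident. It is also worth logging which path was chosen here, because with --external-ca the current chaining of the existing certificate is no longer consulted, and a renewal that later fails at the external CA gives the operator no record of why the self-signed path was skipped.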
@@ -179,20 +192,19 @@ class CACertManage(admintool.AdminTool):
 
 

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-26 Thread Rob Crittenden
Jan Cholasta wrote:
 On 16.6.2014 15:35, Jan Cholasta wrote:
 Hi,

 the attached patches implement
 https://fedorahosted.org/freeipa/ticket/3737.

 My patches 241-253 and 262-294 are required for this
 (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html,
 http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).

 The installation/testing guidelines from
 http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html
 apply here as well.

 Honza
 
 Rebased on top of current master.

295 ACK

296, 297 & 299

TBD, need to test but no problems seen so far.

298

The man page, if not usage, should include what the valid trust flags
are or point to NSS documentation.

rob



[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-16 Thread Jan Cholasta

Hi,

the attached patches implement 
https://fedorahosted.org/freeipa/ticket/3737.


My patches 241-253 and 262-294 are required for this 
(http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, 
http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).


The installation/testing guidelines from 
http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html 
apply here as well.


Honza

--
Jan Cholasta
From 73b54fdd44a7f59f40b0e34dd565020deea74f00 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:44:03 +0200
Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs
 from NSS databases.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 ipaserver/install/certs.py | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7f3c246..127d0dd 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -210,9 +210,21 @@ class NSSDatabase(object):
 raise RuntimeError(
 Setting trust on %s failed % root_nickname)
 
+def get_cert(self, nickname, pem=False):
+args = ['-L', '-n', nickname]
+if pem:
+args.append('-a')
+else:
+args.append('-r')
+try:
+cert, err, returncode = self.run_certutil(args)
+except ipautil.CalledProcessError:
+raise RuntimeError(Failed to get %s % nickname)
+return cert
+
 def export_pem_cert(self, nickname, location):
 Export the given cert to PEM file in the given location
-cert, err, returncode = self.run_certutil([-L, -n, nickname, -a])
+cert = self.get_cert(nickname)
 with open(location, w+) as fd:
 fd.write(cert)
 os.chmod(location, 0444)
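Review bot: export_pem_cert calls self.get_cert(nickname) with the default pem=False, so it now runs certutil with -r and writes DER into the PEM file the docstring promises; it needs self.get_cert(nickname, pem=True) to keep the -a behaviour of the removed line. The except branch in get_cert also drops the captured stderr and return code, so the RuntimeError message loses the reason certutil gave; include err in the message.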
-- 
1.9.0

From b9d0562bb8a71599de699428a509692a1cc90145 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:45:29 +0200
Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in
 ipa-cacert-manage.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 install/tools/man/ipa-cacert-manage.1  |  6 +
 ipaserver/install/ipa_cacert_manage.py | 47 +-
 2 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 92fe717..cf42b24 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available.
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 The Directory Manager password to use for authentication.
 .TP
+\fB\-\-self\-signed\fR
+Sign the renewed certificate by itself.
+.TP
+\fB\-\-external\-ca\fR
+Sign the renewed certificate by external CA.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file.
 .TP
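Review bot: the --self-signed and --external-ca entries need to say that they are mutually exclusive and what the default is when neither is given (the existing certificate's current chaining is kept), and that --external-ca only begins a renewal that a later run with --external-cert-file completes. "Sign the renewed certificate by external CA" should read "Have the renewed certificate signed by an external CA".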
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 2b799c1..7c041de 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -27,7 +27,7 @@ import krbV
 
 from ipapython import admintool, certmonger, ipautil
 from ipapython.dn import DN
-from ipalib import api, errors, x509, util
+from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 
@@ -51,6 +51,14 @@ class CACertManage(admintool.AdminTool):
 
 renew_group = OptionGroup(parser, Renew options)
 renew_group.add_option(
+--self-signed, dest='self_signed',
+action='store_true',
+help=Sign the renewed certificate by itself)
+renew_group.add_option(
+--external-ca, dest='self_signed',
+action='store_false',
+help=Sign the renewed certificate by external CA)
+renew_group.add_option(
 --external-cert-file, dest='external_cert_file',
 help=PEM file containing a certificate signed by the external CA)
 renew_group.add_option(
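Review bot: with both options sharing dest='self_signed', "--self-signed --external-ca" is accepted and the later option wins silently; use separate dests (or a callback that raises OptionValueError on a second assignment) so the conflict can be rejected, and make the default=None that the later "is not None" check depends on explicit.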
@@ -145,7 +153,12 @@ class CACertManage(admintool.AdminTool):
 if options.external_cert_file:
 return self.renew_external_step_2(ca, cert)
 
-if x509.is_self_signed(cert, x509.DER):
+if options.self_signed is not None:
+self_signed = options.self_signed
+else:
+self_signed = x509.is_self_signed(cert, x509.DER)
+
+if self_signed:
 return self.renew_self_signed(ca)
 else:
 return self.renew_external_step_1(ca)
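Review bot: the external_cert_file check above this hunk short-circuits before self_signed is consulted, so "--self-signed --external-cert-file=FILE" ignores --self-signed without warning; validate that combination before this point, and log the chosen path so a failed external renewal records why the self-signed branch was not taken.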
@@ -178,20 +191,19 @@ class CACertManage(admintool.AdminTool):
 
 options = self.options
 cert_filename = options.external_cert_file
+ca_filename =