Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 29.7.2014 at 16:33 Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

Added. Updated patch attached.

A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an interdiff of the current and old 246.

Yep, I remember fixing this particular merge conflict.

rob

--
Jan Cholasta

From f906b9c8c6143e6a4b23fb7db16dc9855c7ef684 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com Date: Wed, 23 Jul 2014 13:25:22 +0200 Subject: [PATCH 55/56] Update external CA cert in Dogtag NSS DB on IPA CA cert renewal. Part of https://fedorahosted.org/freeipa/ticket/3737 --- install/restart_scripts/renew_ca_cert | 71 ++- 1 file changed, 62 insertions(+), 9 deletions(-) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 3814b81..2ad2038 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -121,23 +121,76 @@ def main(): else: syslog.syslog(syslog.LOG_NOTICE, Not updating CS.cfg) -# Update CA certificate in LDAP -if ca.is_renewal_master(): -try: -conn = ldap2(shared_instance=False, - ldap_uri=api.env.ldap_uri) -conn.connect(ccache=ccache) - +# Remove old external CA certificates +for ca_nick, ca_flags in db.list_certs(): +if 'u' in ca_flags: +continue +# Delete *all* certificates that use the nickname +while True: +try: +db.delete_cert(ca_nick) +except ipautil.CalledProcessError: +syslog.syslog( +syslog.LOG_ERR, +Failed to remove certificate %s % ca_nick) +break +if not db.has_nickname(ca_nick): +break + +conn = None +try: +conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) +conn.connect(ccache=ccache) +except Exception, e: +syslog.syslog( +syslog.LOG_ERR, Failed to connect to LDAP: %s % e) +else: +# Update CA certificate in LDAP +if ca.is_renewal_master(): try: certstore.update_ca_cert(conn, api.env.basedn, cert) except errors.EmptyModlist: pass +except Exception, e: +syslog.syslog( +syslog.LOG_ERR, +Updating CA certificate failed: %s % e) -conn.disconnect() +# Add external CA certificates +ca_issuer = str(x509.get_issuer(cert, x509.DER)) +try: +ca_certs = certstore.get_ca_certs( +conn, api.env.basedn, api.env.realm, False, +filter_subject=ca_issuer) except Exception, e: syslog.syslog( syslog.LOG_ERR, -Updating CA certificate failed: %s % e) +
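Review bot: the "Remove old external CA certificates" loop runs before the LDAP connection is attempted, so when `conn = ldap2(...)` / `conn.connect(ccache=ccache)` fails (the new `Failed to connect to LDAP` branch) or the later `certstore.get_ca_certs(...)` call fails, the Dogtag NSS database has already lost every non-'u' certificate and nothing in this hunk puts a replacement back; consider fetching the external CA certificates from LDAP first and only then running the `while True` deletion loop, or skipping the deletion when the fetch fails. Also, the removed `-conn.disconnect()` has no visible replacement in this hunk; make sure the connection is closed on every path, e.g. with a `finally:` on the `try` that surrounds `conn.connect`.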
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 29.7.2014 at 16:33 Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

Added. Updated patch attached.

A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an interdiff of the current and old 246.

Yep, I remember fixing this particular merge conflict.

ACK

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
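The point Jan makes in the exchange above, that certutil -D removes only one certificate carrying a nickname while a renewed external CA leaves several under the same nickname, can be shown with a constructed stand-in for CertDB. This is an added example, not code from the FreeIPA patch; FakeCertDB, its flag strings and the max_rounds cap are assumptions modelling certutil behaviour, and the logging module stands in for syslog.

```python
import logging
import subprocess
from collections import namedtuple

log = logging.getLogger("renew_ca_cert_example")   # stands in for syslog

# One row per certificate in the NSS database.  certutil allows several
# certificates (e.g. successive renewals of one CA) to share a nickname.
Entry = namedtuple("Entry", "nickname serial flags")


class FakeCertDB:
    """Constructed stand-in for ipaserver's CertDB (assumption, not the real
    class).  delete_cert mirrors `certutil -D -n NICK`: it removes exactly
    ONE certificate carrying the nickname per call."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.fail_on = set()   # nicknames whose deletion fails (simulated certutil error)

    def list_certs(self):
        """(nickname, trust flags) rows, one per nickname, like certutil -L."""
        rows = []
        for e in self.entries:
            if all(n != e.nickname for n, _ in rows):
                rows.append((e.nickname, e.flags))
        return rows

    def has_nickname(self, nickname):
        return any(e.nickname == nickname for e in self.entries)

    def delete_cert(self, nickname):
        if nickname in self.fail_on:
            raise subprocess.CalledProcessError(255, ["certutil", "-D", "-n", nickname])
        for i, e in enumerate(self.entries):
            if e.nickname == nickname:
                del self.entries[i]        # only the first match goes
                return
        raise subprocess.CalledProcessError(255, ["certutil", "-D", "-n", nickname])


def is_own_cert(flags):
    """'u' in the trust flags means the database holds the private key, i.e.
    one of IPA's own certificates; those must never be removed here."""
    return "u" in flags


def remove_external_cas_once(db):
    """The single-delete variant proposed in review: one delete per nickname.
    Leaves older versions of a renewed CA certificate behind."""
    failed = []
    for ca_nick, ca_flags in db.list_certs():
        if is_own_cert(ca_flags):
            continue
        try:
            db.delete_cert(ca_nick)
        except subprocess.CalledProcessError:
            log.error("Failed to remove certificate %s", ca_nick)
            failed.append(ca_nick)
    return failed


def remove_external_cas_all(db, max_rounds=32):
    """The loop from patch 306: delete until no certificate with the nickname
    is left.  max_rounds is a safety cap (an addition over the patch) so a
    misbehaving database cannot spin this forever."""
    failed = []
    for ca_nick, ca_flags in db.list_certs():
        if is_own_cert(ca_flags):
            continue
        for _ in range(max_rounds):
            try:
                db.delete_cert(ca_nick)
            except subprocess.CalledProcessError:
                log.error("Failed to remove certificate %s", ca_nick)
                failed.append(ca_nick)
                break
            if not db.has_nickname(ca_nick):
                break
    return failed


def sample_db():
    """Constructed Dogtag-style NSS DB after an external CA renewal: the old
    and the renewed external CA certificate share one nickname."""
    return FakeCertDB([
        Entry("caSigningCert cert-pki-ca", 1, "CTu,Cu,Cu"),
        Entry("Server-Cert cert-pki-ca", 2, "u,u,u"),
        Entry("External Authority", 10, "C,,"),
        Entry("External Authority", 11, "C,,"),
        Entry("Intermediate CA", 20, ",,"),
    ])


if __name__ == "__main__":
    db = sample_db()
    remove_external_cas_once(db)
    print("after single delete:", db.has_nickname("External Authority"))  # True
    db = sample_db()
    remove_external_cas_all(db)
    print("after loop:", db.has_nickname("External Authority"))           # False
```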
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 30.7.2014 at 14:47 Rob Crittenden wrote:
Jan Cholasta wrote:
On 29.7.2014 at 16:33 Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

Added. Updated patch attached.

A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an interdiff of the current and old 246.

Yep, I remember fixing this particular merge conflict.

ACK

rob

Thank you for the review.

(please push in this order: 241-253, 262-294, 303-305, 295-299, 306-307)

--
Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 07/30/2014 02:51 PM, Jan Cholasta wrote:
On 30.7.2014 at 14:47 Rob Crittenden wrote:
Jan Cholasta wrote:
On 29.7.2014 at 16:33 Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

Added. Updated patch attached.

A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an interdiff of the current and old 246.

Yep, I remember fixing this particular merge conflict.

ACK

rob

Thank you for the review.

(please push in this order: 241-253, 262-294, 303-305, 295-299, 306-307)

Pushed to:
master: 044c5c833a83a541f97785279acfe8e113035b3d
ipa-4-1: 044c5c833a83a541f97785279acfe8e113035b3d

--
Petr³
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

A slight rebase on 251 is needed for freeipa.spec.in.

rob
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Rob Crittenden wrote:
Jan Cholasta wrote:
On 28.7.2014 at 21:39 Rob Crittenden wrote:

This is oh-so close. AFAICT it generally does what it should, I think it is ready for a wider audience. Just a few more things:

306: A while True loop is used for something which AFAICT can only ever execute once. I'd think something like this is more readable:

    for ca_nick, ca_flags in db.list_certs():
        if db.has_nickname(ca_cert):
            try:
                db.delete_cert(ca_nick)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    Failed to remove certificate %s % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn CertDB.delete_cert) deletes just a single cert with the nickname, but there may be more versions of it and we need to delete them all.

Aha, excellent point. This would be a great comment in the code!

+1 on the additional syslogs. It will help figure out what's going on if things go sideways.

Otherwise things seem to be working. I think that fixing the above is enough for a +57 with the promise of unit tests to back up some of these new functions.

I'm working on that.

rob

rob

I have made a slight adjustment to patch 246 because of https://fedorahosted.org/freeipa/ticket/4039, see http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html. Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 303-305, 295-299, 306-307)

ACK on 246.

IMHO this is ready to be pushed if you can add the comment on 306.

A slight rebase on 251 is needed for freeipa.spec.in.

Oh, or maybe not since you sent the whole shebang. I just did an interdiff of the current and old 246.

rob
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 22.7.2014 15:21, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 2.7.2014 19:37, Jan Cholasta wrote:
On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:

    # pki cert-find
    PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored.

It does not work for me as well, with the current F20 dogtag packages, but like I said, it worked some time ago. Still haven't figured this out, unfortunately.

Fixed. Part of the problem was that the validation code I used on CA certificates was too tolerant (fixed in patches 249 and 251). Another part was the NSS validation code that Dogtag uses requires the issuing CA to be present in the NSS database (fixed in patch 306). Finally, Dogtag uses default NSS certificate path validation, which means you have to either keep all versions of the CA certificate in the NSS database, or enable PKIX path validation in NSS. Certmonger does not like having multiple versions of a certificate it is tracking in the database, so I have gone the PKIX route (patch 307).

Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA certificates on master.

Updated rebased patches attached. The correct order to apply is 295-294, 303-305, 295-299.

251

I'm a little confused about the profile names. I see you changed the renewal profile from ipaCACertRenewal to caCACert which I guess makes sense. I don't see an ipaCACertRenewal profile. There is still a reference to an ipaRetrieval profile, what is that?

Oops, I forgot to mention that, I guess I shouldn't post patches at such a late hour :) Sorry.

ipaCACertRenewal should be used only for automatic renewal, not for manual. It calls caCACert and ipaRetrieval internally, but there are some conditions, which don't apply to manual renewal. It's a change I forgot to make before, so I made it now when I noticed it.

ipaRetrieval fetches the certificate from cn=ca_renewal, i.e. what dogtag-ipa-retrieve-agent-submit used to do.

ACK to the changes in 291

299

I guess you added the check for existing certs to avoid conflicts? I guess it means that a user is hosed if they chose the same name for their CA that we use? I think you're missing a sys.exit(1) here.

Yes. It is a poor man's solution, but it would take time to make something better. (I can deal with nickname conflicts rather easily by renaming the certificates, but handling subject conflict would require removing the old certificate from the certificate store, which is not yet supported.)

Fixed missing exit.

303

Looks good. The man page is still a little thin

304

Not to be too pedantic but if removing the old CACERT fails (SELinux, immutable file) then the install will blow up and this is the very end. I think the removal should happen earlier, before anything else happens. That way at least you don't wait 10 minutes to find out the install failed.

I switched to overwriting the file instead. It is created/written a few lines above, so if it shall fail, it will fail there.

305

ACK

I didn't have a ton of time to test but a basic install fails with:

    2014-07-03T21:44:49Z DEBUG stderr=
    2014-07-03T21:44:49Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 640, in run_script
        return_value = main_function()
      File /usr/sbin/ipa-server-install, line 1046, in main
        dm_password, subject_base=options.subject)
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 489, in configure_instance
        self.start_creation(runtime=210)
      File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
        method()
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1041, in __import_ca_chain
        (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
      File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 79, in get_cert_nickname
        nsscert = x509.load_certificate(cert)
      File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate
        return nss.Certificate(buffer(data))
    2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

I haven't gotten much further than this. I spent some time trying to find a change that would cause it and came up empty. Once this bug shows, it always shows, but it can go away at times too which is just blowing my little mind. For example, I tried rolling the patches back one at a time (revert, build, install, repeat). It failed even back to the point where I knew things should be working. I installed
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Rob Crittenden wrote:
Jan Cholasta wrote:
On 2.7.2014 19:37, Jan Cholasta wrote:
On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:

    # pki cert-find
    PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored.

It does not work for me as well, with the current F20 dogtag packages, but like I said, it worked some time ago. Still haven't figured this out, unfortunately.

Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA certificates on master.

Updated rebased patches attached. The correct order to apply is 295-294, 303-305, 295-299.

251

I'm a little confused about the profile names. I see you changed the renewal profile from ipaCACertRenewal to caCACert which I guess makes sense. I don't see an ipaCACertRenewal profile. There is still a reference to an ipaRetrieval profile, what is that?

ACK to the changes in 291

299

I guess you added the check for existing certs to avoid conflicts? I guess it means that a user is hosed if they chose the same name for their CA that we use? I think you're missing a sys.exit(1) here.

303

Looks good. The man page is still a little thin

304

Not to be too pedantic but if removing the old CACERT fails (SELinux, immutable file) then the install will blow up and this is the very end. I think the removal should happen earlier, before anything else happens. That way at least you don't wait 10 minutes to find out the install failed.

305

ACK

I didn't have a ton of time to test but a basic install fails with:

    2014-07-03T21:44:49Z DEBUG stderr=
    2014-07-03T21:44:49Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 640, in run_script
        return_value = main_function()
      File /usr/sbin/ipa-server-install, line 1046, in main
        dm_password, subject_base=options.subject)
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 489, in configure_instance
        self.start_creation(runtime=210)
      File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
        method()
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1041, in __import_ca_chain
        (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
      File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 79, in get_cert_nickname
        nsscert = x509.load_certificate(cert)
      File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate
        return nss.Certificate(buffer(data))
    2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

I haven't gotten much further than this. I spent some time trying to find a change that would cause it and came up empty. Once this bug shows, it always shows, but it can go away at times too which is just blowing my little mind. For example, I tried rolling the patches back one at a time (revert, build, install, repeat). It failed even back to the point where I knew things should be working. I installed 3.3.5, then tried the current build, which had failed before, and it worked. So there is some odd transient thing going on that I can't wrap my head around.

rob
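The SEC_ERROR_REUSED_ISSUER_AND_SERIAL failure quoted above is NSS refusing to import a certificate whose issuer/serial pair it already holds under different bytes, which is exactly what two renewed versions of one CA certificate in a chain file look like. As an added example (not FreeIPA code), the following scans a PEM bundle for such pairs before anything is handed to certutil; the DER walker, the fake-certificate builder and the sample bundle are minimal constructions for illustration, not the ipalib x509 module.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """Split a PEM bundle (e.g. a ca.crt chain file) into per-certificate DER."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def der_tlv(data):
    """Decode the first DER element of data; return (tag, value, rest)."""
    tag, length, pos = data[0], data[1], 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        pos = 2 + n
    return tag, data[pos:pos + length], data[pos + length:]


def der_children(value):
    """[(tag, value, raw_tlv)] for the elements inside a SEQUENCE body."""
    out, rest = [], value
    while rest:
        tag, val, remaining = der_tlv(rest)
        out.append((tag, val, rest[:len(rest) - len(remaining)]))
        rest = remaining
    return out


def issuer_and_serial(cert_der):
    """(issuer Name as raw DER, serial number) of an X.509 certificate.
    Minimal walker: it only reads the fields NSS keys the import on."""
    _, cert, _ = der_tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                  # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = fields[2][2]                      # fields[1] is the signature AlgorithmIdentifier
    return issuer, serial


def find_reused_issuer_serial(ders):
    """(issuer, serial) pairs shared by two *different* certificates: these
    are what certutil/NSS rejects with SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
    Byte-identical duplicates are harmless and are not reported."""
    seen, conflicts = {}, []
    for der in ders:
        key = issuer_and_serial(der)
        if key in seen and seen[key] != der and key not in conflicts:
            conflicts.append(key)
        seen.setdefault(key, der)
    return conflicts


# --- constructed test data: a tiny DER encoder for fake certificates -------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v):                               # non-negative INTEGER
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _der_name(cn):                             # Name with a single CN RDN
    attr = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert_der(issuer_cn, serial, subject_cn, not_before):
    """Structurally valid but unsigned certificate with a placeholder key;
    only good for exercising the parser above (constructed, not real)."""
    sig_alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + sig_alg
               + _der_name(issuer_cn) + validity + _der_name(subject_cn)
               + _der(0x30, b""))              # empty SubjectPublicKeyInfo placeholder
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


def to_pem(der):
    body = base64.encodebytes(der).decode().replace("\n", "")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sample_bundle():
    """Constructed chain file: the IPA CA certificate twice (old and renewed,
    same issuer and serial, different validity) plus a distinct external CA."""
    old = fake_cert_der("Certificate Authority", 1, "Certificate Authority", "140101000000Z")
    new = fake_cert_der("Certificate Authority", 1, "Certificate Authority", "160101000000Z")
    ext = fake_cert_der("External Authority", 7, "Certificate Authority", "140101000000Z")
    return to_pem(old) + to_pem(new) + to_pem(ext)


if __name__ == "__main__":
    for issuer, serial in find_reused_issuer_serial(pem_to_ders(sample_bundle())):
        print("conflicting issuer/serial: serial", serial, "issuer DER", issuer.hex())
```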
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 2.7.2014 19:37, Jan Cholasta wrote:
On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:

    # pki cert-find
    PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored.

It does not work for me as well, with the current F20 dogtag packages, but like I said, it worked some time ago. Still haven't figured this out, unfortunately.

Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA certificates on master.

Updated rebased patches attached. The correct order to apply is 295-294, 303-305, 295-299.

251

I'm a little confused about the profile names. I see you changed the renewal profile from ipaCACertRenewal to caCACert which I guess makes sense. I don't see an ipaCACertRenewal profile. There is still a reference to an ipaRetrieval profile, what is that?

ACK to the changes in 291

299

I guess you added the check for existing certs to avoid conflicts? I guess it means that a user is hosed if they chose the same name for their CA that we use? I think you're missing a sys.exit(1) here.

303

Looks good. The man page is still a little thin

304

Not to be too pedantic but if removing the old CACERT fails (SELinux, immutable file) then the install will blow up and this is the very end. I think the removal should happen earlier, before anything else happens. That way at least you don't wait 10 minutes to find out the install failed.

305

ACK

I didn't have a ton of time to test but a basic install fails with:

    2014-07-03T21:44:49Z DEBUG stderr=
    2014-07-03T21:44:49Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 640, in run_script
        return_value = main_function()
      File /usr/sbin/ipa-server-install, line 1046, in main
        dm_password, subject_base=options.subject)
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 489, in configure_instance
        self.start_creation(runtime=210)
      File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
        method()
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1041, in __import_ca_chain
        (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
      File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 79, in get_cert_nickname
        nsscert = x509.load_certificate(cert)
      File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate
        return nss.Certificate(buffer(data))
    2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

rob
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 28.6.2014 00:19, Rob Crittenden wrote:

I'm going to consolidate all reviews for 241 - 303 here. I'm not doing this in any particular order.

OK, I will send further patches only in this thread.

Missing man page for ipa-certupdate

I did not want to delay the patch, so I have sent it without man page. Will fix.

Not a very nice error from ipa-cacert-manage install when loading a bad cert:

    # ipa-cacert-manage install /etc/group
    Installing CA certificate, please wait
    (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.

Right. Fixed.

The ipa-cacert-manage makes no mention of changing the cert chaining. It just adds the options, not what they do.

Here is what happened when I tried it:

    # ipa-cacert-manage renew --external-ca
    Exporting CA certificate signing request, please wait
    The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
    ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-ca-file=/path/to/external_ca_certificate
    The ipa-cacert-manage command was successful

[ go off and sign it ]

    # ipa-cacert-manage renew --external-cert-file=/home/rcrit/ca_db/ipa.crt --external-ca-file=/home/rcrit/ca_db/ca.crt
    Importing the renewed CA certificate, please wait
    Resubmitting certmonger request '20140627134654' timed out, please check the request manually

The request was actually in MONITORING, so ok.

But the CA is now not working

    # ipa cert-request --principal test/`hostname` csr
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
    # ipa cert-show 1
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

The CA database doesn't have my external CA

    # certutil -Ld /etc/pki/pki-tomcat/alias/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    Server-Cert cert-pki-ca                                      u,u,u
    auditSigningCert cert-pki-ca                                 u,u,Pu
    caSigningCert cert-pki-ca                                    CTu,Cu,Cu
    ocspSigningCert cert-pki-ca                                  u,u,u
    subsystemCert cert-pki-ca                                    u,u,u

Not sure if this is related:

    # pki cert-find
    PKIException: Internal Server Error

The problem is not in the missing external CA cert (the CA always worked fine without it for me, so I never bothered adding it). The problem is that Dogtag can't connect to DS, because it does not like its server certificate. Which is weird, because when I try doing the same using ldapsearch everything seems to work fine:

    # LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://$HOSTNAME -Y EXTERNAL -b o=ipaca -s base
    Please enter pin, password, or pass phrase for security token 'ldap(0)':
    SASL/EXTERNAL authentication started
    SASL username: cn=CA Subsystem,o=EXAMPLE.COM
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base o=ipaca with scope baseObject
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # ipaca
    dn: o=ipaca
    objectClass: top
    objectClass: organization
    o: ipaca

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Adding the old CA cert back to /etc/pki/pki-tomcat/alias does not fix this, although the error is different (ipa cert-show fails with internal error caused by XMLSyntaxError: None, pki cert-find fails with PKIException: Error searching certs in CertService.searchCerts!). Adding the external CA cert does not fix this either.

I'm pretty sure chaining change from self-signed to signed by external CA worked for me the last time I tested it, but it has been some time. Maybe something changed in Dogtag? I don't know.

Any ideas?

Note that I tried again with a fresh external install, this time without the --external-ca flag and it basically went through the same steps but this time it was successful.

Good.

I did a re-install and tried a renewal (with just ipa-server-install). I moved time forward and saw this:

    Request ID '20140627150913':
        status: MONITORING
        ca-error: Server at https://sif.greyoak.com:8443/ca/agent/ca/profileProcess; replied: 1: Invalid Credential.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='323234924210'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=GREYOAK.COM
        subject: CN=CA Audit,O=GREYOAK.COM
        expires: 2016-06-16 15:08:34 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote:
On 28.6.2014 00:19, Rob Crittenden wrote:

I'm going to consolidate all reviews for 241 - 303 here. I'm not doing this in any particular order.

Trimming to respond to your questions.

Not sure if this is related:

    # pki cert-find
    PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored.

ipa-client-install still fails for me in RHEL-5 with an external CA:

    2014-06-27 14:04:31,202 DEBUG trying to retrieve CA cert via LDAP from ldap://sif.greyoak.com
    2014-06-27 14:04:32,312 INFO Successfully retrieved CA cert
        Subject: /O=GREYOAK.COM/CN=Certificate Authority
        Issuer: /CN=External Authority
    2014-06-27 14:04:32,467 DEBUG args=/usr/sbin/ipa-join -s sif.greyoak.com -b dc=greyoak,dc=com
    2014-06-27 14:04:32,467 DEBUG stdout=
    2014-06-27 14:04:32,467 DEBUG stderr=libcurl failed to execute the HTTP POST transaction. SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This is the query that is being done:

    [27/Jun/2014:14:04:31 -0400] conn=18 op=3 SRCH base=CN=CAcert,CN=ipa,CN=etc,dc=greyoak,dc=com scope=0 filter=(objectClass=pkiCA) attrs=cacertificate;binary

It returns a single object, the dogtag-issued CA certificate, not the entire chain, hence the failure.

I doubt this ever worked, as there can be only one certificate in cn=CAcert. Can't do much about this, unless you want to fix it in RHEL 5.

Ok, as it is not a regression I won't let that block these patches.

Similarly /etc/ipa/ca.crt on the master contains only the IPA CA while /usr/share/ipa/html/ca.crt contains the full chain.

Right, will fix.

This works:

    # wget -O /tmp/ca.crt http://sif.greyoak.com/ipa/config/ca.crt
    # ipa-client-install --server=sif.greyoak.com --domain=greyoak.com -p admin -w password -U --ca-cert-file=/tmp/ca.crt

Enrollment on RHEL-6 also puts a single CA in /etc/ipa/ca.crt but enrollment succeeds.

That's expected, it also uses cn=CAcert.

Any idea why it works on RHEL 6 but not on RHEL 5?

I'd guess it has something to do with OpenSSL vs NSS.

Patch 303. Is the context as cli_installer a cut-n-paste or a conscious choice?

It is indeed copy-paste. Is it wrong?

The context is completely arbitrary and rarely used. But it is used in a few places, though IIRC mostly on the server side. It probably doesn't matter much but being client-specific is good future-proofing.

rob
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 2.7.2014 19:08, Rob Crittenden wrote: Trimming to respond to your questions. Not sure if this is related: # pki cert-find PKIException: Internal Server Error I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored. It does not work for me as well, with the current F20 dogtag packages, but like I said, it worked some time ago. Patch 303. Is the context as cli_installer a cut-n-paste or a conscious choice? It is indeed copy-paste. Is it wrong? The context is completely arbitrary and rarely used. But it is used in a few places, though IIRC mostly on the server side. It probably doesn't matter much but being client-specific is good future-proofing. OK, thought this was something more serious :-) I copied the context from ipa-client-automount, since ipa-certupdate is also client-side installer-like command. rob -- Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Rob Crittenden wrote: Jan Cholasta wrote: On 26.6.2014 20:05, Rob Crittenden wrote: Jan Cholasta wrote: On 16.6.2014 15:35, Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza Rebased on top of current master. 295 ACK 296, 297 299 TBD, need to test but no problems seen so far. 298 The man page, if not usage, should include what the valid trust flags are or point to NSS documentation. OK. rob Updated rebased patches attached. Also attaching all the required patches. A few more things after more testing. If one renews an externally-issued CA then you can end up with multiple certs for the IPA CA in /etc/pki/nssdb (for each issued cert). These do not seem to be cleaned up on uninstall. On upgrade from 3.3.5 seeing: Unexpected error - see /var/log/ipaupgrade.log for details: InvalidSyntax: object class ipaCertificate: Unknown required attribute type ipaPublicKey: Invalid syntax. 
/var/log/ipaupgrade ends with:

2014-06-30T15:03:11Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2014-06-30T15:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-upgradeconfig", line 1171, in main
    ds.start(ds_serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 297, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 262, in start
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 228, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1153, in wait_for_open_ports
    raise socket.timeout()
2014-06-30T15:08:12Z DEBUG The ipa-upgradeconfig command failed, exception: timeout:

Turns out it blew up so badly that it didn't restore dse.ldif when the upgrade finished, something I thought was impossible. This is a pretty serious problem in itself (and likely unrelated to these patches).

rob
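As an added illustration (not code from these patches or from the FreeIPA project): a small parser for `certutil -L` output that decodes the NSS trust flags the 298 review asks to have documented and reports nicknames occurring more than once, which is how the duplicated IPA CA entries in /etc/pki/nssdb described above would show up. The sample output is constructed, and `parse_certutil_list`, `decode_trust` and `find_duplicate_nicknames` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output (not captured
# from a real system): the IPA CA nickname appears twice, as can happen after
# an externally-issued CA certificate has been renewed.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External Authority                                           CT,C,C
GREYOAK.COM IPA CA                                           CT,C,C
GREYOAK.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""

# Meaning of the certutil trust-flag letters, per the NSS certutil manual.
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (implies c)",
    "u": "user certificate (private key present in the database)",
}

# A data line is "<nickname>  <ssl>,<email>,<objsign>"; nicknames may contain
# single spaces, so the split is on a run of two or more spaces.
_LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[A-Za-z]*(?:,[A-Za-z]*){2})\s*$")

def parse_certutil_list(output):
    """Return [(nickname, flags), ...] for every certificate line in output."""
    entries = []
    for line in output.splitlines():
        match = _LINE_RE.match(line)
        if match:  # the two header lines and blank lines do not match
            entries.append((match.group("nick"), match.group("flags")))
    return entries

def decode_trust(flags):
    """Expand e.g. "CT,C,C" into the meaning of each flag, per trust category."""
    ssl, email, objsign = flags.split(",")
    return {name: [TRUST_FLAGS.get(ch, "unknown flag %r" % ch) for ch in field]
            for name, field in (("ssl", ssl), ("email", email), ("objsign", objsign))}

def find_duplicate_nicknames(entries):
    """Nicknames present more than once; certutil -D removes one copy per call."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}
```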
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote: How it is monitoring with a ca-error I don't know. If there's a previously-issued certificate present, the state machine goes back to monitoring rather than the dead-end rejected state, so that it'll try again later when certificate crosses the next enroll_ttl threshold. It's mainly a guess at the right thing to do in that situation (in case the CA rejected the request for a transient reason that gets remedied at the server at some point), so I'm not firmly wedded to it, and remain open to changing it. Now that I'm writing this, I'm thinking rejected requests should probably be re-attempted, eventually, though it risks annoying the CA. Cheers, Nalin
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 16.6.2014 15:35, Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza Rebased on top of current master. -- Jan Cholasta From 6d234a5f8756876a980a7a0c15fca64fe0a6a975 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:44:03 +0200 Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs from NSS databases. Part of https://fedorahosted.org/freeipa/ticket/3737 --- ipaserver/install/certs.py | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 118cf77..37b102c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -211,9 +211,21 @@ class NSSDatabase(object): raise RuntimeError( Setting trust on %s failed % root_nickname) +def get_cert(self, nickname, pem=False): +args = ['-L', '-n', nickname] +if pem: +args.append('-a') +else: +args.append('-r') +try: +cert, err, returncode = self.run_certutil(args) +except ipautil.CalledProcessError: +raise RuntimeError(Failed to get %s % nickname) +return cert + def export_pem_cert(self, nickname, location): Export the given cert to PEM file in the given location -cert, err, returncode = self.run_certutil([-L, -n, nickname, -a]) +cert = self.get_cert(nickname) with open(location, w+) as fd: fd.write(cert) os.chmod(location, 0444) -- 1.9.0 From f4b9c00871caab73201d12f24a3b158c03742eba Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:45:29 +0200 Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 --- install/tools/man/ipa-cacert-manage.1 | 6 + ipaserver/install/ipa_cacert_manage.py | 41 +++--- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 92fe717..cf42b24 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available. \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR The Directory Manager password to use for authentication. .TP +\fB\-\-self\-signed\fR +Sign the renewed certificate by itself. +.TP +\fB\-\-external\-ca\fR +Sign the renewed certificate by external CA. +.TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file. .TP diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index f6f3a8b..a0aa355 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -28,7 +28,7 @@ import krbV from ipapython import admintool, certmonger, ipautil from ipapython.dn import DN from ipaplatform.paths import paths -from ipalib import api, errors, x509, util +from ipalib import api, errors, x509, certstore from ipaserver.install import certs, cainstance, installutils from ipaserver.plugins.ldap2 import ldap2 
@@ -52,6 +52,14 @@ class CACertManage(admintool.AdminTool): renew_group = OptionGroup(parser, Renew options) renew_group.add_option( +--self-signed, dest='self_signed', +action='store_true', +help=Sign the renewed certificate by itself) +renew_group.add_option( +--external-ca, dest='self_signed', +action='store_false', +help=Sign the renewed certificate by external CA) +renew_group.add_option( --external-cert-file, dest='external_cert_file', help=PEM file containing a certificate signed by the external CA) renew_group.add_option( @@ -146,7 +154,12 @@ class CACertManage(admintool.AdminTool): if options.external_cert_file: return self.renew_external_step_2(ca, cert) -if x509.is_self_signed(cert, x509.DER): +if options.self_signed is not None: +self_signed = options.self_signed +else: +self_signed = x509.is_self_signed(cert, x509.DER) + +if self_signed: return self.renew_self_signed(ca) else: return self.renew_external_step_1(ca) @@ -179,20 +192,19 @@ class CACertManage(admintool.AdminTool):
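Review bot: in the certs.py hunk, `export_pem_cert` now calls `self.get_cert(nickname)` with the default `pem=False`, so `get_cert` runs certutil with `-r` and returns the raw DER certificate, which is then written to the PEM file that the replaced `certutil -L -n nickname -a` call used to produce; pass `pem=True` there (`cert = self.get_cert(nickname, pem=True)`). The `except ipautil.CalledProcessError` branch also discards certutil's error output, and `err` and `returncode` are never used; including the caught exception in the `RuntimeError` message would preserve the failure reason.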
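Review bot: the ipa-cacert-manage.1 hunk does not say what happens when neither `--self-signed` nor `--external-ca` is given (the ipa_cacert_manage.py hunk falls back to `x509.is_self_signed(cert, x509.DER)`, so the current chaining is kept) or that the two options are mutually exclusive; state both, and consider rewording `Sign the renewed certificate by itself` to `Self-sign the renewed certificate`.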
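Review bot: in the option-parser hunk, `--self-signed` and `--external-ca` both write `dest='self_signed'` (`store_true` and `store_false`), so giving both on one command line silently lets the later one win; detect the conflict and raise a usage error instead of depending on argument order. The `options.self_signed is not None` test in the renew hunk relies on optparse defaulting an unset dest to `None`; an explicit `default=None` on the first option would make that intent visible.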
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote: On 16.6.2014 15:35, Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza Rebased on top of current master. 295 ACK 296, 297 299 TBD, need to test but no problems seen so far. 298 The man page, if not usage, should include what the valid trust flags are or point to NSS documentation. rob
[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza -- Jan Cholasta From 73b54fdd44a7f59f40b0e34dd565020deea74f00 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:44:03 +0200 Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs from NSS databases. Part of https://fedorahosted.org/freeipa/ticket/3737 --- ipaserver/install/certs.py | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 7f3c246..127d0dd 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -210,9 +210,21 @@ class NSSDatabase(object): raise RuntimeError( Setting trust on %s failed % root_nickname) +def get_cert(self, nickname, pem=False): +args = ['-L', '-n', nickname] +if pem: +args.append('-a') +else: +args.append('-r') +try: +cert, err, returncode = self.run_certutil(args) +except ipautil.CalledProcessError: +raise RuntimeError(Failed to get %s % nickname) +return cert + def export_pem_cert(self, nickname, location): Export the given cert to PEM file in the given location -cert, err, returncode = self.run_certutil([-L, -n, nickname, -a]) +cert = self.get_cert(nickname) with open(location, w+) as fd: fd.write(cert) os.chmod(location, 0444) -- 1.9.0 From b9d0562bb8a71599de699428a509692a1cc90145 Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:45:29 +0200 Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 --- install/tools/man/ipa-cacert-manage.1 | 6 + ipaserver/install/ipa_cacert_manage.py | 47 +- 2 files changed, 41 insertions(+), 12 deletions(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 92fe717..cf42b24 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available. \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR The Directory Manager password to use for authentication. .TP +\fB\-\-self\-signed\fR +Sign the renewed certificate by itself. +.TP +\fB\-\-external\-ca\fR +Sign the renewed certificate by external CA. +.TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file. .TP diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 2b799c1..7c041de 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -27,7 +27,7 @@ import krbV from ipapython import admintool, certmonger, ipautil from ipapython.dn import DN -from ipalib import api, errors, x509, util +from ipalib import api, errors, x509, certstore from ipaserver.install import certs, cainstance, installutils from ipaserver.plugins.ldap2 import ldap2 
@@ -51,6 +51,14 @@ class CACertManage(admintool.AdminTool): renew_group = OptionGroup(parser, Renew options) renew_group.add_option( +--self-signed, dest='self_signed', +action='store_true', +help=Sign the renewed certificate by itself) +renew_group.add_option( +--external-ca, dest='self_signed', +action='store_false', +help=Sign the renewed certificate by external CA) +renew_group.add_option( --external-cert-file, dest='external_cert_file', help=PEM file containing a certificate signed by the external CA) renew_group.add_option( @@ -145,7 +153,12 @@ class CACertManage(admintool.AdminTool): if options.external_cert_file: return self.renew_external_step_2(ca, cert) -if x509.is_self_signed(cert, x509.DER): +if options.self_signed is not None: +self_signed = options.self_signed +else: +self_signed = x509.is_self_signed(cert, x509.DER) + +if self_signed: return self.renew_self_signed(ca) else: return self.renew_external_step_1(ca) @@ -178,20 +191,19 @@ class CACertManage(admintool.AdminTool): options = self.options cert_filename = options.external_cert_file +ca_filename =
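Review bot: in the certs.py hunk of this posting, `export_pem_cert` calls `self.get_cert(nickname)` without `pem=True`, so the default `-r` path returns DER and that is what gets written to the PEM file the old `certutil -L -n nickname -a` call produced; use `cert = self.get_cert(nickname, pem=True)`. The `except ipautil.CalledProcessError` branch drops certutil's error output and leaves `err` and `returncode` unused; carry the exception text into the `RuntimeError`.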
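Review bot: the ipa-cacert-manage.1 hunk should document the default when neither `--self-signed` nor `--external-ca` is passed (per the ipa_cacert_manage.py hunk, `x509.is_self_signed(cert, x509.DER)` decides, keeping the current chaining) and that the two options exclude each other; `Sign the renewed certificate by itself` would read better as `Self-sign the renewed certificate`.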
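Review bot: in the option-parser hunk, `--self-signed` (`store_true`) and `--external-ca` (`store_false`) share `dest='self_signed'`, so specifying both is accepted and the last one wins; reject the combination with a usage error. The `is not None` check in the renew hunk depends on optparse's implicit `None` default, which an explicit `default=None` would make obvious to the next reader.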