On 03/18/2013 12:58 PM, Petr Viktorin wrote:
Hello,
While the work is not complete, these patches allowed me to install an
IPA server without a CA, using PKCS#12 files for the server certs.
The patches don't break normal installation.
The --selfsign option (but not yet the code behind it) is removed.
The absence of a CA is indicated by `enable_ra=False` in the IPA config.
ipa-replica-install will still refuse to run; I'll look into that next.
I removed some unused code that got in my way: Dogtag 9 installation (we
can run a Dogtag 9-style CA, but we never *install* it), and
ipapython.certdb.CertDB (unused, not to be confused with ipaserver's
CertDB).
Hello,
This improves a developer testing tool. Details inside.
Submitting separately so any problems don't hold back the big batch of
CA-less patches.
--
Petr³
From 75b1c9e84fdf119a9ef07f851b76f0208185d51a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 2 Apr 2013 12:30:50 +0200
Subject: [PATCH] make-testcert: Add better messages for errors with CA-less servers
This adds better diagnostics/instructions for two cases of user error:
* The enable_ra setting in ~/.ipa/default.conf doesn't match what is on the server.
If server is CA-less but enable_ra=True, cert-request won't be available;
print out instructions to correct this
If server has a CA but enable_ra=False, make-testcert behaves as CA-less, see below
* In CA-less mode, the cert doesn't already exist.
Remind that enable_ra must be set properly (for the above case)
Instruct user to issue a cert and put it in place
---
make-testcert | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/make-testcert b/make-testcert
index a5814e1de9428e74a6343f5f13193748e3e04df6..e61089b3176d52e4888c48fb19d75fda8ea804af 100755
--- a/make-testcert
+++ b/make-testcert
@@ -84,6 +84,12 @@ def makecert(reqdir):
api.register(client)
api.finalize()
+ if not api.env.enable_ra:
+ print "IPA CA is not installed, no cert found"
+ print "Ensure enable_ra in ~/.ipa/default.conf matches the server."
+ print "Issue a test cert manually and put it in %s" % CERTPATH
+ return 1
+
ra = rabase.rabase()
if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:8888/ipa/xml':
sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py')
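Review bot: the new early return at the top of this hunk prints its diagnostics and returns 1, while the other failure paths in makecert hand the error text back as a string (see `return "certificate request failed"` in the next hunk), so a caller that prints or checks the returned message handles this case differently; returning the three lines as one string like the other branches would keep the error handling uniform. The first line, "IPA CA is not installed, no cert found", also reports a configuration check (enable_ra is False) as if a lookup had failed; wording it as "CA-less configuration detected (enable_ra=False) and no cert at CERTPATH" would match what the code actually tested.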
@@ -116,7 +122,8 @@ def makecert(reqdir):
except errors.NotFound:
return "certificate request failed"
except errors.CommandError:
- return "You need to set enable_ra=True in ~/.ipa/default.conf"
+ return ('cert_request command not found. If the IPA CA is not '
+ 'installed, set enable_ra=False in ~/.ipa/default.conf')
nss.nss_init_nodb()
c = x509.load_certificate(cert, x509.PEM)
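Review bot: the replacement message in the `except errors.CommandError` branch assumes the only reason for the error is that cert_request is absent on a CA-less server, but the handler does not look at the exception at all; binding it (`except errors.CommandError as e`) and including its text in the returned string would keep the CA-less hint without masking any other command error. Dropping the old "set enable_ra=True" hint is consistent with the previous hunk, which now returns before this point whenever enable_ra is False, so only the enable_ra=True case reaches here.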
--
1.8.1.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel