Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Marx, Peter
what I feared... 
ok. I will open an enhancement ticket. Hopefully somebody can provide a 
preliminary patch I can apply.

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Monday, August 08, 2016 11:48 AM
To: Marx, Peter
Cc: Rob Crittenden; 'freeipa-devel@redhat.com'
Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?

On Mon, 08 Aug 2016, Marx, Peter wrote:
>I am trying this but it has no effect - as if the environment is not passed to 
>the called helper scep-submit.
>
>In /usr/lib/systemd/certmonger.service there is already a link defined to add 
>stuff:
>[Service]
>..
>EnvironmentFile=/etc/sysconfig/certmonger
>
>In /etc/sysconfig/certmonger I added my proxy like this:
>
>[Service]
>Environment="http_proxy=http://proxyuser:proxypassword@proxyserver:proxyport"
>
>After systemctl daemon-reload and systemctl restart certmonger my 
>requests still do not get to the proxy.
>
>Commenting out the EnvironmentFile line and adding the Environment line 
>directly in certmonger.service had the same result.
>
>Can somebody confirm that the proxy setting is visible to the called 
>scep-submit ?
I've checked the certmonger source code and while libcurl can be configured to use 
a proxy and proxy authentication, certmonger does not configure it to do so. As 
a result, environment variables have no influence on the use of libcurl by 
certmonger.

It is worth opening a ticket for certmonger to add proxy support.

--
/ Alexander Bokovoy

automechanika - 13.09.-17.09.2016 - Messe Frankfurt - Hall 3.0 - Stand G98 + E91
InnoTrans - 20.09.-23.09.2016 - Messe Berlin - Hall 1.2b - Stand 104 + 210
IAA - 22.09.-29.09.2016 - Messe Hannover - Hall 17 - Stand A30 + D131

Knorr-Bremse IT-Services GmbH
Sitz: Muenchen
Geschaeftsfuehrer: Helmut Draxler (Vorsitzender), Harald Jessen, Harald 
Schneider
Registergericht Muenchen, HR B 167 268

This transmission is intended solely for the addressee and contains 
confidential information.
If you are not the intended recipient, please immediately inform the sender and 
delete the message and any attachments from your system. 
Furthermore, please do not copy the message or disclose the contents to anyone 
unless agreed otherwise. To the extent permitted by law we shall in no way be 
liable for any damages, whatever their nature, arising out of transmission 
failures, viruses, external influence, delays and the like.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Marx, Peter wrote:

>I am trying this but it has no effect - as if the environment is not passed to
>the called helper scep-submit.
>
>In /usr/lib/systemd/certmonger.service there is already a link defined to add
>stuff:
>[Service]
>..
>EnvironmentFile=/etc/sysconfig/certmonger
>
>In /etc/sysconfig/certmonger I added my proxy like this:
>
>[Service]
>Environment="http_proxy=http://proxyuser:proxypassword@proxyserver:proxyport"
>
>After systemctl daemon-reload and systemctl restart certmonger my
>requests still do not get to the proxy.
>
>Commenting out the EnvironmentFile line and adding the Environment line
>directly in certmonger.service had the same result.
>
>Can somebody confirm that the proxy setting is visible to the called
>scep-submit ?

I've checked the certmonger source code and while libcurl can be configured
to use a proxy and proxy authentication, certmonger does not configure it
to do so. As a result, environment variables have no influence on the
use of libcurl by certmonger.

It is worth opening a ticket for certmonger to add proxy support.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Marx, Peter
I am trying this but it has no effect - as if the environment is not passed to 
the called helper scep-submit.

In /usr/lib/systemd/certmonger.service there is already a link defined to add 
stuff:
[Service]
..
EnvironmentFile=/etc/sysconfig/certmonger

In /etc/sysconfig/certmonger I added my proxy like this:

[Service]
Environment="http_proxy=http://proxyuser:proxypassword@proxyserver:proxyport"

After systemctl daemon-reload and systemctl restart certmonger my requests 
still do not get to the proxy.

Commenting out the EnvironmentFile line and adding the Environment line directly 
in certmonger.service had the same result.

Can somebody confirm that the proxy setting is visible to the called 
scep-submit ? 


-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Thursday, August 04, 2016 6:02 PM
To: Marx, Peter
Cc: Rob Crittenden; 'freeipa-devel@redhat.com'
Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?

On Thu, 04 Aug 2016, Marx, Peter wrote:
>I tried it and found out it can't work this way - when issuing a CSR 
>with getcert, the parameters of this request are normally handed over 
>by getcert to the scep-submit helper. I see no way to intercept these 
>parameters and pass them to the proxy-shellscript. Only the -u 
>parameter is known beforehand, as it is configured in the ca description 
>file or in the proxy shellscript itself.
On systemd-enabled systems certmonger runs as a service. You can affect the 
environment of the service by adding files ending in .conf in 
/etc/systemd/system/certmonger.service.d/

See systemd.service and systemd.unit man pages.

>
>Peter
>
>-Original Message-
>From: Rob Crittenden [mailto:rcrit...@redhat.com]
>Sent: Wednesday, August 03, 2016 3:52 PM
>To: Marx, Peter; 'freeipa-devel@redhat.com'
>Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?
>
>Marx, Peter wrote:
>> Hi,
>>
>> I have to access an external PKI server with SCEP protocol through 
>> our corporate proxy.  On command line I can set the proxy and trigger 
>> a CSR with the scep-submit helper successfully.
>
>What are you setting, environment variables I assume?
>
>> But same operation with getcert fails, as there is no proxy 
>> configuration possibility in e.g. certmonger.conf.
>>
>> How can I work around this ?
>
>A quick kludge might be to replace scep-submit with a shell script that 
>exports the proxy config and then calls the real scep-submit.
>
>A perhaps better and more supportable idea would be to add a CA pointing to 
>this new helper, something like:
>
>getcert add-ca -c exampleSCEPca -e \
>  "/usr/libexec/certmonger/scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe"
>
>So scep-submit-proxy would set up the environment and call scep-submit.
>
>rob
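
systemd.exec(5) describes EnvironmentFile= as a file of plain NAME=VALUE lines, ignoring blank lines, lines starting with # or ;, and lines without =. The following check is an added example, not part of the thread: it lists the variable names such a file defines, run on a constructed copy of the /etc/sysconfig/certmonger content quoted above and on a plain NAME=VALUE form. The function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: report which variable names an EnvironmentFile= would define.
# Parsing rules follow systemd.exec(5): blank lines, lines starting with
# '#' or ';', and lines without '=' are ignored; the rest are NAME=VALUE.

# Constructed samples: the file content as shown in the thread, and the
# same proxy URL written as a plain NAME=VALUE assignment.
SAMPLE_UNIT_STYLE='[Service]
Environment="http_proxy=http://proxyuser:proxypassword@proxyserver:proxyport"'
SAMPLE_PLAIN='# proxy for SCEP enrollment
http_proxy=http://proxyuser:proxypassword@proxyserver:proxyport'

# Read env-file text on stdin, print one defined variable name per line.
envfile_names() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) ;;                          # blank or comment
            *=*) printf '%s\n' "${line%%=*}" ;;       # text before first '='
        esac                                          # no '=': ignored
    done
}

# Succeed if the env-file text on stdin defines the variable named in $1.
envfile_defines() {
    envfile_names | grep -qxF -- "$1"
}

# Show the result for both samples.
for sample in "$SAMPLE_UNIT_STYLE" "$SAMPLE_PLAIN"; do
    printf 'defines: %s\n' "$(printf '%s\n' "$sample" | envfile_names | tr '\n' ' ')"
done
```

systemd.exec(5) also notes that variables set with Environment= are exposed to unprivileged clients over D-Bus, so a proxy password written directly into the unit is readable by local users.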

Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-04 Thread Alexander Bokovoy

On Thu, 04 Aug 2016, Marx, Peter wrote:

>I tried it and found out it can't work this way - when issuing a CSR
>with getcert, the parameters of this request are normally handed over
>by getcert to the scep-submit helper. I see no way to intercept these
>parameters and pass them to the proxy-shellscript. Only the -u
>parameter is known beforehand, as it is configured in the ca description
>file or in the proxy shellscript itself.

On systemd-enabled systems certmonger runs as a service. You can affect
the environment of the service by adding files ending in .conf in
/etc/systemd/system/certmonger.service.d/

See systemd.service and systemd.unit man pages.

>
>Peter
>
>-Original Message-
>From: Rob Crittenden [mailto:rcrit...@redhat.com]
>Sent: Wednesday, August 03, 2016 3:52 PM
>To: Marx, Peter; 'freeipa-devel@redhat.com'
>Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?
>
>Marx, Peter wrote:
>> Hi,
>>
>> I have to access an external PKI server with SCEP protocol through our
>> corporate proxy.  On command line I can set the proxy and trigger a
>> CSR with the scep-submit helper successfully.
>
>What are you setting, environment variables I assume?
>
>> But same operation with getcert fails, as there is no proxy
>> configuration possibility in e.g. certmonger.conf.
>>
>> How can I work around this ?
>
>A quick kludge might be to replace scep-submit with a shell script that exports 
>the proxy config and then calls the real scep-submit.
>
>A perhaps better and more supportable idea would be to add a CA pointing to 
>this new helper, something like:
>
>getcert add-ca -c exampleSCEPca -e \
>  "/usr/libexec/certmonger/scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe"
>
>So scep-submit-proxy would set up the environment and call scep-submit.
>
>rob





--
/ Alexander Bokovoy



Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-03 Thread Rob Crittenden

Marx, Peter wrote:

> Hi,
>
> I have to access an external PKI server with SCEP protocol through our
> corporate proxy.  On command line I can set the proxy and trigger a CSR
> with the scep-submit helper successfully.

What are you setting, environment variables I assume?

> But same operation with getcert fails, as there is no proxy
> configuration possibility in e.g. certmonger.conf.
>
> How can I work around this ?

A quick kludge might be to replace scep-submit with a shell script that 
exports the proxy config and then calls the real scep-submit.

A perhaps better and more supportable idea would be to add a CA pointing 
to this new helper, something like:

getcert add-ca -c exampleSCEPca -e \
  "/usr/libexec/certmonger/scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe"

So scep-submit-proxy would set up the environment and call scep-submit.

rob



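
The wrapper helper described in the message above, as an added example (not code from the thread or from certmonger): it loads the proxy URL from a private file rather than embedding credentials in the script or the CA definition, then execs the real helper with the caller's arguments and environment unchanged. The paths /usr/libexec/certmonger/scep-submit and /etc/certmonger/scep-proxy.url and the function names are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical scep-submit-proxy wrapper (not certmonger code).
# Assumed paths; override through the environment if your layout differs.
REAL_HELPER="${REAL_HELPER:-/usr/libexec/certmonger/scep-submit}"
PROXY_FILE="${PROXY_FILE:-/etc/certmonger/scep-proxy.url}"

# Succeed only for a regular, non-symlink file owned by the invoking user
# with no group/other permission bits, so the proxy password stays private
# and no other account can redirect enrollment traffic.
proxy_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(ls -ldn "$1")          # fields: mode links uid gid ...
    case "$1" in
        -???------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# Export the first line of the file as the proxy URL that libcurl reads.
load_proxy_env() {
    if ! proxy_file_is_private "$1"; then
        echo "refusing $1: not a private regular file" >&2
        return 1
    fi
    IFS= read -r url < "$1" || [ -n "$url" ] || return 1
    case "$url" in
        http://*|https://*) ;;
        *) echo "refusing $1: not an http(s) proxy URL" >&2; return 1 ;;
    esac
    http_proxy=$url
    https_proxy=$url
    export http_proxy https_proxy
}

# Act as the helper only when installed under this name. The caller's
# arguments ("$@") and environment pass through to the real helper unchanged.
if [ "${0##*/}" = "scep-submit-proxy" ]; then
    load_proxy_env "$PROXY_FILE" || exit 1
    exec "$REAL_HELPER" "$@"
fi
```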


[Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-03 Thread Marx, Peter
Hi,

I have to access an external PKI server with SCEP protocol through our 
corporate proxy.  On command line I can set the proxy and trigger a CSR with 
the scep-submit helper successfully.

But same operation with getcert fails, as there is no proxy configuration 
possibility in e.g. certmonger.conf.

How can I work around this ?

Peter
