Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/03/2014 09:23 PM, Rob Crittenden wrote:
> No longer request and install a cert for the IPA client machine.
>
> https://fedorahosted.org/freeipa/ticket/4449

ACK

Pushed to:
master: c1bf5203937827369c7ce023d03c75d2da6d83ee
ipa-4-1: 058c1f453c4e2df38eec57ba605cd5dc492eb978
ipa-4-0: 2dd2fd7e1aa470ea8fa3fd09ebecacec7ee8bc77

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 05 Sep 2014, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>
>>>>>> rob
>>>>>
>>>>> The original plan was to keep generating the certificate, but in
>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>
>>>>> I'm fine with either approach.
>>>>
>>>> The cert has never been used and is now actively causing issues in
>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>> the location, but IMHO its time has come.
>>>>
>>>> rob
>>>
>>> One change that Rob's patch also does is that from now on, certmonger
>>> would not be enabled and running by default on client machines. It would
>>> only be enabled on IPA server.
>>>
>>> I am still not confident about the resolution to just stop generating the
>>> certificate, I was leaning more towards making it optional + generating to
>>> better database as Honza proposed.
>>>
>>> Simo, Alexander, what is your take on this?
>> I'm fine with making it optional. However, on client machine upgrades do
>> not stop and disable certmonger if it is tracking more than just the
>> host certificate.
>
> Well, that is unrelated to this change. Should that be a separate ticket?

A separate ticket is fine too.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Martin Kosek wrote:
> On 09/05/2014 03:15 PM, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> The original plan was to keep generating the certificate, but in
>>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>>
>>>>>> I'm fine with either approach.
>>>>>
>>>>> The cert has never been used and is now actively causing issues in
>>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>>> the location, but IMHO its time has come.
>>>>>
>>>>> rob
>>>>
>>>> One change that Rob's patch also does is that from now on, certmonger
>>>> would not be enabled and running by default on client machines. It would
>>>> only be enabled on IPA server.
>>>>
>>>> I am still not confident about the resolution to just stop generating the
>>>> certificate, I was leaning more towards making it optional + generating to
>>>> better database as Honza proposed.
>>>>
>>>> Simo, Alexander, what is your take on this?
>>> I'm fine with making it optional. However, on client machine upgrades do
>>> not stop and disable certmonger if it is tracking more than just the
>>> host certificate.
>>>
>>
>> Well, that is unrelated to this change. Should that be a separate ticket?
>>
>> rob
>>
>
> I see it as very related. If we choose to do this optionally, instead of
> removing the code, we would do it conditionally (with different NSS
> database).

I'd prefer to remove it altogether and potentially add it back
conditionally if anyone notices.

> But so far, it seems we chose to simply remove the code, i.e. no
> ticket needed.

Alexander is pointing out that we disable certmonger at the end of
ipa-client-install and this is not good if certmonger is tracking anything
else (IPA or otherwise).

This is a good point but not related to whether we issue and track a cert
ourselves. In fact, to expand on his concerns, it is probably wise to do
something similar to what we do in ipa-server-install during uninstall
where we list the still-tracked certs for further investigation.

rob
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/05/2014 03:15 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>
>>>>>> rob
>>>>>
>>>>> The original plan was to keep generating the certificate, but in
>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>
>>>>> I'm fine with either approach.
>>>>
>>>> The cert has never been used and is now actively causing issues in
>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>> the location, but IMHO its time has come.
>>>>
>>>> rob
>>>
>>> One change that Rob's patch also does is that from now on, certmonger
>>> would not be enabled and running by default on client machines. It would
>>> only be enabled on IPA server.
>>>
>>> I am still not confident about the resolution to just stop generating the
>>> certificate, I was leaning more towards making it optional + generating to
>>> better database as Honza proposed.
>>>
>>> Simo, Alexander, what is your take on this?
>> I'm fine with making it optional. However, on client machine upgrades do
>> not stop and disable certmonger if it is tracking more than just the
>> host certificate.
>>
>
> Well, that is unrelated to this change. Should that be a separate ticket?
>
> rob
>

I see it as very related. If we choose to do this optionally, instead of
removing the code, we would do it conditionally (with different NSS
database). But so far, it seems we chose to simply remove the code, i.e.
no ticket needed.

Martin
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Alexander Bokovoy wrote:
> On Fri, 05 Sep 2014, Martin Kosek wrote:
>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>>> No longer request and install a cert for the IPA client machine.
>>>>>
>>>>> rob
>>>>
>>>> The original plan was to keep generating the certificate, but in
>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>
>>>> I'm fine with either approach.
>>>
>>> The cert has never been used and is now actively causing issues in
>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>> the location, but IMHO its time has come.
>>>
>>> rob
>>
>> One change that Rob's patch also does is that from now on, certmonger
>> would not be enabled and running by default on client machines. It would
>> only be enabled on IPA server.
>>
>> I am still not confident about the resolution to just stop generating the
>> certificate, I was leaning more towards making it optional + generating to
>> better database as Honza proposed.
>>
>> Simo, Alexander, what is your take on this?
> I'm fine with making it optional. However, on client machine upgrades do
> not stop and disable certmonger if it is tracking more than just the
> host certificate.
>

Well, that is unrelated to this change. Should that be a separate ticket?

rob
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 2014-09-05 at 10:43 +0200, Martin Kosek wrote:
> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>> No longer request and install a cert for the IPA client machine.
>>>>
>>>> rob
>>>
>>> The original plan was to keep generating the certificate, but in
>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>
>>> I'm fine with either approach.
>>>
>>
>> The cert has never been used and is now actively causing issues in
>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>> the location, but IMHO its time has come.
>>
>> rob
>
> One change that Rob's patch also does is that from now on, certmonger
> would not be enabled and running by default on client machines. It would
> only be enabled on IPA server.
>
> I am still not confident about the resolution to just stop generating the
> certificate, I was leaning more towards making it optional + generating to
> better database as Honza proposed.
>
> Simo, Alexander, what is your take on this?

I'm with Rob, do not enable and fetch certs we are not going to use, this
will also make the list of certs in the server more relevant.

Simo.
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 05 Sep 2014, Martin Kosek wrote:
> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>>> No longer request and install a cert for the IPA client machine.
>>>>
>>>> rob
>>>
>>> The original plan was to keep generating the certificate, but in
>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>
>>> I'm fine with either approach.
>>
>> The cert has never been used and is now actively causing issues in
>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>> the location, but IMHO its time has come.
>>
>> rob
>
> One change that Rob's patch also does is that from now on, certmonger
> would not be enabled and running by default on client machines. It would
> only be enabled on IPA server.
>
> I am still not confident about the resolution to just stop generating the
> certificate, I was leaning more towards making it optional + generating to
> better database as Honza proposed.
>
> Simo, Alexander, what is your take on this?

I'm fine with making it optional. However, on client machine upgrades do
not stop and disable certmonger if it is tracking more than just the
host certificate.

--
/ Alexander Bokovoy
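Two points in this thread describe one check: Alexander's (above) that client uninstall must not stop and disable certmonger when it tracks more than the host certificate, and Rob's (earlier on the page) that the uninstall should list the still-tracked certs the way ipa-server-install does. The following is an added example of that check, written for this page in Python 3; it is not FreeIPA's code. It parses the text that `getcert list` prints and refuses to disable certmonger when anything but the client's own host certificate is tracked. The sample `getcert list` output is constructed for the example, and the OWN_LOCATION / OWN_NICKNAME_FORMAT values (the legacy nickname and /etc/pki/nssdb location discussed in the thread) are assumptions of the example, not the project's constants.

```python
"""Check what certmonger still tracks before a client uninstall disables it.

Added example for this thread, not FreeIPA's own code.  Parses the text
printed by `getcert list` (a "Request ID '...':" header followed by
indented "key: value" lines per request) and treats every tracked
certificate other than the client's own host certificate as a reason to
leave certmonger running, listing the leftovers for investigation.
"""
import re
import socket
import subprocess
from typing import Dict, List, Optional, Tuple

OWN_LOCATION = "/etc/pki/nssdb"                       # assumed legacy database
OWN_NICKNAME_FORMAT = "IPA Machine Certificate - %s"  # assumed legacy nickname

_REQUEST_HDR = re.compile(r"^Request ID '(?P<id>[^']+)':")
_STORAGE = re.compile(
    r"type=(?P<type>\w+),location='(?P<location>[^']*)'"
    r"(?:,nickname='(?P<nickname>[^']*)')?")

# Constructed sample: the client's own host cert plus an unrelated
# file-based certificate that some other service asked certmonger to renew.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140905120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=client.example.com,O=EXAMPLE.COM
\texpires: 2016-09-05 12:00:00 UTC
\tauto-renew: yes
Request ID '20140905120100':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
\tCA: IPA
\tsubject: CN=client.example.com,O=EXAMPLE.COM
\texpires: 2016-09-05 12:01:00 UTC
\tauto-renew: yes
"""


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict of fields per request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        hdr = _REQUEST_HDR.match(line)
        if hdr:
            current = {"id": hdr.group("id")}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble such as "Number of certificates ... tracked: 2."
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def certificate_storage(req: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Return (type, location, nickname) of the request's certificate."""
    m = _STORAGE.search(req.get("certificate", ""))
    if m is None:
        return None
    return m.group("type"), m.group("location"), m.group("nickname") or ""


def foreign_requests(requests: List[Dict[str, str]], hostname: str) -> List[Dict[str, str]]:
    """Tracked requests that are not the client's own host certificate."""
    own = (OWN_LOCATION, OWN_NICKNAME_FORMAT % hostname)
    foreign = []
    for req in requests:
        storage = certificate_storage(req)
        # Unparseable storage counts as foreign: when in doubt, keep certmonger.
        if storage is None or storage[1:] != own:
            foreign.append(req)
    return foreign


def may_disable_certmonger(text: str, hostname: str) -> bool:
    """True only when nothing but our own host certificate is tracked."""
    return not foreign_requests(parse_getcert_list(text), hostname)


def describe(req: Dict[str, str]) -> str:
    """One log line per still-tracked request, for the uninstall output."""
    storage = certificate_storage(req)
    where = "unknown storage" if storage is None else ("%s %s %s" % storage).strip()
    return "Request ID %s: %s (status %s, CA %s)" % (
        req["id"], where, req.get("status", "?"), req.get("CA", "?"))


def main() -> None:
    try:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
        hostname = socket.getfqdn()
    except (OSError, subprocess.CalledProcessError):
        text, hostname = SAMPLE_GETCERT_LIST, "client.example.com"  # offline demo
    leftovers = foreign_requests(parse_getcert_list(text), hostname)
    if not leftovers:
        print("only our own host certificate is tracked; certmonger may be stopped")
        return
    print("certmonger still tracks %d other request(s); leaving it running:" % len(leftovers))
    for req in leftovers:
        print("  " + describe(req))


if __name__ == "__main__":
    main()
```

The decision is deliberately conservative: a request whose storage line cannot be parsed is treated as foreign, so a format change in `getcert list` degrades to "leave certmonger running" rather than to silently disabling renewal for some other service's certificate.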
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/04/2014 05:13 PM, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> On 3.9.2014 21:23, Rob Crittenden wrote:
>>> No longer request and install a cert for the IPA client machine.
>>>
>>> rob
>>
>> The original plan was to keep generating the certificate, but in
>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>
>> I'm fine with either approach.
>>
>
> The cert has never been used and is now actively causing issues in
> RHEL-7 with systemd and kickstart. It could be made optional, and move
> the location, but IMHO its time has come.
>
> rob

One change that Rob's patch also does is that from now on, certmonger
would not be enabled and running by default on client machines. It would
only be enabled on IPA server.

I am still not confident about the resolution to just stop generating the
certificate, I was leaning more towards making it optional + generating to
better database as Honza proposed.

Simo, Alexander, what is your take on this?

Thanks,
Martin
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Jan Cholasta wrote:
> Hi,
>
> On 3.9.2014 21:23, Rob Crittenden wrote:
>> No longer request and install a cert for the IPA client machine.
>>
>> rob
>
> The original plan was to keep generating the certificate, but in
> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>
> I'm fine with either approach.
>

The cert has never been used and is now actively causing issues in
RHEL-7 with systemd and kickstart. It could be made optional, and move
the location, but IMHO its time has come.

rob
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. -- Jan Cholasta >From 4698fca8d4c749f599f67ee3175a23474dacf953 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 4 Sep 2014 14:24:47 +0200 Subject: [PATCH] Do not use /etc/pki/nssdb for IPA host certificate in ipa-client-install Put the certificate in /etc/ipa/nssdb instead and shorten its nickname. https://fedorahosted.org/freeipa/ticket/4449 --- freeipa.spec.in | 6 +++ ipa-client/ipa-install/ipa-client-install | 69 --- ipaplatform/base/paths.py | 1 + 3 files changed, 61 insertions(+), 15 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5b9fa8e..2d9b7b3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -413,6 +413,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup mkdir -p %{buildroot}%{_sysconfdir}/ipa/ /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt +install -d -m 755 %{buildroot}%{_sysconfdir}/ipa/nssdb mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore %if ! %{ONLY_CLIENT} @@ -782,6 +783,11 @@ fi %dir %attr(0755,root,root) %{_sysconfdir}/ipa/ %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %if ! %{ONLY_CLIENT} %files tests -f tests-python.list diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 617db26..82ca904 100755 
--- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -73,7 +73,7 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS -client_nss_nickname_format = 'IPA Machine Certificate - %s' +client_nss_nickname = 'This host' def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): @@ -225,8 +225,10 @@ def logging_setup(options): def log_service_error(name, action, error): root_logger.error("%s failed to %s: %s", name, action, str(error)) -def nickname_exists(nickname): -(sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False) +def nickname_exists(nickname, db_dir=paths.NSS_DB_DIR): +(sout, serr, returncode) = run([paths.CERTUTIL, "-L", +"-d", db_dir, +"-n", nickname], raiseonerr=False) if returncode == 0: return True @@ -480,8 +482,6 @@ def uninstall(options, env): if hostname is None: hostname = socket.getfqdn() -client_nss_nickname = client_nss_nickname_format % hostname - # Remove our host cert and CA cert if nickname_exists("IPA CA"): try: 
@@ -505,17 +505,38 @@ def uninstall(options, env): log_service_error(cmonger.service_name, 'start', e) try: -certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) +certmonger.stop_tracking(paths.IPA_NSSDB_DIR, + nickname=client_nss_nickname) except (CalledProcessError, RuntimeError), e: root_logger.error("%s failed to stop tracking certificate: %s", -cmonger.service_name, str(e)) + cmonger.service_name, e) -if nickname_exists(client_nss_nickname): +if nickname_exists(client_nss_nickname, paths.IPA_NSSDB_DIR): try: -run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", client_nss_nickname]) +ipautil.run([paths.CERTUTIL, '-D', + '-d', paths.IPA_NSSDB_DIR, + '-n', client_nss_nickname]) except Exception, e: -root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s", -client_nss_nickname, str(e)) +root_logger.error("Failed to remove %s from %s: %s", + client_nss_nickname, paths.IPA_NSSDB_DIR, e) + +legacy_client_nss_nickname = 'IPA Machine Certificate - %s' % hostname + +try: +certmonger.stop_tracking(paths.NSS_DB_DIR, + nickname=legacy_client_nss_nickname) +except (CalledProcessError, RuntimeError), e: +root_logger.error("%s failed to stop tracking cert
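Review bot: in the freeipa.spec.in hunk at @@ -413,6 +413,7 @@, `install -d -m 755 %{buildroot}%{_sysconfdir}/ipa/nssdb` makes the new database directory world-traversable, so protection of the host key rests entirely on the modes of key3.db and pwdfile.txt that ipa-client-install will create inside it, and that creation code is not part of the visible hunks. Please either state in the commit message that those files are created 0600 root-owned, or make the directory itself 0700 and drop the reliance on per-file modes.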
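Review bot: in the freeipa.spec.in hunk at @@ -782,6 +783,11 @@, the four new %ghost entries carry no %attr, unlike the neighbouring `%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf` lines, so rpm has no recorded expectation for key3.db and pwdfile.txt, the two files that hold the private key and the database password. Suggest `%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db` and the same for pwdfile.txt, with 0644 on cert8.db and secmod.db.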
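Review bot: in the ipa-client-install hunk at @@ -73,7 +73,7 @@, replacing `client_nss_nickname_format = 'IPA Machine Certificate - %s'` with the fixed `client_nss_nickname = 'This host'` removes the only definition of the legacy nickname, which the uninstall hunk then re-inlines as `legacy_client_nss_nickname = 'IPA Machine Certificate - %s' % hostname`. Keep the old format string as a module-level constant next to the new nickname so legacy cleanup and any future migration share one definition.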
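Review bot: in the hunk at @@ -225,8 +225,10 @@, nickname_exists() gains a db_dir parameter but keeps paths.NSS_DB_DIR as the default, so the unchanged `if nickname_exists("IPA CA"):` call in the uninstall context still looks in /etc/pki/nssdb while the host cert moves to paths.IPA_NSSDB_DIR. That is probably intended, since this patch does not move the CA cert, but it is easy to misread; pass db_dir explicitly at every call site, or add a comment at the "IPA CA" check saying the CA cert stays in the system database.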
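Review bot: in the hunk at @@ -505,17 +505,38 @@, the legacy branch calls `certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=legacy_client_nss_nickname)` unconditionally, so unless stop_tracking() tolerates an unknown nickname, every uninstall of a client enrolled with this version (which never tracked the legacy nickname) will log the error from the except branch. Guard it the way the new-database path is guarded, with `nickname_exists(legacy_client_nss_nickname)` against the default /etc/pki/nssdb, or log at debug level. Also, this hunk switches the certutil deletion to `ipautil.run([...])` while nickname_exists() above still uses bare `run([...])`; pick one spelling. The hunk is cut off after the second `root_logger.error(` call, so the rest of the legacy cleanup could not be reviewed here.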