Re: [Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

2013-03-29 Thread Jan Cholasta

On 29.3.2013 11:14, Jan Cholasta wrote:

On 28.3.2013 18:14, Petr Viktorin wrote:

And another update.

Patch 204: Fix default ID range in ipa-server-install
New patch 206: The host plugin assumed cert-* commands are always
available, and failed when removing/updating a host because it could
not revoke the certificate. This leaves out the revocation if there's no
CA.

The tests should pass now.


The Web UI currently assumes cert-* commands are always available. I'm
testing a patch from Petr¹ that will fix this.

Also, clients currently call cert-request via certmonger. This fails. A
patch to not request the host certificate in ipa-client-install is
coming up.
As far as I know, the failing request doesn't hurt anything; old clients
should work fine, certmonger will just spam the syslog.
I'll add steps to remove the request on old clients to the design doc.




Patch 204:

All the validation checks in ipa-server-install should also be done in
ipa-replica-prepare. It is possible to prepare a replica with invalid
certificates, which makes ipa-replica-install fail in the middle of the
install process.

Also I was able to install IPA with revoked certificates, but it doesn't
seem to break anything - the CRL specified in the certificates' CRL
distribution point is not automatically imported into any of the NSS
databases and when it is imported manually, everything still seems to
work fine. I haven't checked OCSP. Can and/or do we want to do something
about this?


Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example" ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.





Patch 205:

Can we instead require the PKCS#12 files to always contain the whole
certificate chain? IMO that way it would be more obvious what should
actually be in the files and it would make things easier should there
ever be need for --root-ca-subject.


Patch 206:

In host_del and host_disable, this doesn't have to be done when
enable_ra is False:

    try:
        (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
    except errors.NotFound:
        self.obj.handle_not_found(*keys)

In host_disable, I think this should be done even when enable_ra is False:

    # Remove the usercertificate altogether
    ldap.update_entry(dn, {'usercertificate': None})


Honza




--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

2013-03-29 Thread Jan Cholasta

On 28.3.2013 18:14, Petr Viktorin wrote:

And another update.

Patch 204: Fix default ID range in ipa-server-install
New patch 206: The host plugin assumed cert-* commands are always
available, and failed when removing/updating a host because it could
not revoke the certificate. This leaves out the revocation if there's no
CA.

The tests should pass now.


The Web UI currently assumes cert-* commands are always available. I'm
testing a patch from Petr¹ that will fix this.

Also, clients currently call cert-request via certmonger. This fails. A
patch to not request the host certificate in ipa-client-install is
coming up.
As far as I know, the failing request doesn't hurt anything; old clients
should work fine, certmonger will just spam the syslog.
I'll add steps to remove the request on old clients to the design doc.




Patch 204:

All the validation checks in ipa-server-install should also be done in
ipa-replica-prepare. It is possible to prepare a replica with invalid 
certificates, which makes ipa-replica-install fail in the middle of the 
install process.


Also I was able to install IPA with revoked certificates, but it doesn't 
seem to break anything - the CRL specified in the certificates' CRL 
distribution point is not automatically imported into any of the NSS 
databases and when it is imported manually, everything still seems to 
work fine. I haven't checked OCSP. Can and/or do we want to do something 
about this?



Patch 205:

Can we instead require the PKCS#12 files to always contain the whole 
certificate chain? IMO that way it would be more obvious what should 
actually be in the files and it would make things easier should there 
ever be need for --root-ca-subject.



Patch 206:

In host_del and host_disable, this doesn't have to be done when 
enable_ra is False:


    try:
        (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
    except errors.NotFound:
        self.obj.handle_not_found(*keys)

In host_disable, I think this should be done even when enable_ra is False:

    # Remove the usercertificate altogether
    ldap.update_entry(dn, {'usercertificate': None})


Honza

--
Jan Cholasta

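Added example, not code from the thread or from FreeIPA: the three pre-install checks the review above asks for on custom server certificates, namely that the certificate carries the server hostname (the check Petr added with python-nss), that the supplied chain is complete up to a self-signed root (the "whole chain in the PKCS#12" point under patch 205), and that the leaf is not listed on its issuer's CRL (the revoked-certificate install Jan reports). It uses the Python `cryptography` package instead of python-nss, builds a throw-away CA, server certs and CRL inline as constructed fixtures, and the hostname ipa.example.com is taken from the quoted error output; everything else is assumed for the demo.

```python
"""Pre-install checks for a custom IPA server certificate chain (added example)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOSTNAME = "ipa.example.com"  # assumed hostname, taken from the quoted error output
NOW = datetime.now(timezone.utc)


def make_ca(name):
    """Constructed fixture: a self-signed ECDSA root CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostname):
    """Constructed fixture: a server cert with the hostname in the SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=90))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials):
    """Constructed fixture: a CRL from the CA listing the given serials."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW - timedelta(minutes=30)).build())
    return builder.sign(ca_key, hashes.SHA256())


def hostname_matches(cert, hostname):
    """Exact match against SAN dNSNames; the subject CN counts only if there is no SAN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    return hostname.lower() in {n.lower() for n in names}


def chain_is_complete(chain):
    """chain[0] is the server cert. Each cert must be signed by the next one
    (ECDSA keys in this demo) and the last one must be a self-signed root."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return chain[-1].issuer == chain[-1].subject


def is_revoked(cert, crl, issuer_cert):
    """Verify the CRL's own signature before trusting what it says."""
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL is not a valid CRL from the certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def validate_server_chain(chain, hostname, crl=None):
    """Return the list of problems found; an empty list means the chain passes."""
    problems = []
    if not hostname_matches(chain[0], hostname):
        problems.append("hostname mismatch")
    if not chain_is_complete(chain):
        problems.append("incomplete or inconsistent chain")
    elif crl is not None and is_revoked(chain[0], crl, chain[1] if len(chain) > 1 else chain[0]):
        problems.append("revoked")
    return problems


def build_demo():
    """Constructed fixtures: CA, a good server cert, a revoked one, and the CRL."""
    ca_key, ca_cert = make_ca("Example Test CA")
    good = issue_server_cert(ca_key, ca_cert, HOSTNAME)
    revoked = issue_server_cert(ca_key, ca_cert, HOSTNAME)
    return ca_cert, good, revoked, make_crl(ca_key, ca_cert, [revoked.serial_number])


if __name__ == "__main__":
    ca_cert, good, revoked, crl = build_demo()
    print("good:", validate_server_chain([good, ca_cert], HOSTNAME, crl) or "OK")
    print("revoked:", validate_server_chain([revoked, ca_cert], HOSTNAME, crl))
    print("leaf only:", validate_server_chain([good], HOSTNAME, crl))
```

The revocation check is only run once the chain verifies, because a CRL is only meaningful relative to an issuer whose key you have already checked; this is also why an installer that skips the chain step, as the thread describes, cannot notice a revoked certificate even when the CRL is sitting next to it.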


Re: [Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

2013-03-28 Thread Petr Viktorin

On 03/28/2013 12:20 PM, Petr Viktorin wrote:

On 03/26/2013 04:48 PM, Petr Viktorin wrote:

[...]


This update adds a check for validity of the server cert's hostname,
using python-nss.



And another update.

Patch 204: Fix default ID range in ipa-server-install
New patch 206: The host plugin assumed cert-* commands are always 
available, and failed when removing/updating a host because it could
not revoke the certificate. This leaves out the revocation if there's no CA.


The tests should pass now.


The Web UI currently assumes cert-* commands are always available. I'm 
testing a patch from Petr¹ that will fix this.


Also, clients currently call cert-request via certmonger. This fails. A 
patch to not request the host certificate in ipa-client-install is 
coming up.
As far as I know, the failing request doesn't hurt anything; old clients 
should work fine, certmonger will just spam the syslog.

I'll add steps to remove the request on old clients to the design doc.

--
Petr³

From 706b6cad1f17c7f285f304f372268547028ac162 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Thu, 14 Mar 2013 13:58:27 +0100
Subject: [PATCH] Support installing with custom SSL certs, without a CA

Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
---
 install/tools/ipa-replica-install|   4 +-
 install/tools/ipa-server-install | 110 ---
 ipaserver/install/certs.py   |  60 +++--
 ipaserver/install/dsinstance.py  |  28 ++--
 ipaserver/install/httpinstance.py|  10 ++-
 ipaserver/install/ipa_replica_prepare.py |  16 +++--
 6 files changed, 197 insertions(+), 31 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 94d60bec64697f775c0303b38f481129d554a0f4..062fa759cd846d8213a5b178d534da7ff2c5fe45 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -560,9 +560,7 @@ def main():
 sstore.backup_state("install", "group_exists", group_exists)
 
 #Automatically disable pkinit w/ dogtag until that is supported
-#[certs.ipa_self_signed() must be called only after api.finalize()]
-if not ipautil.file_exists(config.dir + "/pkinitcert.p12") and not certs.ipa_self_signed():
-options.setup_pkinit = False
+options.setup_pkinit = False
 
 # Install CA cert so that we can do SSL connections with ldap
 install_ca_cert(config)
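Review bot: the comment kept above the change ("Automatically disable pkinit w/ dogtag until that is supported") no longer describes the code. The removed branch only turned PKINIT off when the replica file had no pkinitcert.p12 and the certificates were not self-signed; the new line sets `options.setup_pkinit = False` unconditionally, so a replica prepared with a PKINIT certificate silently loses it and whatever setup_pkinit value the admin passed is overridden without a message. Either keep a file_exists() check on config.dir + "/pkinitcert.p12", or reword the comment to say PKINIT is always disabled on replicas for now and log a warning when it was requested.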
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 73a3665aa624aa31de1fb7df147a21a986f458ba..f5efb7ee5d4ed37dadc46d13ca90e7e17f1c7c8e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -38,6 +38,7 @@ import pickle
 import random
 import tempfile
 import nss.error
+import base64
 from optparse import OptionGroup, OptionValueError, SUPPRESS_HELP
 
 from ipaserver.install import dsinstance
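Review bot: `import base64` is the only change in this hunk and nothing in the parts of the patch visible here uses it; if a later hunk needs it, fine, otherwise drop it so ipa-server-install does not accumulate unused imports.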
@@ -60,7 +61,7 @@ from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
 from ipapython import dogtag
-from ipalib import api, errors, util
+from ipalib import api, errors, util, x509
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
 from ipalib.util import validate_domain_name
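Review bot: after this change `ipalib.x509` is reachable two ways in the same import block, as `x509` here and via the unchanged `from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file` two lines below; pick one form (for example keep the module import and call `x509.load_certificate_from_file(...)`) so the certificate handling in this file uses a single spelling.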
@@ -185,6 +186,8 @@ def parse_options():
   help="The password of the Apache Server PKCS#12 file")
 cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
   help="The password of the Kerberos KDC PKCS#12 file")
+cert_group.add_option("--root-ca-file", dest="root_ca_file",
+  help="PEM file with root CA certificate(s) to trust")
 cert_group.add_option("--subject", action="callback", callback=subject_callback,
   type="string",
   help="The certificate subject base (default O=)")
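Review bot: the new option is spelled `--root-ca-file` with hyphens while its neighbour in the same option group is `--pkinit_pin` with an underscore; if hyphens are the direction the installer is moving, consider registering the underscore spelling as an alias so the certificate options stay consistent for scripts. The help text should also say the file is required together with the PKCS#12 options, since that is what parse_options() enforces and the one-line help is the only place a user will see it before hitting the error.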
@@ -280,15 +283,24 @@ def parse_options():
 if cnt > 0 and cnt < 4:
 parser.error("All PKCS#12 options are required if any are used.")
 
-if (options.external_cert_file or options.external_ca_file) and cnt:
+if options.dirsrv_pkcs12 and not options.root_ca_file:
+parser.error(
+"--root-ca-file must be given with the PKCS#12 options.")
+if options.dirsrv_pkcs12 and not options.root_ca_file:
+parser.error(
+"The PKCS#12 options must be given with --root-ca-file.")
+
+if (options.external_cert_file or options.external_ca_file) and options.dirsrv_pkcs12:
 parser.error(
 "PKCS#12 options cannot be used with the external CA options.")
 
 if options.external_ca:
 if options.external_cert_file:
 parser.error("You cannot specify --external_cert_file together with --external-ca")
 if options.external_ca_file:
 parser.error("You cannot specify --external_ca_file together with --external-ca")
+if options.dirs
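Review bot: the two new checks at the top of this hunk test the same condition, `if options.dirsrv_pkcs12 and not options.root_ca_file:`, so the second error ("The PKCS#12 options must be given with --root-ca-file.") can never fire and passing --root-ca-file without any PKCS#12 file is silently accepted. The second test should be inverted to `if options.root_ca_file and not options.dirsrv_pkcs12:`. Using `options.dirsrv_pkcs12` as the stand-in for "PKCS#12 options given" (here and in the rewritten external-CA check) is fine because the `cnt` check just above already requires all four options together, but a one-line comment saying so would save the next reader from wondering why only one of the four is tested.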