[Freeipa-users] Reports and questions

2010-05-03 Thread Marc Schlinger

Hello,

I tried to install freeipa with certs management. I did manage after a 
problem.


1°) The installation was unable to finish on a French-localized system.
The error at stage [3/15]: configuring certificate server instance was 
something like


java.utils.MissingResourceException can't find bundle for base name 
LogMessages, locale fr_FR.UTF-8

full log at the end

It's a dogtag error but since I had it while installing freeipa, I 
report it to you.


Finally, for the installation I used a fresh Fedora 12 with en_US.UTF-8 
locales, the rpm version was 1.9.0GIT3620135-0.fc12,
and I activated the testing repos as advised in this thread: 
[Freeipa-users] call implemented methods via xml-rpc.


I tried to play a little with certificates, mostly to replace puppet 
certificate management with the freeipa one.
2°) I wasn't able to do an ipa cert-request 
--principal=my/test.domain.com my.csr

I had this error:
ipa: ERROR: Certificate operation cannot be completed: Failure decoding 
Certificate Signing Request


It seems that it was a forgotten line in ipalib/pkcs10.py.
Here's the patch:

--- /tmp/pkcs10.py2010-05-03 16:02:22.929018799 +0200
+++ ipalib/pkcs10.py2010-05-03 16:02:09.855940583 +0200
@@ -52,6 +52,7 @@
 namedtype.NamedType('universalString', 
char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
 namedtype.NamedType('utf8String', 
char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
 namedtype.NamedType('bmpString', 
char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
+namedtype.NamedType('ia5string', 
char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),

 )
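Review bot: the new `ia5string` alternative widens the DirectoryString CHOICE beyond RFC 3280 section 4.1.2.4, which allows only teletexString, printableString, universalString, utf8String and bmpString, so the decoder will now accept subject names a conforming CA would reject; if it is kept as a deliberate leniency for CSRs from tools that emit IA5String, say so in a comment and rename it `ia5String` to match the camelCase of the neighbouring `utf8String` and `bmpString` entries. The hunk also comes without a CSR that fails to decode without it, and "Failure decoding Certificate Signing Request" can equally come from an unexpected PEM label (BEGIN NEW CERTIFICATE REQUEST as written by openssl req -newhdr), so attach a request that reproduces the failure before this is merged.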





That's all for the report; now I have a question:

Is/Will freeipa integrate smart token authentication?
On this page: http://freeipa.org/page/Certificate_Management
you say that "There is no requirement to provision user certificates." 
Smart key authentication requires user certificates.







# File /var/log/pki-ca/catalina.out
28 avr. 2010 16:08:53 org.apache.catalina.core.ApplicationContext log
GRAVE: StandardWrapper.Throwable
java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1539)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1278)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:733)
    at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1103)
    at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1176)
    at com.netscape.certsrv.apps.CMS.getLogMessage(CMS.java:637)
    at com.netscape.cms.servlet.common.Utils.initializeAuthz(Utils.java:89)
    at com.netscape.cms.servlet.base.CMSServlet.init(CMSServlet.java:288)
    at com.netscape.cms.servlet.csadmin.GetStatus.init(GetStatus.java:61)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1139)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:791)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:127)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:636)
28 avr. 2010 16:08:53 org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: Exception lors de l'allocation pour la servlet caGetStatus
java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1539)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1278)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:733)
    at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1103)
    at 
Re: [Freeipa-users] Reports and questions

2010-05-03 Thread Oliver Burtchen
On Monday, 3 May 2010 16:17:18, Marc Schlinger wrote:
 Hello,
 
 I tried to install freeipa with certs management. I did manage after a
 problem.
 
 1°) The installation was unable to finish on a French-localized system.
 The error at stage  [3/15]: configuring certificate server instance was
 something like
 
 java.utils.MissingResourceException can't find bundle for base name
 LogMessages, locale fr_FR.UTF-8
 full log at the end
 
 It's a dogtag error but since I had it while installing freeipa, I
 report it to you.
 

This is a bug I also encountered
https://bugzilla.redhat.com/show_bug.cgi?id=583177

A quick workaround is to set the system locale (system-config-language) to 
English just before ipa-server-install, and switch it back to yours after 
that.

Best regards,
Oli






Re: [Freeipa-users] Reports and questions

2010-05-03 Thread Rob Crittenden

Marc Schlinger wrote:

On 03/05/2010 17:38, Rob Crittenden wrote:

Marc Schlinger wrote:

Hello,

I tried to install freeipa with certs management. I did manage after 
a problem.


1°) The installation was unable to finish on a French-localized 
system.
The error at stage [3/15]: configuring certificate server instance 
was something like


java.utils.MissingResourceException can't find bundle for base name 
LogMessages, locale fr_FR.UTF-8

full log at the end

It's a dogtag error but since I had it while installing freeipa, I 
report it to you.


Finally, for the installation I used a fresh Fedora 12 with 
en_US.UTF-8 locales, the rpm version was 1.9.0GIT3620135-0.fc12,
and I activated the testing repos as advised in this thread: 
[Freeipa-users] call implemented methods via xml-rpc.


Yes, I have this on my list to try to work around. I'm going to set 
the en_US locale while we're installing dogtag, I just don't know what 
this will do post-installation, if things will again blow up.


I opened a new bug on this against dogtag, 
https://bugzilla.redhat.com/show_bug.cgi?id=588375




I tried to play a little with certificates, mostly to replace puppet 
certificate management with the freeipa one.
2°) I wasn't able to do an ipa cert-request 
--principal=my/test.domain.com my.csr

I had this error:
ipa: ERROR: Certificate operation cannot be completed: Failure 
decoding Certificate Signing Request


It seems that it was a forgotten line in ipalib/pkcs10.py.
Here's the patch:

--- /tmp/pkcs10.py2010-05-03 16:02:22.929018799 +0200
+++ ipalib/pkcs10.py2010-05-03 16:02:09.855940583 +0200
@@ -52,6 +52,7 @@
 namedtype.NamedType('universalString', 
char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
 namedtype.NamedType('utf8String', 
char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
 namedtype.NamedType('bmpString', 
char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),
+namedtype.NamedType('ia5string', 
char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
MAX))),

 )


Hmm. The python-pyasn1 x509.py sample has ia5string defined as well 
but it isn't in RFC 3280 as a supported type for DirectoryString. I 
can go ahead and add it in. Can you send me a certificate that is not 
being parsed by the current pkcs10 module?



that's all for the report, now I have a question:

Is/Will freeipa integrate smart token authentication?
On this page: http://freeipa.org/page/Certificate_Management
you say that "There is no requirement to provision user 
certificates." Smart key authentication requires user certificates.


We aren't planning on supporting client certificates for v2. We may 
add support at some point but it hasn't been planned, designed, etc. 
Since we use dogtag if/when we implement support for client certs then 
tokens should be part of that.


rob


Rob,
I'm confused; I'm totally wrong.
This patch is absolutely useless.

The only way to make ipa cert-request go wrong is omitting the -newhdr 
option with openssl; then the header and footer are:


-----BEGIN CERTIFICATE REQUEST-----
MII
-----END CERTIFICATE REQUEST-----

whereas with the -newhdr option we have the header and footer like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MII
-----END NEW CERTIFICATE REQUEST-----


Ok, I thought I handled this, I guess not.



p.s: I really had problems without the ia5string stuff. I'm not crazy! 
am I?


I don't think so, I just didn't run into it myself. It could be because 
you use openssl to create the CSR and I used the NSS tools. Or it could 
be because your locale is different, or the phase of the moon, who knows 
:-) The pyasn1 guys have a code comment questioning why ia5string is 
needed as well:  # hm, this should not be here!? XXX If we're going to 
get requests with ia5strings I'm ok with adding support to the parser.


The reason I asked for the cert sample was so I would be able to test 
the fix end-to-end, and perhaps incorporate it into our test suite.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
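Added example (not code from this thread or from ipalib): a stdlib-only check that accepts both PEM labels Marc describes, BEGIN CERTIFICATE REQUEST and BEGIN NEW CERTIFICATE REQUEST, and then walks the DER to report which ASN.1 string types a request actually uses, so a CSR carrying an IA5String can be spotted before deciding whether the pkcs10 parser needs the extra choice. The embedded DER is a constructed bare X.501 Name rather than a real CSR, and all function names are my own.

```python
import base64
import re
# DirectoryString choice tags (RFC 3280 4.1.2.4) plus IA5String (0x16), which is not one of them.
STRING_TAGS = {0x0C: "utf8String", 0x13: "printableString", 0x14: "teletexString",
               0x16: "ia5String", 0x1C: "universalString", 0x1E: "bmpString"}
# openssl req writes "NEW CERTIFICATE REQUEST" with -newhdr, the plain label without.
_PEM_RE = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
                     r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def pem_to_der(text):
    # Accept either CSR PEM label; return (label, DER bytes) or raise ValueError.
    m = _PEM_RE.search(text)
    if not m or m.group(1) != m.group(3):
        raise ValueError("no CSR PEM block with matching BEGIN/END labels")
    label = ("NEW " if m.group(1) else "") + "CERTIFICATE REQUEST"
    return label, base64.b64decode("".join(m.group(2).split()))

def string_types(der):
    # Walk the whole DER tree and collect the names of the string tags it uses.
    found = set()
    def walk(start, end):
        pos = start
        while pos < end:
            tag, length, pos = der[pos], der[pos + 1], pos + 2
            if length & 0x80:                        # long-form length
                n = length & 0x7F
                length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
            if pos + length > end:
                raise ValueError("DER length overruns its container")
            if tag & 0x20:                           # constructed: recurse
                walk(pos, pos + length)
            elif tag in STRING_TAGS:
                found.add(STRING_TAGS[tag])
            pos += length
    walk(0, len(der))
    return found

def check_csr(text):
    label, der = pem_to_der(text)
    if not der or der[0] != 0x30:
        raise ValueError("CSR DER does not start with a SEQUENCE")
    kinds = sorted(string_types(der))
    return {"label": label, "string_types": kinds, "needs_ia5string": "ia5String" in kinds}

# Constructed sample (not a real CSR): a bare X.501 Name, CN=test.domain.com as an IA5String.
SAMPLE_DER = bytes.fromhex("301a311830160603550403160f746573742e646f6d61696e2e636f6d")
def sample_pem(newhdr):
    label = ("NEW " if newhdr else "") + "CERTIFICATE REQUEST"
    b64 = base64.b64encode(SAMPLE_DER).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)
```

Run check_csr() on a request that fails in ipa cert-request: a "needs_ia5string" of True points at the DirectoryString CHOICE, while a ValueError from pem_to_der points at the PEM label instead.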


Re: [Freeipa-users] Reports and questions

2010-05-03 Thread John Dennis

On 05/03/2010 01:23 PM, Rob Crittenden wrote:

Marc Schlinger wrote:

p.s: I really had problems without the ia5string stuff. I'm not crazy!
am I?


I don't think so, I just didn't run into it myself. It could be because
you use openssl to create the CSR and I used the NSS tools. Or it could
be because your locale is different, or the phase of the moon, who knows
:-) The pyasn1 guys have a code comment questioning why ia5string is
needed as well: # hm, this should not be here!? XXX If we're going to
get requests with ia5strings I'm ok with adding support to the parser.

The reason I asked for the cert sample was so I would be able to test
the fix end-to-end, and perhaps incorporate it into our test suite.



I would hold off making any fixes to the parser you wrote. I've got an 
update to python-nss coming soon which fully supports certificate 
loading, decoding and inspection using NSS entry points. It properly (or 
so I hope) handles all the variants (which are numerous) including 
ia5string.


We should converge on using NSS for everything, the update will get us a 
lot closer to that goal.


--
John Dennis jden...@redhat.com
