[Freeipa-users] Reports and questions
Hello, I tried to install freeipa with certs management. I did manage after a problem. 1°) The installation was unable to finished on a french localized system. The error at stage [3/15]: configuring certificate server instance was something like java.utils.MissingResourceException can't find bundle for base name LogMessages, locale fr_FR.UTF-8 full log at then end It's a dogtag error but since I had it while installing freeipa, I report it to you. Finally, for the installation i used a fresh fedora 12 with en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12, and I activate the testing repos as advised in this thread: [Freeipa-users] call implemented methods via xml-rpc. I tried to play a little with certificates mostly to replace puppet certificate management by the freeipa ones 2°) I wasn't able to do a ipa cert-request --principal=my/test.domain.com my.csr I had this error: ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request It seems that it was a forgetten line in ipalib/pkcs10.py here's the patch: --- /tmp/pkcs10.py2010-05-03 16:02:22.929018799 +0200 +++ ipalib/pkcs10.py2010-05-03 16:02:09.855940583 +0200 @@ -52,6 +52,7 @@ namedtype.NamedType('universalString', char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), namedtype.NamedType('utf8String', char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), namedtype.NamedType('bmpString', char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), +namedtype.NamedType('ia5string', char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), ) that's all for the report, now I have a question: Is/Will freeipa integrate smart token authentication? In this page : http://freeipa.org/page/Certificate_Management You said that There is no requirement to provision user certificates.. Smart key authentication require user certificates. # File /var/log/pki-ca/catalina.out 28 avr. 2010 16:08:53 org.apache.catalina.core.ApplicationContext log GRAVE: StandardWrapper.Throwable java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1539) at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1278) at java.util.ResourceBundle.getBundle(ResourceBundle.java:733) at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1103) at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1176) at com.netscape.certsrv.apps.CMS.getLogMessage(CMS.java:637) at com.netscape.cms.servlet.common.Utils.initializeAuthz(Utils.java:89) at com.netscape.cms.servlet.base.CMSServlet.init(CMSServlet.java:288) at com.netscape.cms.servlet.csadmin.GetStatus.init(GetStatus.java:61) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1139) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:791) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:127) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:636) 28 avr. 2010 16:08:53 org.apache.catalina.core.StandardWrapperValve invoke GRAVE: Exception lors de l'allocation pour la servlet caGetStatus java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1539) at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1278) at java.util.ResourceBundle.getBundle(ResourceBundle.java:733) at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1103) at
Re: [Freeipa-users] Reports and questions
Am Montag, 3. Mai 2010 16:17:18 schrieb Marc Schlinger: Hello, I tried to install freeipa with certs management. I did manage after a problem. 1°) The installation was unable to finished on a french localized system. The error at stage [3/15]: configuring certificate server instance was something like java.utils.MissingResourceException can't find bundle for base name LogMessages, locale fr_FR.UTF-8 full log at then end It's a dogtag error but since I had it while installing freeipa, I report it to you. This is a bug I also encountered https://bugzilla.redhat.com/show_bug.cgi?id=583177 Quick workaround is to set the system locale (system-config-language) to english just before ipa-server-install, and switch it back to yours after that. Best regards, Oli Finally, for the installation i used a fresh fedora 12 with en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12, and I activate the testing repos as advised in this thread: [Freeipa-users] call implemented methods via xml-rpc. I tried to play a little with certificates mostly to replace puppet certificate management by the freeipa ones 2°) I wasn't able to do a ipa cert-request --principal=my/test.domain.com my.csr I had this error: ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request It seems that it was a forgetten line in ipalib/pkcs10.py here's the patch: --- /tmp/pkcs10.py2010-05-03 16:02:22.929018799 +0200 +++ ipalib/pkcs10.py2010-05-03 16:02:09.855940583 +0200 @@ -52,6 +52,7 @@ namedtype.NamedType('universalString', char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1 , MAX))), namedtype.NamedType('utf8String', char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), namedtype.NamedType('bmpString', char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), +namedtype.NamedType('ia5string', char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), ) that's all for the report, now I have a question: Is/Will freeipa integrate smart token authentication? In this page : http://freeipa.org/page/Certificate_Management You said that There is no requirement to provision user certificates.. Smart key authentication require user certificates. # File /var/log/pki-ca/catalina.out 28 avr. 2010 16:08:53 org.apache.catalina.core.ApplicationContext log GRAVE: StandardWrapper.Throwable java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java: 1539) at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1278) at java.util.ResourceBundle.getBundle(ResourceBundle.java:733) at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1103) at com.netscape.cmscore.apps.CMSEngine.getLogMessage(CMSEngine.java:1176) at com.netscape.certsrv.apps.CMS.getLogMessage(CMS.java:637) at com.netscape.cms.servlet.common.Utils.initializeAuthz(Utils.java:89) at com.netscape.cms.servlet.base.CMSServlet.init(CMSServlet.java:288) at com.netscape.cms.servlet.csadmin.GetStatus.init(GetStatus.java:61) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1 139) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:791) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.j ava:127) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.j ava:172) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:12 7) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:11 7) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.jav a:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.process Connection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.ja va:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerW orkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.ja va:689) at java.lang.Thread.run(Thread.java:636) 28 avr. 2010 16:08:53 org.apache.catalina.core.StandardWrapperValve invoke GRAVE: Exception lors de l'allocation pour la servlet caGetStatus java.util.MissingResourceException: Can't find bundle for base name LogMessages, locale fr_FR at
Re: [Freeipa-users] Reports and questions
Marc Schlinger wrote: Le 03/05/2010 17:38, Rob Crittenden a écrit : Marc Schlinger wrote: Hello, I tried to install freeipa with certs management. I did manage after a problem. 1°) The installation was unable to finished on a french localized system. The error at stage [3/15]: configuring certificate server instance was something like java.utils.MissingResourceException can't find bundle for base name LogMessages, locale fr_FR.UTF-8 full log at then end It's a dogtag error but since I had it while installing freeipa, I report it to you. Finally, for the installation i used a fresh fedora 12 with en_US.UTF-8 locales, rpms version was 1.9.0GIT3620135-0.fc12, and I activate the testing repos as advised in this thread: [Freeipa-users] call implemented methods via xml-rpc. Yes, I have this on my list to try to work around. I'm going to set the en_US locale while we're installing dogtag, I just don't know what this will do post-installation, if things will again blow up. I opened a new bug on this against dogtag, https://bugzilla.redhat.com/show_bug.cgi?id=588375 I tried to play a little with certificates mostly to replace puppet certificate management by the freeipa ones 2°) I wasn't able to do a ipa cert-request --principal=my/test.domain.com my.csr I had this error: ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request It seems that it was a forgetten line in ipalib/pkcs10.py here's the patch: --- /tmp/pkcs10.py2010-05-03 16:02:22.929018799 +0200 +++ ipalib/pkcs10.py2010-05-03 16:02:09.855940583 +0200 @@ -52,6 +52,7 @@ namedtype.NamedType('universalString', char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), namedtype.NamedType('utf8String', char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), namedtype.NamedType('bmpString', char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), +namedtype.NamedType('ia5string', char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, MAX))), ) Hmm. The python-pyasn1 x509.py sample has ia5string defined as well but it isn't in RFC 3280 as a supported type for DirectoryString. I can go ahead and add it in. Can you send me a certificate that is not being parsed by the current pkcs10 module? that's all for the report, now I have a question: Is/Will freeipa integrate smart token authenticaurbeion? In this page : http://freeipa.org/page/Certificate_Management You said that There is no requirement to provision user certificates.. Smart key authentication require user certificates. We aren't planning on supporting client certificates for v2. We may add support at some point but it hasn't been planned, designed, etc. Since we use dogtag if/when we implement support for client certs then tokens should be part of that. rob Rob, I'am confused, I'm totally wrong. This patch is absolutly useless. the only way to make ipa cert-request going wrong is omitting -newhdr option whith openssl then the header and footer: -BEGIN CERTIFICATE REQUEST- MII -END CERTIFICATE REQUEST- whereas with the newhdr option we have the header and footer like this: -BEGIN NEW CERTIFICATE REQUEST- MII -END NEW CERTIFICATE REQUEST- Ok, I thought I handled this, I guess not. p.s: I really had problems without the ia5string stuff. I'm not crazy! am I? I don't think so, I just didn't run into it myself. It could be because you use openssl to create the CSR and I used the NSS tools. Or it could be because your locale is different, or the phase of the moon, who knows :-) The pyasn1 guys have a code comment questioning why ia5string is needed as well: # hm, this should not be here!? XXX If we're going to get requests with ia5strings I'm ok with adding support to the parser. The reason I asked for the cert sample was so I would be able to test the fix end-to-end, and perhaps incorporate it into our test suite. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Reports and questions
On 05/03/2010 01:23 PM, Rob Crittenden wrote: Marc Schlinger wrote: p.s: I really had problems without the ia5string stuff. I'm not crazy! am I? I don't think so, I just didn't run into it myself. It could be because you use openssl to create the CSR and I used the NSS tools. Or it could be because your locale is different, or the phase of the moon, who knows :-) The pyasn1 guys have a code comment questioning why ia5string is needed as well: # hm, this should not be here!? XXX If we're going to get requests with ia5strings I'm ok with adding support to the parser. The reason I asked for the cert sample was so I would be able to test the fix end-to-end, and perhaps incorporate it into our test suite. I would hold off making any fixes to the parser you wrote. I've got an update to python-nss coming soon which fully supports certificate loading, decoding and inspection using NSS entry points. It properly (or so I hope) handles all the variants (which are numerous) including ia5string. We should converge on using NSS for everything, the update will get us a lot closer to that goal. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users