[Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas

Martin Kosek mkosek at redhat.com
Thu Jun 23 12:41:06 UTC 2011


On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote:
> A dogtag replica file is created as usual. When the replica is installed 
> dogtag is optional and not installed by default. Adding the --setup-ca 
> option will configure it when the replica is installed.
> 
> A new tool ipa-ca-install will configure dogtag if it wasn't configured 
> when the replica was initially installed.
> 
> https://fedorahosted.org/freeipa/ticket/1251
> 
> See the ticket for testing suggestions.
> 
> rob

I have found some issues with the patch:

1) Man page:
- missing man file in man folder's Makefile.am
- missing man file in the spec -> man is not installed

2) Missing ipa-ca-install in install/po/Makefile.in

3) ipa-ca-install:
- expand_info, read_info, get_host_name or install_ca: these functions are
copied from the ipa-replica-install tool. Having a lot of redundant code
leads to the dark side. Calling these functions from a common library
seems more convenient to me.

4) man ipa-ca-install:

+\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR

is not consistent with

+\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=
\fIADMIN_PASSWORD\fR

(missing DM_PASSWORD placeholder after "-p")


5) Now the real problem - when I was installing a replica I got a strange
error:

# ipa-replica-install /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca -w secret123
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'vm-099.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos (88): OK
   PKI-CA: Directory Service port (7389): OK
   PKI-CA: Agent secure port (9443): OK
   PKI-CA: EE secure port (9444): OK
   PKI-CA: Admin secure port (9445): OK
   PKI-CA: EE secure client auth port (9446): OK
   PKI-CA: Unsecure port (9180): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'vm-060.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos (88): OK
   PKI-CA: Directory Service port (7389): OK
   PKI-CA: Agent secure port (9443): OK
   PKI-CA: EE secure port (9444): OK
   PKI-CA: Admin secure port (9445): OK
   PKI-CA: EE secure client auth port (9446): OK
   PKI-CA: Unsecure port (9180): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
creation of replica failed: Incorrect padding

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


/var/log/ipareplica-install.log:
...
2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil
-d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a
2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M
TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M
dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M
RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M
b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M
8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M
TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M
jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M
3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M
h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M
5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M
vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M
bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M
AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M
AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M
p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M
Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M
uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M
oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M
HMOJrmcjFGoa/eL65JwmiFVl
-----END CERTIFICATE-----

2011-06-23 08:37:35,908 DEBUG stderr=
2011-06-23 08:37:35,914 DEBUG Incorrect padding
  File "/usr/sbin/ipa-replica-install", line 560, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 502, in main
    (CA, cs) = install_ca(config)

  File "/usr/sbin/ipa-replica-install", line 173, in install_ca
    cs.load_pkcs12()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 325, in load_pkcs12
    self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 449, in get_cert_from_db
    dercert = base64.b64decode(cert)

  File "/usr/lib64/python2.7/base64.py", line 76, in b64decode
    raise TypeError(msg)


Any idea what could cause this? This was run on clean VMs with your
patch on top of master branch.

Martin
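An added example, not code from Rob's patch or from anyone in this thread (Python 3; the validate= keyword it uses does not exist on the Python 2.7 shown in the traceback). It reproduces the "Incorrect padding" symptom by handing base64.b64decode the whole PEM text that `certutil -L -n <nick> -a` prints, with CRLF line endings like the ^M characters in the log, and contrasts that with a parser that extracts and strictly decodes only the body between the PEM markers. This is one way the symptom arises, not a claim about what happened in the run above: in its default non-strict mode b64decode silently drops '-', spaces, CR and LF, but the letters of BEGIN CERTIFICATE and END CERTIFICATE are valid base64 digits, so they are decoded as data; when the body has no '=' padding (as in the log) the digit count is off and the decoder raises, and when the body does end in '=' the decode stops at the pad and returns wrong bytes without any error. The certificate bytes are constructed, not the one from the log, and make_pem, naive_decode, pem_to_der and strict_result are names I chose.

```python
# Added example (not code from the FreeIPA patch or this thread), Python 3.
# Shows how base64.b64decode reports "Incorrect padding" when it is handed
# the whole PEM text printed by `certutil -L -n <nick> -a`, and a parser that
# strictly decodes only the body between the PEM markers.
import base64
import binascii
import re


def make_pem(der, label="CERTIFICATE", eol="\r\n"):
    """Wrap DER bytes in PEM armor with 64-column lines.

    Constructed test input only; the CRLF line endings mimic the ^M
    characters seen in the certutil output in the log."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join(["-----BEGIN %s-----" % label] + lines
                    + ["-----END %s-----" % label]) + eol


# Constructed sample payloads (not the certificate from the log).
# 66 bytes encode to 88 base64 chars with no '=' padding, like the log's cert;
# 64 bytes encode to 88 chars ending in "==".
DER_NOPAD = bytes(range(66))
DER_PAD = bytes(range(64))


def naive_decode(text):
    """Feed the raw tool output to b64decode without stripping the armor.

    In its default non-strict mode the decoder silently drops '-', ' ', CR
    and LF, but the letters of BEGIN CERTIFICATE (16) and END CERTIFICATE
    (14) are valid base64 digits, so 30 stray digits join the data:
      * body without '=' padding -> data length is 2 mod 4 -> "Incorrect padding"
      * body ending in '='       -> decoding stops at the pad, no error, but
                                   the result carries 12 garbage bytes in front
    Returns ("ok", bytes) or ("error", message)."""
    try:
        return ("ok", base64.b64decode(text))
    except (binascii.Error, TypeError) as exc:  # TypeError is what Python 2.7 raised
        return ("error", str(exc))


def pem_to_der(text, label="CERTIFICATE"):
    """Extract and strictly decode the body of the first PEM block with `label`.

    Whitespace inside the body (LF or CRLF line breaks) is removed; any other
    non-base64 character makes b64decode raise instead of being dropped."""
    pattern = r"-----BEGIN %s-----(.*?)-----END %s-----" % (
        re.escape(label), re.escape(label))
    match = re.search(pattern, text, re.S)
    if match is None:
        raise ValueError("no PEM %s block found" % label)
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def strict_result(text, label="CERTIFICATE"):
    """pem_to_der with failures reported as ("error", message)."""
    try:
        return ("ok", pem_to_der(text, label))
    except (ValueError, binascii.Error) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for name, der in (("no padding", DER_NOPAD), ("with padding", DER_PAD)):
        pem = make_pem(der)
        print("%-12s naive decode:  %s" % (name, naive_decode(pem)[0]))
        print("%-12s strict decode matches: %s" % (name, strict_result(pem)[1] == der))
```

The padded case is the one worth remembering when reviewing code like get_cert_from_db: the lenient decoder does not fail there, it returns a blob with 12 extra bytes in front, so a check on the result (length, or parsing it as DER) catches what the exception does not.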




