[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Rob Crittenden rcritten at redhat.com
Thu Jun 16 13:04:56 UTC 2011


Jan Cholasta wrote:
> On 14.6.2011 15:16, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 6.6.2011 21:25, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>>>>> The goal is to not import foreign certificates.
>>>>>>
>>>>>> This caused a bunch of tests to fail because we had a hardcoded
>>>>>> server
>>>>>> certificate. Instead a developer will need to run make-testcert to
>>>>>> create a server certificate generated by the local CA to test
>>>>>> against.
>>>>>>
>>>>>> ticket 1134
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> NACK
>>>>>
>>>>> The certificate isn't verified in host-add.
>>>>>
>>>>> I suspect that certificates signed by an intermediate CA (i.e. when
>>>>> the
>>>>> certificate chain length > 2) are considered invalid. Is that the
>>>>> desired behavior?
>>>>
>>>> That will work as long as the issuer is the IPA CA. I see that if we
>>>> are
>>>> given a service cert issued by another CA in the chain things could go
>>>> badly. I'm not sure this is something to really worry about though.
>>>
>>> I guess it's not. But I'd like a second opinion on that.
>>
>> We really only want to support those certs we issue otherwise things
>> like revocation get tricky, because we can't manage things we don't
>> issue.
>>
>>>
>>>>
>>>>>
>>>>> make-testcert fails with:
>>>>>
>>>>> Traceback (most recent call last):
>>>>>   File "./make-testcert", line 126, in <module>
>>>>>     sys.exit(makecert(reqdir))
>>>>>   File "./make-testcert", line 105, in makecert
>>>>>     add=True)
>>>>>   File "./make-testcert", line 66, in run
>>>>>     result = self.execute(method, *args, **options)
>>>>>   File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
>>>>>     raise error #pylint: disable=E0702
>>>>> ipalib.errors.CommandError: unknown command 'cert_request'
>>>>>
>>>>> This is probably an error on my part (tried running it on both my
>>>>> machine without IPA installed and on a VM with IPA installed, with no
>>>>> luck), but nonetheless it should be fixed to fail gracefully so that
>>>>> the
>>>>> tests in "make test" have a chance to run. Similarly, the tests which
>>>>> use the test certificate created by make-testcert should be skipped if
>>>>> the certificate isn't available.
>>>>
>>>> You need to take the certificate databases from a self-signed install
>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing.
>>>> There
>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>>>>
>>>> I think this should be mandatory as certificates are a main feature of
>>>> v2.
>>>
>>> No matter what I do, I'm still getting the unknown command error. Can
>>> you describe the steps needed to make make-testcert successfully run?
>>>
>>> BTW, it would be nice if "make test" printed an informational message
>>> when the requirements to run the tests aren't met instead of failing
>>> with some random error.
>>
>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
>> comment out the xmlrpc_uri. This is now caught by the script.
>>
>> rob
>
> These tests fail:
>
> test_host[19]: service_mod: Update
> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' ... FAIL
> test_host[20]: service_show: Retrieve
> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' to
> verify update ... FAIL
>
> because they expect the CN to be puma.greyoak.com. I'm not sure if this
> issue is in the scope of this patch - if it's not, then ACK.

I'll fix them up.

rob
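The rule the thread settles on (accept only certificates our own CA issued, since we cannot revoke or otherwise manage anything else), as an added example that is not code from the patch or from FreeIPA: a stdlib-only DER walker pulls the issuer Name out of an X.509 certificate and the import is refused unless that Name is byte-for-byte the subject of the CA we manage. Every certificate and DN below is constructed in-line (hypothetical realm EXAMPLE.TEST, dummy key and signature). It also exercises the intermediate-CA case raised above: a certificate issued by a sub-CA under the IPA CA has a different issuer Name and is rejected just like a foreign one.

```python
"""Accept an imported certificate only if its issuer is the CA we manage.

Added example (not FreeIPA's code). Sample certificates are constructed
in-line with a hypothetical realm and carry no real key or signature.
"""

# --- minimal DER encoder, used only to build the constructed sample certs ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

OID_CN = bytes.fromhex("550403")                      # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")                       # id-at-organizationName (2.5.4.10)
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def name(cn, o):
    """X.501 Name: SEQUENCE OF RelativeDistinguishedName (SET OF type+value)."""
    def atv(oid, value):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0c, value.encode())))
    return tlv(0x30, atv(OID_O, o) + atv(OID_CN, cn))

def fake_cert(issuer, subject):
    """Just enough of an X.509 v3 Certificate for the issuer check (dummy key/signature)."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA))
    tbs = tlv(0x30,
              tlv(0xa0, tlv(0x02, b"\x02"))                  # [0] EXPLICIT version v3
              + tlv(0x02, b"\x01")                            # serialNumber
              + alg                                           # signature algorithm
              + issuer
              + tlv(0x30, tlv(0x17, b"110101000000Z")
                          + tlv(0x17, b"120101000000Z"))    # validity (UTCTime)
              + subject
              + tlv(0x30, b""))                               # subjectPublicKeyInfo placeholder
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))     # signatureValue placeholder

# --- minimal DER decoder: the part an import check actually needs ---

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the single-byte-tag TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    """Split the content of a constructed type into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def issuer_of(cert_der):
    """Return the DER content of the issuer Name from a Certificate."""
    _, cert, _ = read_tlv(cert_der)
    (_, tbs), _alg, _sig = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # [0] version is absent in v1 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1]

OID_LABELS = {OID_CN: "CN", OID_O: "O"}

def name_to_str(name_content):
    """Render a Name as 'O=...,CN=...' for messages (CN and O suffice here)."""
    parts = []
    for _set_tag, rdn in children(name_content):
        for _seq_tag, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OID_LABELS.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)

def check_import(cert_der, ca_subject_der):
    """Raise ValueError unless the certificate's issuer is exactly our CA's subject."""
    _, ca_subject, _ = read_tlv(ca_subject_der)
    issuer = issuer_of(cert_der)
    if issuer != ca_subject:
        raise ValueError(f"issuer {name_to_str(issuer)!r} is not our CA "
                         f"{name_to_str(ca_subject)!r}; refusing to import")
    return name_to_str(issuer)

# Constructed sample data (hypothetical realm EXAMPLE.TEST).
IPA_CA = name("Certificate Authority", "EXAMPLE.TEST")
SUB_CA = name("Sub CA", "EXAMPLE.TEST")            # an intermediate below the IPA CA
FOREIGN_CA = name("Root CA", "Other Org")
HOST = name("host.example.test", "EXAMPLE.TEST")

def demo():
    """Run the check over the three cases discussed in the thread."""
    outcomes = {}
    for label, issuer in (("ipa-ca", IPA_CA), ("intermediate", SUB_CA), ("foreign", FOREIGN_CA)):
        try:
            check_import(fake_cert(issuer, HOST), IPA_CA)
            outcomes[label] = "accepted"
        except ValueError:
            outcomes[label] = "rejected"
    return outcomes
```

The comparison is on the DER content of the Name rather than on a rendered string, so two DNs that merely print alike (different string types, different attribute order) do not match by accident; the string form is only for the error message. Running `demo()` gives `{'ipa-ca': 'accepted', 'intermediate': 'rejected', 'foreign': 'rejected'}`.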