[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Jan Cholasta jcholast at redhat.com
Thu Jun 16 14:53:55 UTC 2011


On 16.6.2011 15:12, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 14.6.2011 15:16, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> On 6.6.2011 21:25, Rob Crittenden wrote:
>>>>>> Jan Cholasta wrote:
>>>>>>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>>>>>>> The goal is to not import foreign certificates.
>>>>>>>>
>>>>>>>> This caused a bunch of tests to fail because we had a hardcoded
>>>>>>>> server
>>>>>>>> certificate. Instead a developer will need to run make-testcert to
>>>>>>>> create a server certificate generated by the local CA to test
>>>>>>>> against.
>>>>>>>>
>>>>>>>> ticket 1134
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>
>>>>>>> NACK
>>>>>>>
>>>>>>> The certificate isn't verified in host-add.
>>>>>>>
>>>>>>> I suspect that certificates signed by an intermediate CA (i.e. when
>>>>>>> the
>>>>>>> certificate chain length > 2) are considered invalid. Is that the
>>>>>>> desired behavior?
>>>>>>
>>>>>> That will work as long as the issuer is the IPA CA. I see that if we
>>>>>> are
>>>>>> given a service cert issued by another CA in the chain things
>>>>>> could go
>>>>>> badly. I'm not sure this is something to really worry about though.
>>>>>
>>>>> I guess it's not. But I'd like a second opinion on that.
>>>>
>>>> We really only want to support those certs we issue otherwise things
>>>> like revocation get tricky, because we can't manage things we don't
>>>> issue.
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> make-testcert fails with:
>>>>>>>
>>>>>>> Traceback (most recent call last):
>>>>>>> File "./make-testcert", line 126, in <module>
>>>>>>> sys.exit(makecert(reqdir))
>>>>>>> File "./make-testcert", line 105, in makecert
>>>>>>> add=True)
>>>>>>> File "./make-testcert", line 66, in run
>>>>>>> result = self.execute(method, *args, **options)
>>>>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in
>>>>>>> execute
>>>>>>> raise error #pylint: disable=E0702
>>>>>>> ipalib.errors.CommandError: unknown command 'cert_request'
>>>>>>>
>>>>>>> This is probably an error on my part (tried running it on both my
>>>>>>> machine without IPA installed and on VM with IPA installed with no
>>>>>>> luck), but nonetheless it should be fixed to fail gracefully so that
>>>>>>> the
>>>>>>> tests in "make test" have a chance to run. Similarly, the tests
>>>>>>> which
>>>>>>> use the test certificate created by make-testcert should be
>>>>>>> skipped if
>>>>>>> the certificate isn't available.
>>>>>>
>>>>>> You need to take the certificate databases from a self-signed install
>>>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing.
>>>>>> There
>>>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>>>>>>
>>>>>> I think this should be mandatory as certificates are a main
>>>>>> feature of
>>>>>> v2.
>>>>>
>>>>> No matter what I do, I'm still getting the unknown command error. Can
>>>>> you describe the steps needed to make make-testcert successfully run?
>>>>>
>>>>> BTW, it would be nice if "make test" printed an informational message
>>>>> when the requirements to run the tests aren't met instead of failing
>>>>> with some random error.
>>>>
>>>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
>>>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
>>>> comment out the xmlrpc_uri. This is now caught by the script.
>>>>
>>>> rob
>>>
>>> These tests fail:
>>>
>>> test_host[19]: service_mod: Update
>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... FAIL
>>> test_host[20]: service_show: Retrieve
>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to
>>> verify update ... FAIL
>>>
>>> because they expect the CN to be puma.greyoak.com. I'm not sure if this
>>> issue is in the scope of this patch - if it's not, then ACK.
>>
>> I'll fix them up.
>
> attached

ACK

Honza

-- 
Jan Cholasta
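The check the thread is about, as an added illustration rather than the patch or FreeIPA's own code: a certificate is accepted only if its issuer DN equals the IPA CA's subject DN and, because that DN field is attacker-chosen, its signature also verifies under the CA key. It uses the third-party `cryptography` package; the CAs, keys, validity dates and the "Sub CA" intermediate are constructed here, while the GREYOAK.COM / IDM.LAB.BOS.REDHAT.COM names and the HTTP service principal are taken from the thread's test output.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
IPA_ORG, FOREIGN_ORG = "IDM.LAB.BOS.REDHAT.COM", "GREYOAK.COM"  # constructed realm names
HOST = "HTTP/testhost1.idm.lab.bos.redhat.com"                  # service principal from the thread

def _name(cn, org):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _build(subject, issuer, pubkey, signer_key):
    start = datetime.datetime(2011, 6, 16)  # constructed validity window
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(signer_key, hashes.SHA256()))

def make_ca(cn, org, parent=None):  # self-signed root, or a CA certificate issued by parent
    key, name = ec.generate_private_key(ec.SECP256R1()), _name(cn, org)
    issuer, signer = (name, key) if parent is None else (parent[1].subject, parent[0])
    return key, _build(name, issuer, key.public_key(), signer)

def issue_leaf(ca, org, claimed_issuer=None):  # claimed_issuer lets the demo forge the issuer DN
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = ca[1].subject if claimed_issuer is None else claimed_issuer
    return _build(_name(HOST, org), issuer, key.public_key(), ca[0])

def issued_by_our_ca(cert, ca_cert):
    # Issuer DN must equal our CA's subject DN *and* the signature must verify under
    # our CA's key: the DN field alone is chosen by whoever built the certificate.
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def demo():
    ipa = make_ca("Certificate Authority", IPA_ORG)
    foreign = make_ca("Certificate Authority", FOREIGN_ORG)
    sub = make_ca("Sub CA", IPA_ORG, parent=ipa)  # intermediate: chain length > 2
    return {"ours": issued_by_our_ca(issue_leaf(ipa, IPA_ORG), ipa[1]),
            "foreign": issued_by_our_ca(issue_leaf(foreign, FOREIGN_ORG), ipa[1]),
            "via_intermediate": issued_by_our_ca(issue_leaf(sub, IPA_ORG), ipa[1]),
            "forged_issuer_dn": issued_by_our_ca(issue_leaf(foreign, FOREIGN_ORG, claimed_issuer=ipa[1].subject), ipa[1])}
```

Only the certificate issued directly by the IPA CA passes; the intermediate-CA case is rejected exactly as the thread observes for chain lengths greater than 2, and the forged-DN case shows why the DN comparison alone is not enough.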
