[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer



Jan Cholasta wrote:
On 16.6.2011 15:12, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 14.6.2011 15:16, Rob Crittenden wrote:
Jan Cholasta wrote:
On 6.6.2011 21:25, Rob Crittenden wrote:
Jan Cholasta wrote:
On 26.4.2011 22:52, Rob Crittenden wrote:
The goal is to not import foreign certificates.

This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against.

ticket 1134

rob


NACK

The certificate isn't verified in host-add.

I suspect that certificates signed by an intermediate CA (i.e. when the certificate chain length > 2) are considered invalid. Is that the desired behavior?

That will work as long as the issuer is the IPA CA. I see that if we are given a service cert issued by another CA in the chain things could go badly. I'm not sure this is something to really worry about though.

I guess it's not. But I'd like a second opinion on that.

We really only want to support those certs we issue otherwise things
like revocation get tricky, because we can't manage things we don't
issue.




make-testcert fails with:

Traceback (most recent call last):
File "./make-testcert", line 126, in <module>
sys.exit(makecert(reqdir))
File "./make-testcert", line 105, in makecert
add=True)
File "./make-testcert", line 66, in run
result = self.execute(method, *args, **options)
File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
raise error #pylint: disable=E0702
ipalib.errors.CommandError: unknown command 'cert_request'

This is probably an error on my part (tried running it on both my machine without IPA installed and on a VM with IPA installed with no luck), but nonetheless it should be fixed to fail gracefully so that the tests in "make test" have a chance to run. Similarly, the tests which use the test certificate created by make-testcert should be skipped if the certificate isn't available.

You need to take the certificate databases from a self-signed install and copy them to ~/.ipa/alias/ in order to do certificate testing. There is documentation on how to do this in tests/test_xmlrpc/test_cert.py

I think this should be mandatory as certificates are a main feature of v2.

No matter what I do, I'm still getting the unknown command error. Can
you describe the steps needed to make make-testcert successfully run?

BTW, it would be nice if "make test" printed an informational message
when the requirements to run the tests aren't met instead of failing
with some random error.

You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
comment out the xmlrpc_uri. This is now caught by the script.

rob

These tests fail:

test_host[19]: service_mod: Update u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' ... FAIL
test_host[20]: service_show: Retrieve u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' to verify update ... FAIL

because they expect the CN to be puma.greyoak.com. I'm not sure if this
issue is in the scope of this patch - if it's not, then ACK.

I'll fix them up.

attached

ACK

Honza


pushed to master and ipa-2-0
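A worked illustration of the issuer check this thread is about, and of the intermediate-CA case Jan raises: a service certificate whose issuer is a sub-CA fails the check even when that sub-CA was itself issued by the IPA CA, because only the immediate issuer Name is compared. This is an added example written for this page, not FreeIPA's code from patch 779. The certificate bytes are constructed test data produced by a hand-rolled DER encoder with dummy keys and signatures (never cryptographically valid), the realm and host names (EXAMPLE.TEST, host.example.test, "Sub CA", "Some Other CA") are made up, and the helper functions (make_cert, issuer_and_subject, check_issuer, is_ours) are this example's own.

```python
"""Issuer-match check for imported certificates (added example, not FreeIPA code).

Builds a few DER certificates by hand so the script runs offline, then shows
which of them an "issuer must equal our CA's subject" check accepts.
"""

# --- minimal DER encoder: only what the constructed certificates need ---

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"                                   # 2.5.4.10 organizationName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


def name(cn, org="EXAMPLE.TEST"):
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {type OID, UTF8String value}))."""
    def rdn(oid, value):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0c, value.encode())))
    return tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def make_cert(subject_cn, issuer_cn, serial):
    """Constructed test certificate; key bits and signature are dummy zeros."""
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    key_alg = tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"110601000000Z") + tlv(0x17, b"120601000000Z"))
    spki = tlv(0x30, key_alg + tlv(0x03, b"\x00" * 9))          # dummy public key
    tbs = tlv(0x30, tlv(0xa0, tlv(0x02, b"\x02"))                # [0] EXPLICIT version v3
              + tlv(0x02, bytes([serial]))
              + sig_alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))     # dummy signature

# --- minimal DER reader: enough to pull issuer and subject out of a cert ---

def read_tlv(buf, pos=0):
    """Return (tag, body, end_offset) for the element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_name(body):
    """Name as a tuple of (attribute, value) pairs in encoded order."""
    pairs = []
    for _, rdn in children(body):                 # each RDN is a SET
        for _, atv in children(rdn):              # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, val) = children(atv)
            pairs.append((OID_NAMES.get(oid, oid.hex()), val.decode()))
    return tuple(pairs)


def issuer_and_subject(der):
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xa0:                      # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    return parse_name(fields[2][1]), parse_name(fields[4][1])

# --- the check itself: compare full issuer DN to our CA's subject DN ---

class ForeignCertificate(Exception):
    pass


def check_issuer(cert_der, ca_der):
    """Return the subject of cert_der if its issuer is exactly our CA, else raise."""
    _, ca_subject = issuer_and_subject(ca_der)
    issuer, subject = issuer_and_subject(cert_der)
    if issuer != ca_subject:                      # whole DN, not just CN
        raise ForeignCertificate("issuer %r is not our CA %r" % (issuer, ca_subject))
    return subject


def is_ours(cert_der, ca_der):
    try:
        check_issuer(cert_der, ca_der)
        return True
    except ForeignCertificate:
        return False


# constructed sample chain: IPA CA -> host cert, IPA CA -> Sub CA -> leaf, unrelated CA
IPA_CA = make_cert("Certificate Authority", "Certificate Authority", 1)
HOST_CERT = make_cert("host.example.test", "Certificate Authority", 2)
SUB_CA = make_cert("Sub CA", "Certificate Authority", 3)
SUB_ISSUED = make_cert("other.example.test", "Sub CA", 4)
FOREIGN = make_cert("foreign.example.test", "Some Other CA", 5)

if __name__ == "__main__":
    for label, der in [("host cert", HOST_CERT), ("sub CA", SUB_CA),
                       ("leaf via sub CA", SUB_ISSUED), ("foreign", FOREIGN)]:
        print("%-16s %s" % (label, "accepted" if is_ours(der, IPA_CA) else "rejected"))
```

The leaf issued by "Sub CA" is rejected although its chain terminates at the IPA CA, which is the behaviour Rob describes as acceptable: the server can only revoke what it issued directly. In a real deployment the DER parsing would be done by NSS (or a proper X.509 library) rather than by the toy reader above; the reader exists only so the example runs without dependencies.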

