[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Rob Crittenden rcritten at redhat.com
Fri Jun 17 14:27:43 UTC 2011


Jan Cholasta wrote:
> On 16.6.2011 15:12, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 14.6.2011 15:16, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> On 6.6.2011 21:25, Rob Crittenden wrote:
>>>>>>> Jan Cholasta wrote:
>>>>>>>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>>>>>>>> The goal is to not import foreign certificates.
>>>>>>>>>
>>>>>>>>> This caused a bunch of tests to fail because we had a hardcoded server
>>>>>>>>> certificate. Instead a developer will need to run make-testcert to
>>>>>>>>> create a server certificate generated by the local CA to test against.
>>>>>>>>>
>>>>>>>>> ticket 1134
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>
>>>>>>>> NACK
>>>>>>>>
>>>>>>>> The certificate isn't verified in host-add.
>>>>>>>>
>>>>>>>> I suspect that certificates signed by an intermediate CA (i.e. when
>>>>>>>> the certificate chain length > 2) are considered invalid. Is that the
>>>>>>>> desired behavior?
>>>>>>>
>>>>>>> That will work as long as the issuer is the IPA CA. I see that if we
>>>>>>> are given a service cert issued by another CA in the chain things
>>>>>>> could go badly. I'm not sure this is something to really worry about
>>>>>>> though.
>>>>>>
>>>>>> I guess it's not. But I'd like a second opinion on that.
>>>>>
>>>>> We really only want to support those certs we issue otherwise things
>>>>> like revocation get tricky, because we can't manage things we don't
>>>>> issue.
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> make-testcert fails with:
>>>>>>>>
>>>>>>>> Traceback (most recent call last):
>>>>>>>>   File "./make-testcert", line 126, in <module>
>>>>>>>>     sys.exit(makecert(reqdir))
>>>>>>>>   File "./make-testcert", line 105, in makecert
>>>>>>>>     add=True)
>>>>>>>>   File "./make-testcert", line 66, in run
>>>>>>>>     result = self.execute(method, *args, **options)
>>>>>>>>   File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
>>>>>>>>     raise error #pylint: disable=E0702
>>>>>>>> ipalib.errors.CommandError: unknown command 'cert_request'
>>>>>>>>
>>>>>>>> This is probably an error on my part (tried running it on both my
>>>>>>>> machine without IPA installed and on a VM with IPA installed with no
>>>>>>>> luck), but nonetheless it should be fixed to fail gracefully so that
>>>>>>>> the tests in "make test" have a chance to run. Similarly, the tests
>>>>>>>> which use the test certificate created by make-testcert should be
>>>>>>>> skipped if the certificate isn't available.
>>>>>>>
>>>>>>> You need to take the certificate databases from a self-signed install
>>>>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. There
>>>>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>>>>>>>
>>>>>>> I think this should be mandatory as certificates are a main feature of
>>>>>>> v2.
>>>>>>
>>>>>> No matter what I do, I'm still getting the unknown command error. Can
>>>>>> you describe the steps needed to make make-testcert successfully run?
>>>>>>
>>>>>> BTW, it would be nice if "make test" printed an informational message
>>>>>> when the requirements to run the tests aren't met instead of failing
>>>>>> with some random error.
>>>>>
>>>>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
>>>>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
>>>>> comment out the xmlrpc_uri. This is now caught by the script.
>>>>>
>>>>> rob
>>>>
>>>> These tests fail:
>>>>
>>>> test_host[19]: service_mod: Update
>>>> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' ... FAIL
>>>> test_host[20]: service_show: Retrieve
>>>> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' to
>>>> verify update ... FAIL
>>>>
>>>> because they expect the CN to be puma.greyoak.com. I'm not sure if this
>>>> issue is in the scope of this patch - if it's not, then ACK.
>>>
>>> I'll fix them up.
>>
>> attached
>
> ACK
>
> Honza
>

pushed to master and ipa-2-0
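The policy settled on in the thread (only certificates issued directly by the local IPA CA are importable, so a foreign CA's certificate or one signed by an intermediate that merely chains up to the IPA CA is refused) is shown below as an added example. It is not FreeIPA's code and not the patch under review: certificates are modelled as dicts of DN strings, the DN parser and the names `parse_dn`, `issuer_matches`, `validate_import` and `triage` are assumptions of this example, and every DN value is constructed.

```python
"""Issuer check for certificates submitted for import (e.g. via host-add or
service-mod). Added example, not FreeIPA code: it models the policy discussed
in the thread, that only certificates issued directly by the local IPA CA are
accepted, because certificates we did not issue cannot be managed or revoked
by us. All DNs below are constructed sample data."""


class IssuerMismatch(ValueError):
    """Raised when a certificate was not issued directly by the expected CA."""


def parse_dn(dn):
    """Parse an RFC 4514 DN string into [(attribute_type, value), ...].

    Attribute types are lower-cased and whitespace around separators is
    dropped, so 'cn=Foo, o=BAR' and 'CN=Foo,O=BAR' parse identically.
    Backslash-escaped ',' and '=' are kept as part of the value.
    """
    pairs = []
    attr, value, in_value, escaped = [], [], False, False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            (value if in_value else attr).append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == ',' and in_value:      # unescaped comma ends the RDN
            pairs.append((''.join(attr).strip().lower(), ''.join(value).strip()))
            attr, value, in_value = [], [], False
        elif ch == '=' and not in_value:  # first unescaped '=' splits type/value
            in_value = True
        else:
            (value if in_value else attr).append(ch)
    if escaped or not in_value:
        raise ValueError('malformed DN: %r' % dn)
    pairs.append((''.join(attr).strip().lower(), ''.join(value).strip()))
    return pairs


def issuer_matches(cert_issuer_dn, ca_subject_dn):
    """True if the certificate's issuer DN names the CA, compared RDN by RDN.

    Values are compared case-insensitively, approximating X.500
    caseIgnoreMatch for CN/O/OU. A stricter deployment could compare the
    authority key identifier with the CA's subject key identifier instead.
    """
    def norm(dn):
        return [(a, v.lower()) for a, v in parse_dn(dn)]
    return norm(cert_issuer_dn) == norm(ca_subject_dn)


def validate_import(cert, ca_subject_dn):
    """Accept a cert dict {'subject', 'issuer'} only if our CA issued it."""
    if not issuer_matches(cert['issuer'], ca_subject_dn):
        raise IssuerMismatch('issuer %r is not the local CA %r'
                             % (cert['issuer'], ca_subject_dn))
    return cert


def triage(certs, ca_subject_dn):
    """Map each nickname to 'accepted' or 'rejected' under the policy.

    A malformed DN raises ValueError rather than being silently rejected,
    so that a broken input is visible instead of looking like a policy hit.
    """
    verdicts = {}
    for nick, cert in certs.items():
        try:
            validate_import(cert, ca_subject_dn)
            verdicts[nick] = 'accepted'
        except IssuerMismatch:
            verdicts[nick] = 'rejected'
    return verdicts


# Constructed sample data (not real FreeIPA DNs).
IPA_CA = 'CN=Certificate Authority,O=EXAMPLE.TEST'
SAMPLE_CERTS = {
    # Issued directly by the IPA CA; issuer DN differs only cosmetically.
    'local-service': {'subject': 'CN=HTTP/host1.example.test,O=EXAMPLE.TEST',
                      'issuer': 'cn=Certificate Authority, o=EXAMPLE.TEST'},
    # Signed by a foreign CA: we could never revoke it, so it is refused.
    'foreign': {'subject': 'CN=www.other.test,O=Other Org',
                'issuer': 'CN=Other Root CA,O=Other Org'},
    # Signed by an intermediate that itself chains to the IPA CA (chain
    # length 3): still refused, because the direct issuer is not the IPA CA.
    'via-intermediate': {'subject': 'CN=ldap/host2.example.test,O=EXAMPLE.TEST',
                         'issuer': 'CN=Intermediate CA,O=EXAMPLE.TEST'},
}

if __name__ == '__main__':
    for nick, verdict in sorted(triage(SAMPLE_CERTS, IPA_CA).items()):
        print('%-16s %s' % (nick, verdict))
```

The DN normalisation is what keeps the check from producing false rejections when the same CA name is rendered with different attribute-type case or spacing by different tools; the intermediate-CA case is the one Jan raised, and under this policy it is rejected by design.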
