[Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas

Rob Crittenden rcritten at redhat.com
Fri Jun 24 14:56:35 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-06-23 at 17:00 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote:
>>>>> A dogtag replica file is created as usual. When the replica is installed
>>>>> dogtag is optional and not installed by default. Adding the --setup-ca
>>>>> option will configure it when the replica is installed.
>>>>>
>>>>> A new tool ipa-ca-install will configure dogtag if it wasn't configured
>>>>> when the replica was initially installed.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1251
>>>>>
>>>>> See the ticket for testing suggestions.
>>>>>
>>>>> rob
>>>>
>>>> I have found some issues with the patch:
>>>>
>>>> 1) Man page:
>>>> - missing man file in man folder's Makefile.am
>>>> - missing man file in the spec ->  man is not installed
>>>
>>> Yeah, I realized that after I submitted it.
>>>
>>>>
>>>> 2) Missing ipa-ca-install in install/po/Makefile.in
>>>
>>> Oh, ipa-dns-install is missing too, I'll fix it.
>>>
>>>>
>>>> 3) ipa-ca-install:
>>>> - expand_info, read_info, get_host_name or install_ca: functions are
>>>> copied from ipa-replica-install tool. Having a lot of redundant code
>>>> leads to the dark side. Calling these functions from a common library
>>>> seems more convenient to me.
>>>
>>> Yeah, I'll see about pulling some of that into installutils.py.
>>> install_ca is different depending on context though, I'll have to see
>>> how complex the conditionals become if I combine them.
>>>
>>>>
>>>> 4) man ipa-ca-install:
>>>>
>>>> +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
>>>>
>>>> is not consistent with
>>>>
>>>> +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=
>>>> \fIADMIN_PASSWORD\fR
>>>>
>>>> (missing DM_PASSWORD placeholder after "-p")
>>>
>>> Ok, we'll need to check the ipa-replica-install man page too, I based
>>> this on that.
>>>
>>>>
>>>>
>>>> 5) Now the real problem - when I was installing a replica I got a strange
>>>> error:
>>>>
>>>> #
>>>> ipa-replica-install
>>>> /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca
>>>> -w secret123
>>>> Directory Manager (existing master) password:
>>>>
>>>> Run connection check to master
>>>> Check connection from replica to remote master
>>>> 'vm-099.idm.lab.bos.redhat.com':
>>>> Directory Service: Unsecure port (389): OK
>>>> Directory Service: Secure port (636): OK
>>>> Kerberos (88): OK
>>>> PKI-CA: Directory Service port (7389): OK
>>>> PKI-CA: Agent secure port (9443): OK
>>>> PKI-CA: EE secure port (9444): OK
>>>> PKI-CA: Admin secure port (9445): OK
>>>> PKI-CA: EE secure client auth port (9446): OK
>>>> PKI-CA: Unsecure port (9180): OK
>>>>
>>>> Connection from replica to master is OK.
>>>> Start listening on required ports for remote master check
>>>> Get credentials to log in to remote master
>>>> Execute check on remote master
>>>> Check connection from master to remote replica
>>>> 'vm-060.idm.lab.bos.redhat.com':
>>>> Directory Service: Unsecure port (389): OK
>>>> Directory Service: Secure port (636): OK
>>>> Kerberos (88): OK
>>>> PKI-CA: Directory Service port (7389): OK
>>>> PKI-CA: Agent secure port (9443): OK
>>>> PKI-CA: EE secure port (9444): OK
>>>> PKI-CA: Admin secure port (9445): OK
>>>> PKI-CA: EE secure client auth port (9446): OK
>>>> PKI-CA: Unsecure port (9180): OK
>>>>
>>>> Connection from master to replica is OK.
>>>>
>>>> Connection check OK
>>>> Configuring ntpd
>>>> [1/4]: stopping ntpd
>>>> [2/4]: writing configuration
>>>> [3/4]: configuring ntpd to start on boot
>>>> [4/4]: starting ntpd
>>>> done configuring ntpd.
>>>> Configuring directory server for the CA: Estimated time 30 seconds
>>>> [1/3]: creating directory server user
>>>> [2/3]: creating directory server instance
>>>> [3/3]: restarting directory server
>>>> done configuring pkids.
>>>> creation of replica failed: Incorrect padding
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> /var/log/ipareplica-install.log:
>>>> ...
>>>> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil
>>>> -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a
>>>> 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE-----
>>>> -----END CERTIFICATE-----
>>>>
>>>> 2011-06-23 08:37:35,908 DEBUG stderr=
>>>> 2011-06-23 08:37:35,914 DEBUG Incorrect padding
>>>> File "/usr/sbin/ipa-replica-install", line 560, in<module>
>>>> main()
>>>>
>>>> File "/usr/sbin/ipa-replica-install", line 502, in main
>>>> (CA, cs) = install_ca(config)
>>>>
>>>> File "/usr/sbin/ipa-replica-install", line 173, in install_ca
>>>> cs.load_pkcs12()
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>>> 325, in load_pkcs12
>>>> self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>> line 449, in get_cert_from_db
>>>> dercert = base64.b64decode(cert)
>>>>
>>>> File "/usr/lib64/python2.7/base64.py", line 76, in b64decode
>>>> raise TypeError(msg)
>>>>
>>>>
>>>> Any idea what could cause this? This was run on clean VMs with your
>>>> patch on top of master branch.
>>>
>>> It means that the blob I ended up with wasn't properly base64-encoded.
>>> It could mean I missed a header/footer or something else. I'll see if I
>>> can reproduce.
>>
>> I think I've addressed all your concerns. I wasn't able to reproduce the
>> crash but I can see what caused it: we passed in a cert with a
>> header/footer to base64.b64decode(). I added a call to
>> x509.strip_header() which should fix it up.
>>
>> rob
>
> Yep, it fixed the Incorrect padding error. I successfully tested
> certificate operations (cert-request, cert-show) on a replica and both
> CA replication when CA was installed on replica and CA operation
> redirection worked fine.
>
> I have just one certificate related issue:
>
> 1) When the CA on a replica was installed using ipa-ca-install and not
> ipa-replica-install REPLICA_FILE --setup-ca, the certificate serial
> number in the cert-request operation was from the same number range. In my
> case it was s.no. 22 after ipa-ca-install and 268369922 in the
> ipa-replica-install --setup-ca scenario.
>
> Then I found some more minor documentation issues:
>
> 2) man ipa-ca-install
> - wrong formatting in --debug option - entire line is bold
> - description on the first line needs to be fixed
>
> 3) man ipa-replica-install
> - missing setup-ca option
>
> To sum it up, when these 3 issues are fixed I think the patch is ready
> to be acked.
>
> Martin
>

Fixed and pushed to master and ipa-2-0

The serial number problem was not reproducible. If a CA is not installed 
locally then it will forward requests to a remote master; I think that 
is what happened.

rob
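The fix Rob describes (strip the PEM header/footer before base64-decoding) shown as an added example, not FreeIPA's code: strip_header here only stands in for the x509.strip_header() mentioned in the thread, the DER bytes are a constructed stand-in rather than a real certificate, and to_pem, pem_to_der and naive_decode are names chosen for this example.

```python
import base64
import binascii
import re

# Constructed sample: a 6-byte DER SEQUENCE { INTEGER 261 } standing in for a
# certificate body. Not a real certificate; chosen because its base64 form
# ("MAQCAgEF") needs no '=' padding, like the certificate in the thread.
SAMPLE_DER = b"\x30\x04\x02\x02\x01\x05"

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def to_pem(der, label="CERTIFICATE", newline="\n"):
    """Wrap DER bytes in PEM armor, 64 chars per line (as certutil -a does)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return newline.join(["-----BEGIN %s-----" % label] + lines
                        + ["-----END %s-----" % label]) + newline

def strip_header(pem_text):
    """Return only the base64 body with CR/LF and blanks removed.
    Assumed stand-in for FreeIPA's x509.strip_header(), not its real code."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM BEGIN/END block found")
    return "".join(m.group("body").split())

def pem_to_der(blob):
    """Decode armored PEM or bare base64 (str or bytes) to DER bytes."""
    text = blob.decode("ascii") if isinstance(blob, bytes) else blob
    if "-----BEGIN" in text:
        text = strip_header(text)
    # validate=True rejects stray characters instead of silently dropping
    # them, which is what made the failure in the thread hard to read.
    return base64.b64decode("".join(text.split()), validate=True)

def naive_decode(pem_text):
    """Reproduce the bug: b64decode on the whole PEM, armor included.
    Default b64decode drops '-', blanks and newlines but treats the letters of
    BEGIN/END CERTIFICATE as data, so it yields garbage bytes or, when the
    character count is off as here, binascii.Error("Incorrect padding")."""
    try:
        return base64.b64decode(pem_text)
    except binascii.Error as e:
        return str(e)
```

The CRLF case matters because the log excerpt shows ^M at the end of every certificate line; joining on whitespace handles both line-ending styles.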