[Freeipa-devel] [PATCH] 1059 single CRL generator

Rob Crittenden rcritten at redhat.com
Fri Oct 5 15:50:20 UTC 2012


Martin Kosek wrote:
> On 10/04/2012 06:17 PM, Rob Crittenden wrote:
>> This changes the way IPA generates CRLs for new installs only.
>>
>> The first master installed is configured as the CRL generator. An entry is
>> added to cn=masters that designates it.
>>
>> When a replica is installed it queries this entry so it knows where to forward
>> CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will
>> return not found). It is possible to get a CRL directly from the clone CA via
>> http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>
>> rob
>
> I tested new IPA server + replica with your patch and the CRL was now generated
> only on the CRL master. I also tried OCSP (though this may not be relevant) and
> it worked for me too.
>
> 1) I do not understand the following block in set_crl_master(self, suffix):
>
> +        try:
> +            self.admin_conn.addEntry(entry)
> +        except ldap.ALREADY_EXISTS, e:
> +            root_logger.debug("failed to set CA as CRL generator")
> +            raise e
>
> - when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL is set, right?
> - AFAIK, addEntry should  return our errors, i.e. errors.DuplicateEntry
> - s/raise e/raise/
>
> I think you may have wanted to rather catch for more general LDAP error and
> then report a real error and not just a debug note.

I just wanted to flag this error specifically. It should theoretically 
never happen because we only do this on new installs.

> 2) In get_crl_master:
>
> +        except Exception, e:
> +            root_logger.debug("Could not connect to the Directory Server on
> %s: %s" % (master_host, str(e)))
> +            raise e
>
> s/raise e/raise/
>
> +        except errors.NotFound, e:
> +            root_logger.debug("failed to find CA CRL generator")
> +            self.crl_master = None
>
> - e is actually not used, "except errors.NotFound" would be enough

Yeah, I'll remove that. I initially was raising an exception instead of 
setting crl_master to None, but that wasn't such a nice experience.

> 3) Majorish issue I hit with the actual CRL publishing on our server (F17). I
> always get 403 Forbidden error when trying to download CRL from the CRL master:
>
> # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
> --2012-10-05 03:32:58--
> https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
> Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
> Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2012-10-05 03:32:58 ERROR 403: Forbidden.
>
> I tracked the problem down to too strict permission on /var/lib/pki-ca
> directory which is being published by httpd which does not have access to it:
>
> # ll /var/lib/pki-ca
>
> drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 03:00 pki-ca
>
> When I fixed the permission:
> # chmod o+x /var/lib/pki-ca/
>
> I was able to get pass the Forbidden error and actually retrieved the CRL.
> Adding Ade on CC list to follow on this permission issue.
>
>
> I was thinking about usability of this new approach, we may want to make user
> life easier in a perspective of CRL master managing. I have following
> enhancements in mind:
>
> - mark CRL master in ipa-replica-manage list, or ipa-csreplica-manage list:
>
> # ipa-csreplica-manage list
> Directory Manager password:
>
> vm-065.idm.lab.bos.redhat.com: master [CRL]
> vm-120.idm.lab.bos.redhat.com: master
>
> - when removing master with CRL by "ipa-replica-manage del" we should warn user
> and inform him what he should do next to amend the situation. I am thinking
> about 2 new commands for ipa-csreplica-manage:
>
> * ipa-csreplica-manage crl-promote
>    - promote current master as the new CRL master, enable CRL generation in
> CS.cfg, mark master as the new CRL master in cn=masters
> * ipa-csreplica-manage crl-update
>    - update CS.cfg of current CA replica and point master.ca.agent.* to current
> CRL master
>
> I can work on those enhancements if we agree on them.

I think the display and warning parts would be quite easy. The promotion 
a bit more challenging and invasive. I think documentation would be 
adequate for a first stab a this.

rob




More information about the Freeipa-devel mailing list