[Freeipa-devel] [PATCH] 1059 single CRL generator

Simo Sorce simo at redhat.com
Fri Oct 5 16:26:28 UTC 2012


On Fri, 2012-10-05 at 12:19 -0400, Ade Lee wrote:
> On Fri, 2012-10-05 at 16:45 +0200, Martin Kosek wrote:
> > On 10/05/2012 10:59 AM, Martin Kosek wrote:
> > > On 10/04/2012 06:17 PM, Rob Crittenden wrote:
> > >> This changes the way IPA generates CRLs for new installs only.
> > >>
> > >> The first master installed is configured as the CRL generator. An entry is
> > >> added to cn=masters that designates it.
> > >>
> > >> When a replica is installed it queries this entry so it knows where to forward
> > >> CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will
> > >> return not found). It is possible to get a CRL directly from the clone CA via
> > >> http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> > >>
> > >> rob
> > 
> > ...
> > 
> > > 3) Majorish issue I hit with the actual CRL publishing on our server (F17). I
> > > always get 403 Forbidden error when trying to download CRL from the CRL master:
> > > 
> > > # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
> > > --2012-10-05 03:32:58--
> > > https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
> > > Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
> > > Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
> > > HTTP request sent, awaiting response... 403 Forbidden
> > > 2012-10-05 03:32:58 ERROR 403: Forbidden.
> > > 
> > > I tracked the problem down to too strict permissions on the /var/lib/pki-ca
> > > directory, which is being published by httpd, which does not have access to it:
> > > 
> > > # ll /var/lib/pki-ca
> > > 
> > > drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 03:00 pki-ca
> > > 
> > > When I fixed the permission:
> > > # chmod o+x /var/lib/pki-ca/
> > > 
> > > I was able to get past the Forbidden error and actually retrieved the CRL.
> > > Adding Ade on the CC list to follow up on this permission issue.
> > 
> > FYI - I filed a ticket for this issue:
> > https://fedorahosted.org/freeipa/ticket/3144
> > 
> > I plan to simply fix permission on /var/lib/pki-ca/ in a similar way we do for
> > /var/lib/pki-ca/publish/
> > 
> 
> Sorry, but why do you need permissions on /var/lib/pki-ca?  Aren't
> permissions on /var/lib/pki-ca/publish sufficient?

Ade,
On Unix filesystems you cannot traverse a directory path if you do not
have permission all the way through.
If 'others' can't access /var/lib/pki-ca they will never even reach the
point where they can see that they have access to a subdirectory.
The very minimum permission you need to be able to traverse directories
is to have the 'traverse' (x) bit set. (Note that you do not need the
read (r) bit set just to traverse.)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
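A small diagnostic for the rule Simo describes and the 403 Martin hit, written as an added example (not part of this thread or of FreeIPA): it walks every path component from a base directory down, reports the first one whose classic mode bits deny a given uid (search/x on each directory, read/r on the final file), and rebuilds the /var/lib/pki-ca layout from the ticket in a temporary directory to show the effect of `chmod o+x`. It assumes plain POSIX mode bits only (no POSIX ACLs, SELinux or other LSMs, which can deny access the bits alone would allow); the directory names and placeholder CRL contents are constructed.

```python
import os
import tempfile


def _class_bits(st, uid, gids):
    """Pick the owner/group/other permission triple that applies to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_blocking_component(path, uid, gids, base="/"):
    """Return the first component under `base` that denies uid access to `path`.

    Every directory from `base` down to the parent of `path` needs the x bit
    for the caller's class; the final entry needs r. uid 0 bypasses DAC.
    Returns None when nothing blocks.
    """
    if uid == 0:
        return None
    path, base = os.path.abspath(path), os.path.abspath(base)
    parts = os.path.relpath(path, base).split(os.sep)
    # base plus each intermediate directory: all must be searchable (x)
    dirs = [base] + [os.path.join(base, *parts[:i]) for i in range(1, len(parts))]
    for d in dirs:
        if not _class_bits(os.stat(d), uid, gids) & 1:
            return d
    # the final entry (the CRL file) must be readable (r)
    if not _class_bits(os.stat(path), uid, gids) & 4:
        return path
    return None


def reproduce_ticket_3144():
    """Rebuild the layout from the thread in a temp dir; return (before, after)."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)                    # stand-in for an accessible /var/lib
    pki_ca = os.path.join(top, "pki-ca")
    publish = os.path.join(pki_ca, "publish")
    crl = os.path.join(publish, "MasterCRL.bin")
    os.makedirs(publish)
    with open(crl, "wb") as fh:
        fh.write(b"constructed CRL placeholder")  # not a real CRL
    os.chmod(pki_ca, 0o770)                 # drwxrwx--- as in the `ll` output
    os.chmod(publish, 0o755)
    os.chmod(crl, 0o644)
    # httpd stand-in: an 'other' user, not the owner and in none of its groups
    other_uid, other_gids = os.getuid() + 1, frozenset()
    before = first_blocking_component(crl, other_uid, other_gids, base=top)
    os.chmod(pki_ca, 0o771)                 # chmod o+x /var/lib/pki-ca/
    after = first_blocking_component(crl, other_uid, other_gids, base=top)
    rel = lambda p: None if p is None else os.path.relpath(p, top)
    return rel(before), rel(after)
```

Before the fix the walk stops at `pki-ca` even though `publish` and the CRL file are world-readable; after adding only the x bit (no r) on `pki-ca`, nothing blocks.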
