[Freeipa-devel] [PATCH] 1059 single CRL generator
Rob Crittenden
rcritten at redhat.com
Wed Oct 10 15:29:23 UTC 2012
Martin Kosek wrote:
> On 10/10/2012 04:12 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 10/10/2012 12:46 AM, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On 10/09/2012 04:43 PM, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On 10/04/2012 06:17 PM, Rob Crittenden wrote:
>>>>>>>>> This changes the way IPA generates CRLs for new installs only.
>>>>>>>>>
>>>>>>>>> The first master installed is configured as the CRL generator. An
>>>>>>>>> entry is
>>>>>>>>> added to cn=masters that designates it.
>>>>>>>>>
>>>>>>>>> When a replica is installed it queries this entry so it knows where
>>>>>>>>> to forward
>>>>>>>>> CRL requests. CRL files are not available on cloned CAs (so
>>>>>>>>> /ipa/crl will
>>>>>>>>> return not found). It is possible to get a CRL directly from the
>>>>>>>>> clone CA via
>>>>>>>>> http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> I tested new IPA server + replica with your patch and the CRL was
>>>>>>>> now generated
>>>>>>>> only on the CRL master. I also tried OCSP (though this may not be
>>>>>>>> relevant) and
>>>>>>>> it worked for me too.
>>>>>>>>
>>>>>>>> 1) I do not understand the following block in set_crl_master(self,
>>>>>>>> suffix):
>>>>>>>>
>>>>>>>> + try:
>>>>>>>> + self.admin_conn.addEntry(entry)
>>>>>>>> + except ldap.ALREADY_EXISTS, e:
>>>>>>>> + root_logger.debug("failed to set CA as CRL generator")
>>>>>>>> + raise e
>>>>>>>>
>>>>>>>> - when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL
>>>>>>>> is set,
>>>>>>>> right?
>>>>>>>> - AFAIK, addEntry should return our errors, i.e. errors.DuplicateEntry
>>>>>>>> - s/raise e/raise/
>>>>>>>>
>>>>>>>> I think you may have wanted to rather catch for more general LDAP
>>>>>>>> error and
>>>>>>>> then report a real error and not just a debug note.
>>>>>>>>
>>>>>>>> 2) In get_crl_master:
>>>>>>>>
>>>>>>>> + except Exception, e:
>>>>>>>> + root_logger.debug("Could not connect to the Directory
>>>>>>>> Server on
>>>>>>>> %s: %s" % (master_host, str(e)))
>>>>>>>> + raise e
>>>>>>>>
>>>>>>>> s/raise e/raise/
>>>>>>>>
>>>>>>>> + except errors.NotFound, e:
>>>>>>>> + root_logger.debug("failed to find CA CRL generator")
>>>>>>>> + self.crl_master = None
>>>>>>>>
>>>>>>>> - e is actually not used, "except errors.NotFound" would be enough
>>>>>>>>
>>>>>>>> 3) Majorish issue I hit with the actual CRL publishing on our server
>>>>>>>> (F17). I
>>>>>>>> always get 403 Forbidden error when trying to download CRL from the
>>>>>>>> CRL master:
>>>>>>>>
>>>>>>>> # wget --ca-certificate /etc/ipa/ca.crt
>>>>>>>> https://`hostname`/ipa/crl/MasterCRL.bin
>>>>>>>> --2012-10-05 03:32:58--
>>>>>>>> https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
>>>>>>>> Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
>>>>>>>> Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443...
>>>>>>>> connected.
>>>>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>>>>> 2012-10-05 03:32:58 ERROR 403: Forbidden.
>>>>>>>>
>>>>>>>> I tracked the problem down to too strict permission on /var/lib/pki-ca
>>>>>>>> directory which is being published by httpd which does not have
>>>>>>>> access to it:
>>>>>>>>
>>>>>>>> # ll /var/lib/pki-ca
>>>>>>>>
>>>>>>>> drwxrwx---. 11 pkiuser pkiuser 4096 Oct 5 03:00 pki-ca
>>>>>>>>
>>>>>>>> When I fixed the permission:
>>>>>>>> # chmod o+x /var/lib/pki-ca/
>>>>>>>>
>>>>>>>> I was able to get pass the Forbidden error and actually retrieved
>>>>>>>> the CRL.
>>>>>>>> Adding Ade on CC list to follow on this permission issue.
>>>>>>>>
>>>>>>>>
>>>>>>>> I was thinking about usability of this new approach, we may want to
>>>>>>>> make user
>>>>>>>> life easier in a perspective of CRL master managing. I have following
>>>>>>>> enhancements in mind:
>>>>>>>>
>>>>>>>> - mark CRL master in ipa-replica-manage list, or
>>>>>>>> ipa-csreplica-manage list:
>>>>>>>>
>>>>>>>> # ipa-csreplica-manage list
>>>>>>>> Directory Manager password:
>>>>>>>>
>>>>>>>> vm-065.idm.lab.bos.redhat.com: master [CRL]
>>>>>>>> vm-120.idm.lab.bos.redhat.com: master
>>>>>>>>
>>>>>>>> - when removing master with CRL by "ipa-replica-manage del" we
>>>>>>>> should warn user
>>>>>>>> and inform him what he should do next to amend the situation. I am
>>>>>>>> thinking
>>>>>>>> about 2 new commands for ipa-csreplica-manage:
>>>>>>>>
>>>>>>>> * ipa-csreplica-manage crl-promote
>>>>>>>> - promote current master as the new CRL master, enable CRL
>>>>>>>> generation in
>>>>>>>> CS.cfg, mark master as the new CRL master in cn=masters
>>>>>>>> * ipa-csreplica-manage crl-update
>>>>>>>> - update CS.cfg of current CA replica and point
>>>>>>>> master.ca.agent.* to current
>>>>>>>> CRL master
>>>>>>>>
>>>>>>>> I can work on those enhancements if we agree on them.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>
>>>>>>> Andrew provided some feedback out-of-band and my solution was overly
>>>>>>> complex.
>>>>>>> Here is a much simpler patch which does away with all the hand-waving
>>>>>>> around
>>>>>>> knowing who the CRL generator is.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> This looks OK code-wise, I will wait for dogtag guys to confirm that
>>>>>> this is
>>>>>> the right approach.
>>>>>>
>>>>>> Btw. I think we may want to file a RFE to implement some command to
>>>>>> promote a
>>>>>> replica to CRL master (like "ipa-csreplica-manage crl-promote" proposed
>>>>>> earlier). Users may want to promote a replica when the master crashes
>>>>>> or is to
>>>>>> be replaced. Some way to migrate CRL list (if not replicated already)
>>>>>> to the
>>>>>> promoted replica would also be needed.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Andrew suggested I specify that we do not monitor cloned revocations on
>>>>> the server not generating CRLs, so I added that.
>>>>>
>>>>> The last question is what we do about redirecting users on the
>>>>> non-generating masters.
>>>>>
>>>>> We can do it easily with a line like this in Apache:
>>>>>
>>>>> RewriteRule ^/ipa/crl/MasterCRL.bin
>>>>> https://$FQDN:9444/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>>>> [L,R=301,NC]
>>>>>
>>>>> The tricky part is writing this properly. The CA can be added
>>>>> post-install so I don't think simply adding this to ipa-rewrite.conf
>>>>> will work well. Is adding another template configuration file for Apache
>>>>> overkill?
>>>>>
>>>>> rob
>>>>
>>>> Here is my WIP for auto-configuring redirect on clones. It works ok for me and
>>>> isn't too invasive IMHO. The basic idea is to allow proxying of the getCRL
>>>> servlet and redirect to that on requests to the clone server.
>>>>
>>>> Browsing won't work, but you can fetch the MasterCRL.bin with:
>>>>
>>>> # wget --ca-certificate=/etc/ipa/ca.crt
>>>> http://replica.example.com/ipa/crl/MasterCRL.bin
>>>>
>>>> diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
>>>> index 20c0921..8c4f3a9 100644
>>>> --- a/install/conf/ipa-pki-proxy.conf
>>>> +++ b/install/conf/ipa-pki-proxy.conf
>>>> @@ -3,7 +3,7 @@
>>>> ProxyRequests Off
>>>>
>>>> # matches for ee port
>>>> -<LocationMatch
>>>> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
>>>>
>>>>
>>>> +<LocationMatch
>>>> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>>>>
>>>>
>>>> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>>>> NSSVerifyClient none
>>>> ProxyPassMatch ajp://localhost:$DOGTAG_PORT
>>>> @@ -25,3 +25,6 @@ ProxyRequests Off
>>>> ProxyPassMatch ajp://localhost:$DOGTAG_PORT
>>>> ProxyPassReverse ajp://localhost:$DOGTAG_PORT
>>>> </LocationMatch>
>>>> +
>>>> +# Only enable this on servers that are not generating a CRL
>>>> +${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin
>>>> https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
>>>> diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
>>>> index 0ac895e..aabbba3 100644
>>>> --- a/ipaserver/install/cainstance.py
>>>> +++ b/ipaserver/install/cainstance.py
>>>> @@ -1304,7 +1304,11 @@ class CAInstance(service.Service):
>>>>
>>>> def __http_proxy(self):
>>>> template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
>>>> - sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
>>>> + sub_dict = dict(
>>>> + DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
>>>> + CLONE='' if self.clone else '#',
>>>> + FQDN=self.fqdn,
>>>> + )
>>>> template = ipautil.template_file(template_filename, sub_dict)
>>>> with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
>>>> fd.write(template)
>>>
>>> The approach looks OK, just please do not forget to also add CLONE to sub_dict
>>> in ipa-upgradeconfig, it just crashed when I was testing the change:
>>>
>>> CRL tree already moved
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 614, in run_script
>>> return_value = main_function()
>>>
>>> File "/sbin/ipa-upgradeconfig", line 601, in main
>>> upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR
>>> + "ipa-pki-proxy.conf", add=True)
>>>
>>> File "/sbin/ipa-upgradeconfig", line 187, in upgrade
>>> update_conf(sub_dict, filename, template)
>>>
>>> File "/sbin/ipa-upgradeconfig", line 110, in update_conf
>>> template = ipautil.template_file(template_filename, sub_dict)
>>>
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 228, in
>>> template_file
>>> return template_str(f.read(), vars)
>>>
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 215, in
>>> template_str
>>> val = string.Template(txt).substitute(vars)
>>>
>>> File "/usr/lib64/python2.7/string.py", line 172, in substitute
>>> return self.pattern.sub(convert, self.template)
>>>
>>> File "/usr/lib64/python2.7/string.py", line 162, in convert
>>> val = mapping[named]
>>>
>>> The ipa-upgradeconfig command failed, exception: KeyError: 'CLONE'
>>> Unexpected error
>>> KeyError: 'CLONE'
>>>
>>> Martin
>>>
>>
>> Fixed and merged into a single patch.
>>
>> rob
>
> This will crash when upgrading a replica without a CA or server with self-sign:
>
> +
> + crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
> + 'ca.crl.MasterCRL.enableCRLUpdates', '=')
>
> This line can be run only when CA is actually configured.
>
> Martin
>
Right you are. Fixed.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1059-5-crl.patch
Type: text/x-diff
Size: 5049 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121010/5ef4f6e2/attachment.bin>
More information about the Freeipa-devel
mailing list