[Freeipa-devel] [PATCH] 123 Use http instead of https for OCSP and CRL URLs in IPA certificate profile

Simo Sorce simo at redhat.com
Tue Apr 9 14:19:23 UTC 2013


On Tue, 2013-04-09 at 16:02 +0200, Martin Kosek wrote:
> On 04/08/2013 05:09 PM, Martin Kosek wrote:
> > On 04/08/2013 03:47 PM, Dmitri Pal wrote:
> >> On 04/08/2013 08:42 AM, Martin Kosek wrote:
> >>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
> >>>> On 8.4.2013 10:47, Jan Cholasta wrote:
> >>>>> Hi,
> >>>>>
> >>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
> >>>>>
> >>>>> Honza
> >>>>>
> >>>> Re-sending with correct subject.
> >>>>
> >>> I tested the change both for upgrades and for fresh installs and it worked fine
> >>> both cases, even when testing with Firefox enforcing mode.
> >>>
> >>> So far, as the biggest issue in current process I see NSS not being able to
> >>> fallback to other defined OCSP responder (I tested with Firefox 20). This way,
> >>> Firefox will fail validating the FreeIPA site when the first tested OCSP
> >>> responder is not available (e.g. the original IPA CA signing the http cert, or
> >>> an `ipa-ca.$domain` host that is currently not up).
> >>
> >> Have we filed a ticket with FF?
> > 
> > AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug open for NSS:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=797815
> > 
> > Rob seems to have more context about this bug background.
> > 
> > Martin
> >
> 
> We may want to wait with pushing this patch until we get some response in the
> NSS Bugzilla above. If our request is rejected, we may be forced to use just a
> single CRL/OCSP (which would be probably the general one) and thus supersede
> patch 123.

Well it will have to depend on when you create certs.
The first IPA server own cert should probably point at the ipa server
name. Then we should warn in bold letters that the user should create
such and such a DNS name if they did not let IPA handle DNS.

If we can handle DNS then any other use can refer to the common name
which can be an A name with multiple entries (each IPA CA server should
be listed there by default and the record should be changed at ca
replicas install/decommission time, however we should allow admins to
> add/remove names as well manually in case they want to add proxies or
> conceal some of the CA servers).

We may also want to change the RA client code to use that record to
fetch certs.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
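The two behaviours discussed above, as an added example that is not part of this thread or of FreeIPA's own code: a profile-side check of an OCSP/CRL URL (the patch's http-versus-https point, since an https responder would need its own certificate validated first), and a client that walks every address behind a multi-address `ipa-ca.$domain` A record instead of stopping at the first unreachable responder, which is the fallback Martin observed NSS does not do. The A record contents, the reachability outcomes and the hostname `ipa-ca.example.test` are constructed for the example; no network access happens.

```python
"""Added example (not FreeIPA code): OCSP/CRL responder URL checks and
address fallback, modelling the behaviour discussed in the thread."""
from urllib.parse import urlparse

# Constructed sample data: the addresses behind the shared CA name (one
# entry per CA replica) and the simulated outcome of probing each address.
CONSTRUCTED_A_RECORD = {
    "ipa-ca.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}
CONSTRUCTED_REACHABILITY = {
    "192.0.2.10": False,  # first replica down: where a non-falling-back client stops
    "192.0.2.11": True,
    "192.0.2.12": True,
}


def check_profile_url(url):
    """Return a list of problems with an OCSP/CRL URL as it would be written
    into a certificate profile (AIA / CRL distribution point)."""
    issues = []
    parsed = urlparse(url)
    if parsed.scheme == "https":
        # Validating the responder's own TLS certificate may need the very
        # OCSP/CRL service being contacted, so plain http is the usual choice.
        issues.append("https responder URL: revocation check of its TLS cert is circular")
    elif parsed.scheme != "http":
        issues.append("unexpected scheme %r" % parsed.scheme)
    if not parsed.hostname:
        issues.append("URL has no hostname")
    return issues


def resolve(hostname, a_records=CONSTRUCTED_A_RECORD):
    """Stand-in for DNS resolution over the constructed A record set."""
    return list(a_records.get(hostname, []))


def first_reachable(url, reachability=CONSTRUCTED_REACHABILITY,
                    a_records=CONSTRUCTED_A_RECORD):
    """Emulate a client that tries every address of the responder name in
    turn. Returns (address that answered or None, addresses tried)."""
    host = urlparse(url).hostname
    tried = []
    for addr in resolve(host, a_records):
        tried.append(addr)
        if reachability.get(addr, False):
            return addr, tried
    return None, tried


def decommission_replica(hostname, addr, a_records):
    """Drop a replica's address from the shared name, as the thread proposes
    should happen at CA replica decommission time. Returns the new list."""
    remaining = [a for a in a_records.get(hostname, []) if a != addr]
    a_records[hostname] = remaining
    return remaining


if __name__ == "__main__":
    url = "http://ipa-ca.example.test/ca/ocsp"
    print(check_profile_url(url), check_profile_url(url.replace("http:", "https:")))
    print(first_reachable(url))
```

`first_reachable` is the behaviour an NSS-based client would need for the multi-address record to provide any redundancy; with the constructed data it skips the first, unreachable replica and succeeds on the second, whereas a client that stops at the first failure would report the site as unverifiable.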