[Freeipa-users] Reports and questions

Rob Crittenden rcritten at redhat.com
Mon May 3 15:38:38 UTC 2010


Marc Schlinger wrote:
> Hello,
> 
> I tried to install freeipa with certs management. I did manage after a 
> problem.
> 
> 1°) The installation was unable to finish on a French localized system.
> The error at stage [3/15]: configuring certificate server instance was 
> something like
> 
> java.utils.MissingResourceException can't find bundle for base name 
> LogMessages, locale fr_FR.UTF-8
> full log at the end
> 
> It's a dogtag error but since I had it while installing freeipa, I 
> report it to you.
> 
> Finally, for the installation I used a fresh Fedora 12 with en_US.UTF-8 
> locales, rpms version was 1.9.0GIT3620135-0.fc12,
> and I activated the testing repos as advised in this thread: 
> [Freeipa-users] call implemented methods via xml-rpc.

Yes, I have this on my list to try to work around. I'm going to set the 
en_US locale while we're installing dogtag, I just don't know what this 
will do post-installation, if things will again blow up.

I opened a new bug on this against dogtag, 
https://bugzilla.redhat.com/show_bug.cgi?id=588375

> 
> I tried to play a little with certificates mostly to replace puppet 
> certificate management by the freeipa ones
> 2°) I wasn't able to do an ipa cert-request 
> --principal=my/test.domain.com my.csr
> I had this error:
> ipa: ERROR: Certificate operation cannot be completed: Failure decoding 
> Certificate Signing Request
> 
> It seems that it was a forgotten line in ipalib/pkcs10.py
> Here's the patch:
> 
> --- /tmp/pkcs10.py    2010-05-03 16:02:22.929018799 +0200
> +++ ipalib/pkcs10.py    2010-05-03 16:02:09.855940583 +0200
> @@ -52,6 +52,7 @@
>          namedtype.NamedType('universalString', 
> char.UniversalString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
> MAX))),
>          namedtype.NamedType('utf8String', 
> char.UTF8String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
> MAX))),
>          namedtype.NamedType('bmpString', 
> char.BMPString().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
> MAX))),
> +        namedtype.NamedType('ia5string', 
> char.IA5String().subtype(subtypeSpec=constraint.ValueSizeConstraint(1, 
> MAX))),
>          )
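
Review bot: The added alternative is named 'ia5string' in all lower case, while the neighbouring alternatives in this hunk use camelCase ('universalString', 'utf8String', 'bmpString'); naming it 'ia5String' would keep lookups by component name consistent. The new line should also carry a short comment explaining why IA5String is accepted, since a reader comparing this list with the DirectoryString definition will not find that type there.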

Hmm. The python-pyasn1 x509.py sample has ia5string defined as well but 
it isn't in RFC 3280 as a supported type for DirectoryString. I can go 
ahead and add it in. Can you send me a certificate that is not being 
parsed by the current pkcs10 module?

> That's all for the report, now I have a question:
> 
> Is/Will freeipa integrate smart token authentication?
> In this page : http://freeipa.org/page/Certificate_Management
> You said that "There is no requirement to provision user certificates.". 
> Smart key authentication requires user certificates.

We aren't planning on supporting client certificates for v2. We may add 
support at some point but it hasn't been planned, designed, etc. Since 
we use dogtag if/when we implement support for client certs then tokens 
should be part of that.

rob
