Don't error in DogtagCertsConnectivityCheck with external CAs #286

rcritten · 2023-03-27T20:46:42Z

The serial number of externally-signed CA's were being checked using ipa-cert-find which invariably would return a not found error.

Instead return SUCCESS to effectively skip the check.

Fixes: #285

flo-renaud

Hi @rcritten
if IPA is installed with embedded CA, the connectivity check can use the RA cert in all the cases (self-signed or externally signed CA), as this cert always exists and can be found with PKI API.

rcritten · 2023-04-07T12:49:29Z

Excellent observation! Implemented.

flo-renaud

Hi @rcritten
thanks for the update. Minor nitpicks, not related to this patch but that could be fixed with it:

line 141, the message is missing a closing }
lines 126, 132 and 138, we could replace the key 'cert_show_1' with 'cert_show_ra'

I tested the following scenarios with an externally-signed CA:

missing RA cert file
RA cert file contains a cert inconsistent with what is stored in LDAP
pki stopped
All the above issues were properly reported.

src/ipahealthcheck/dogtag/ca.py

The purpose of the check is to validate that communication with the CA works. In the past we looked up serial number 1 for this check. The problem is that if the server was installed with RSNv3 so had no predictable CA serial number. It also was broken with externally-issued CA certificate which cannot be looked up in IPA. Instead use the IPA RA agent certificate which should definitely have a serial number in the IPA CA if one is configured. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>

rcritten · 2023-07-18T14:21:39Z

thanks for the update. Minor nitpicks, not related to this patch but that could be fixed with it:
* line 141, the message is missing a closing }

Fixed.

* lines 126, 132 and 138, we could replace the key 'cert_show_1' with 'cert_show_ra'

Done. I modified the test expectations as well, including the typical serial number for the RA (it doesn't really matter in the end but non-zero is more obvious)

flo-renaud

@rcritten
thanks for the update, works for me. I tested the following scenarios with an externally-signed CA:

missing RA cert file
RA cert file contains a cert inconsistent with what is stored in LDAP
pki stopped

All the above issues were properly reported.

rcritten mentioned this pull request Mar 27, 2023

error when the IPA is intialised with an extern CA #285

Closed

flo-renaud reviewed Apr 7, 2023

View reviewed changes

rcritten force-pushed the issue_285 branch from f868bcc to dbe0448 Compare April 7, 2023 12:49

flo-renaud reviewed Apr 17, 2023

View reviewed changes

src/ipahealthcheck/dogtag/ca.py Outdated Show resolved Hide resolved

rcritten force-pushed the issue_285 branch from dbe0448 to ed4a370 Compare July 18, 2023 14:21

flo-renaud approved these changes Jul 19, 2023

View reviewed changes

flo-renaud added the ack label Jul 19, 2023

rcritten merged commit 29855ec into freeipa:master Jul 19, 2023
5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't error in DogtagCertsConnectivityCheck with external CAs #286

Don't error in DogtagCertsConnectivityCheck with external CAs #286

rcritten commented Mar 27, 2023

flo-renaud left a comment

rcritten commented Apr 7, 2023

flo-renaud left a comment

rcritten commented Jul 18, 2023

flo-renaud left a comment

Don't error in DogtagCertsConnectivityCheck with external CAs #286

Don't error in DogtagCertsConnectivityCheck with external CAs #286

Conversation

rcritten commented Mar 27, 2023

flo-renaud left a comment

Choose a reason for hiding this comment

rcritten commented Apr 7, 2023

flo-renaud left a comment

Choose a reason for hiding this comment

rcritten commented Jul 18, 2023

flo-renaud left a comment

Choose a reason for hiding this comment