
Refactor installer code requesting certificates #219

Closed
wants to merge 2 commits into from

Conversation

flo-renaud
Copy link
Contributor

@flo-renaud flo-renaud commented Nov 9, 2016

With this PR, the certificates requested during server installation are now consistently obtained through certmonger (applies to HTTP/LDAP and renew agent cert).

Part of the refactoring effort, certificates sub-effort.
Reviewed at https://github.com/dkupka/freeipa/pull/2

https://fedorahosted.org/freeipa/ticket/6433

…enew-agent

This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used
before Kerberos is configured.
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433
@frasertweedale
Copy link
Contributor

frasertweedale commented Nov 10, 2016

Although there are no conflicts with master, there are problems when the patches are rebased. Server installation (CA-ful) fails when requesting the RA certificate.

2016-11-10T04:58:02Z DEBUG   [16/30]: requesting RA certificate from CA
2016-11-10T04:58:02Z DEBUG Starting external process
2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs -out /var/lib/ipa/tmpyozdnw
2016-11-10T04:58:02Z DEBUG Process finished, return code=0
2016-11-10T04:58:02Z DEBUG stdout=
2016-11-10T04:58:02Z DEBUG stderr=
2016-11-10T04:58:03Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2016-11-10T04:58:08Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:13Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:18Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:23Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:28Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:33Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:38Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:43Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:48Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:53Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:58Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:59:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 830, in __request_ra_certificate
    post_command='renew_ra_cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in request_and_wait_for_cert
    state = wait_for_request(reqId, timeout=60)
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in wait_for_request
    raise RuntimeError("request timed out")
RuntimeError: request timed out

@flo-renaud
Copy link
Contributor Author

Hi Fraser,
can you check if the renewal lock was released after the last uninstallation? The file /var/run/ipa/renewal.lock should display something like

cat /var/run/ipa/renewal.lock
[lock]
locked = 0


If it is showing instead that the lock is taken, then the install will fail on timeout.
I wonder whether I should clean this file at the beginning of the installation, to avoid this specific issue.
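The lock-file check suggested above, as an added example (not FreeIPA code): it parses the ini-style /var/run/ipa/renewal.lock shown in the comment (a [lock] section with a "locked" key) and reports whether a stale lock would block the next installation. The sample file contents are constructed for illustration; the path is the one named in the comment.

```python
"""Check whether the IPA certmonger renewal lock is held.

Added example, not FreeIPA code. The lock file format ([lock] section,
"locked" key) is the one shown in the comment above; sample contents
below are constructed.
"""
import configparser
import os

LOCK_FILE = "/var/run/ipa/renewal.lock"  # path from the comment above

# Constructed sample contents: a released lock and a stale, held lock.
SAMPLE_RELEASED = "[lock]\nlocked = 0\n"
SAMPLE_HELD = "[lock]\nlocked = 1\n"


def lock_is_held(content):
    """Return True if the lock file content says the lock is taken.

    A missing [lock] section, a missing "locked" key or a non-integer
    value is reported as held, so a corrupt file is surfaced instead of
    being silently treated as released.
    """
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(content)
        return parser.getint("lock", "locked") != 0
    except (configparser.Error, ValueError):
        return True


def check_lock_file(path=LOCK_FILE):
    """Return (exists, held) for the lock file at path.

    A file that does not exist cannot block an installation.
    """
    if not os.path.exists(path):
        return (False, False)
    with open(path) as f:
        return (True, lock_is_held(f.read()))


if __name__ == "__main__":
    exists, held = check_lock_file()
    if not exists:
        print("%s: not present" % LOCK_FILE)
    elif held:
        print("%s: lock is HELD; a cert request may time out" % LOCK_FILE)
    else:
        print("%s: lock released" % LOCK_FILE)
```

Run it as root on the server before re-running ipa-server-install; if it reports the lock as held after a clean uninstall, that is the stale-lock condition the comment describes.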

@HonzaCholasta
Copy link
Contributor

Can we fix this in a separate PR to unblock the merge of this one?

@frasertweedale
Copy link
Contributor

@jcholast sure, especially if it is related to renewal locks or some other tangential matter.

( @flo-renaud I have not yet confirmed the cause; will get to it tomorrow )

@frasertweedale
Copy link
Contributor

Well I couldn't wait 'til tomorrow so I checked just then. I could not reproduce the issue :)

@flo-renaud
Copy link
Contributor Author

Thanks Fraser!
The patch for renewal lock file deletion is available at
#229

@HonzaCholasta HonzaCholasta added the ack Pull Request approved, can be merged label Nov 10, 2016
@ghost ghost added the pushed Pull Request has already been pushed label Nov 10, 2016
@ghost ghost closed this Nov 10, 2016
@flo-renaud flo-renaud deleted the refactory branch November 10, 2016 13:40
@HonzaCholasta
Copy link
Contributor

Turns out the request does not time out in certmonger, but the 60 seconds wait in request_and_wait_for_cert() is too short.
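To make the failure mode above concrete, here is an added example (not FreeIPA's certmonger.py) of a polling loop with the same shape as the one in the traceback: poll the request state every few seconds and raise RuntimeError("request timed out") once the deadline passes. The clock and sleep are injectable so the two outcomes can be shown without waiting; FakeCertmonger and FakeClock are constructed stand-ins, and the assumption that an issued request ends in the MONITORING state is not taken from this page.

```python
"""Polling a certmonger-style request state against a deadline.

Added example, not FreeIPA code. wait_for_state() mirrors the loop shape
seen in the traceback above; FakeClock and FakeCertmonger are constructed
stand-ins for real time and for the D-Bus request object.
"""
import time

# States seen in the debug log above, plus the assumed final state.
BUSY_STATES = ("NEWLY_ADDED_READING_CERT", "SUBMITTING")
DONE_STATE = "MONITORING"  # assumption: state of an issued request


def wait_for_state(get_state, timeout=60, poll=5,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll get_state() until it leaves BUSY_STATES or `timeout` elapses.

    Returns the final state; raises RuntimeError if the deadline passes
    while the request is still busy.
    """
    deadline = clock() + timeout
    while True:
        state = get_state()
        if state not in BUSY_STATES:
            return state
        if clock() >= deadline:
            raise RuntimeError("request timed out")
        sleep(poll)


class FakeClock:
    """Constructed virtual clock so the example runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeCertmonger:
    """Constructed request that stays in SUBMITTING for `busy_for` seconds."""

    def __init__(self, clock, busy_for):
        self.clock = clock
        self.ready_at = clock() + busy_for

    def get_state(self):
        if self.clock() >= self.ready_at:
            return DONE_STATE
        return "SUBMITTING"


def run(busy_for, timeout):
    """Return the final state, or the error message if the wait gives up."""
    clock = FakeClock()
    req = FakeCertmonger(clock, busy_for)
    try:
        return wait_for_state(req.get_state, timeout=timeout,
                              clock=clock, sleep=clock.sleep)
    except RuntimeError as e:
        return str(e)


if __name__ == "__main__":
    # A CA that needs 90 s fails the 60 s wait but passes a 120 s one.
    print("timeout=60:", run(busy_for=90, timeout=60))
    print("timeout=120:", run(busy_for=90, timeout=120))
```

The point the comment makes is visible in run(): certmonger itself never gives up, the installer does, so with a slow CA the only thing a longer timeout changes is whether the caller is still listening when the certificate arrives.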

@flo-renaud
Copy link
Contributor Author

I updated the patch for renewal lock with a new fix. The timeout needs to be increased, but the lock may also happen because the renewal scripts are run by certmonger during the cert request and should not (for instance for http cert the renewal script restarts httpd while the service is not completely configured).

This pull request was closed.