Require an ipa-ca SAN on 3rd party certs if ACME is enabled #5119
Force-pushed from d3b68b2 to 837fef2
Hello @rcritten ,
Please find comments inline.
@@ -93,6 +131,9 @@ def test_acme_service_not_yet_enabled(self): | |||
['curl', '--fail', self.acme_server], | |||
ok_returncode=22, | |||
) | |||
result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
assert result.returncode == 0 |
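Review bot: the assertion on result.returncode in the last two lines of this hunk adds nothing, since run_command already raises on a non-zero exit unless raiseonerr=False is passed, and it leaves the interesting property unchecked: at this point ACME should be reported as not enabled. Assert on the status output instead, along the lines of assert "disabled" in result.stdout_text.lower(), adjusted to whatever ipa-acme-manage status actually prints, so the test fails if status exits 0 while reporting the wrong state.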
This check can be removed, the return code for the status command will be 0 anyway.
Yes, I suppose any exception is sufficient in case something goes wrong.
@@ -111,6 +152,10 @@ def test_enable_acme_service(self): | |||
else: | |||
raise exc | |||
|
|||
result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
assert result.returncode == 0 |
This check can be removed, the return code for the status command will be 0 anyway.
done
@@ -252,3 +298,55 @@ def test_disable_acme_service(self): | |||
['curl', '--fail', self.acme_server], | |||
ok_returncode=22, | |||
) | |||
result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
assert result.returncode == 0 |
This check can be removed, the return code for the status command will be 0 anyway.
done
# Enable ACME which should fail since the Apache cert lacks the SAN | ||
result = self.master.run_command(['ipa-acme-manage', 'enable'], | ||
raiseonerr=False) | ||
assert result.returncode == 1 |
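Review bot: asserting only returncode == 1 on the last line lets the test pass for the wrong reason, since 1 is also what ipa-acme-manage returns for "CA is not installed on this server". Check the message as well, for instance assert that result.stderr_text mentions the missing ipa-ca SAN, and if the return codes are renumbered so that the SAN failure gets its own value, pin the assertion to that value rather than the generic 1.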
Shall we make the ipa-acme-manage enable command more robust in this case? Because return code 1 implies "CA is not installed on this server."
I'll look into a new return value for this and ipa-server-certinstall for invalid certificates.
I think I'm going to adjust the return values in ipa-acme-manage 0 is success, 1 is an error, and 2 and 3 replace the current 1/2. ipa-server-certinstall only returns 0 == ok, 1 == error. Since ACME hasn't shipped in an official release IMHO it's fine to change this.
I'm fine with that change also.
Force-pushed from 837fef2 to 351f771
"""Require ipa-ca SAN on replacement web certificates""" | ||
|
||
result = self.master.run_command(['ipa-acme-manage', 'enable']) | ||
assert result.returncode == 0 |
This can be removed as raiseonerr=True is set by default.
assert result.returncode == 1 | ||
|
||
result = self.master.run_command(['ipa-acme-manage', 'disable']) | ||
assert result.returncode == 0 |
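Review bot: ipa-server-certinstall reports every failure as return code 1, so the assertion on the first line of this hunk also passes if the install fails for an unrelated reason, such as a wrong file path or a key that does not match the certificate. Pair it with a check on result.stderr_text for the message about the missing ipa-ca SAN so the test only passes on the failure it is meant to exercise.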
This can be removed as raiseonerr=True is set by default.
Force-pushed from 351f771 to b446090
Just a nitpick, else LGTM.
def test_third_party_certs(self): | ||
"""Require ipa-ca SAN on replacement web certificates""" | ||
|
||
result = self.master.run_command(['ipa-acme-manage', 'enable']) |
Variable result is not used.
removed
result = self.certinstall() | ||
assert result.returncode == 1 | ||
|
||
result = self.master.run_command(['ipa-acme-manage', 'disable']) |
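Review bot: if the assert on result.returncode == 1 three lines above fails, the ipa-acme-manage disable on the last line never runs and ACME stays enabled for every later test in the class, turning one failure into a cascade. Put the certinstall call and its assertion in a try block with the disable call in a finally clause so ACME is always switched back off.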
Variable result is not used.
Force-pushed from b446090 to a50c10d
@frasertweedale do you have any opinions?
Marking this as WIP as the status option will be dependent upon #5170
Haven't tested but the approach seems good to me.
Rebased on top of PR #5170 so we can potentially merge this at or near the same time.
Force-pushed from ba6235b to ddb3520
ACME requires an ipa-ca SAN to have a fixed URL to connect to. If the Apache certificate is replaced by a 3rd party cert then it must provide this SAN otherwise it will break ACME.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Traditionally in IPA 0 = success, 1 = error and then specific error messages follow from that. Shift the ipa-acme-manage return codes for "not installed" and "not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Test that:
1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required

Also verify the ipa-acme-manage status command.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
ACK'ing based on @frasertweedale and @mrizwan93 comments
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
Add a status option to ipa-acme-manage.
https://pagure.io/freeipa/issue/8498
Marking as ipa-next since I'm not sure yet if ACME is going to be backported to ipa-4-8.