Require an ipa-ca SAN on 3rd party certs if ACME is enabled #5119
Conversation
rcritten
force-pushed
the
issue_8498
branch
4 times, most recently
from
d3b68b2
to
837fef2
Compare
| @@ -93,6 +131,9 @@ def test_acme_service_not_yet_enabled(self): | |||
| ['curl', '--fail', self.acme_server], | |||
| ok_returncode=22, | |||
| ) | |||
| result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
| assert result.returncode == 0 | |||
There was a problem hiding this comment.
This check can be removed., the return code for status command will be 0 anyways.
There was a problem hiding this comment.
Yes, I suppose any exception is sufficient in case something goes wrong.
| @@ -111,6 +152,10 @@ def test_enable_acme_service(self): | |||
| else: | |||
| raise exc | |||
|
|
|||
| result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
| assert result.returncode == 0 | |||
There was a problem hiding this comment.
This check can be removed., the return code for status command will be 0 anyways.
| @@ -252,3 +298,55 @@ def test_disable_acme_service(self): | |||
| ['curl', '--fail', self.acme_server], | |||
| ok_returncode=22, | |||
| ) | |||
| result = self.master.run_command(['ipa-acme-manage', 'status']) | |||
| assert result.returncode == 0 | |||
There was a problem hiding this comment.
This check can be removed., the return code for status command will be 0 anyways.
| # Enable ACME which should fail since the Apache cert lacks the SAN | ||
| result = self.master.run_command(['ipa-acme-manage', 'enable'], | ||
| raiseonerr=False) | ||
| assert result.returncode == 1 |
There was a problem hiding this comment.
Shall we make ipa-acme-manage enable command more robust in this case? cause return code 1 implies "CA is not installed on this server."
There was a problem hiding this comment.
I'll look into a new return value for this and ipa-server-certinstall for invalid certificates.
There was a problem hiding this comment.
I think I'm going to adjust the return values in ipa-acme-manage 0 is success, 1 is an error, and 2 and 3 replace the current 1/2. ipa-server-certinstall only returns 0 == ok, 1 == error. Since ACME hasn't shipped in an official release IMHO it's fine to change this.
There was a problem hiding this comment.
I'm fine with that change also.
rcritten
force-pushed
the
issue_8498
branch
from
837fef2
to
351f771
Compare
| """Require ipa-ca SAN on replacement web certificates""" | ||
|
|
||
| result = self.master.run_command(['ipa-acme-manage', 'enable']) | ||
| assert result.returncode == 0 |
There was a problem hiding this comment.
This can be removed as raiseonerr=True is set by default.
| assert result.returncode == 1 | ||
|
|
||
| result = self.master.run_command(['ipa-acme-manage', 'disable']) | ||
| assert result.returncode == 0 |
There was a problem hiding this comment.
This can be removed as raiseonerr=True is set by default.
rcritten
force-pushed
the
issue_8498
branch
from
351f771
to
b446090
Compare
| def test_third_party_certs(self): | ||
| """Require ipa-ca SAN on replacement web certificates""" | ||
|
|
||
| result = self.master.run_command(['ipa-acme-manage', 'enable']) |
There was a problem hiding this comment.
variable result is not used.
| result = self.certinstall() | ||
| assert result.returncode == 1 | ||
|
|
||
| result = self.master.run_command(['ipa-acme-manage', 'disable']) |
There was a problem hiding this comment.
variable result is not used.
rcritten
force-pushed
the
issue_8498
branch
from
b446090
to
a50c10d
Compare
|
@frasertweedale do you have any opionions? |
rcritten
added
needs review
|
Marking this as WIP as the status option will be dependent upon #5170 |
| # Enable ACME which should fail since the Apache cert lacks the SAN | ||
| result = self.master.run_command(['ipa-acme-manage', 'enable'], | ||
| raiseonerr=False) | ||
| assert result.returncode == 1 |
There was a problem hiding this comment.
I'm fine with that change also.
rcritten
added
needs review
|
Rebased on top of PR #5170 so we can potentially merge this at or near the same time. |
rcritten
force-pushed
the
issue_8498
branch
3 times, most recently
from
ba6235b
to
ddb3520
Compare
freeipa-pr-ci
added
the
needs rebase
ACME requires an ipa-ca SAN to have a fixed URL to connect to. If the Apache certificate is replaced by a 3rd party cert then it must provide this SAN otherwise it will break ACME. https://pagure.io/freeipa/issue/8498 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Traditionally in IPA 0 = success, 1 = error and then specific error messages follow from that. Shift the ipa-acme-manage return codes for "not installed" and "not a CA" up by one. https://pagure.io/freeipa/issue/8498 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Test that: 1. With ACME enabled, SAN is required 2. With ACME disabled, SAN is not required Also verify the ipa-acme-manage status command. https://pagure.io/freeipa/issue/8498 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten
added
prioritized
|
ACK'ing based on @frasertweedale and @mrizwan93 comments |
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
Add a status option to ipa-acme-manage.
https://pagure.io/freeipa/issue/8498
Marking as ipa-next since I'm sure yet if ACME is going to be backported to ipa-4-8.