ipa-replica-prepare fix #574

Closed
wants to merge 2 commits into from
Conversation

@stlaz stlaz (Contributor) commented Mar 13, 2017

A regression was introduced in 0a54fac. Fix + don't fail if either file was not created during server-cert creation.

Fixes an issue introduced in 0a54fac: we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other server's Server-Cert.

https://pagure.io/freeipa/issue/6755
```python
for fname in (self.certreq_fname, self.certder_fname):
    try:
        os.unlink(fname)
    except Exception:
```
Contributor (review comment on this line):

Shame! Too broad exception, use OSError instead.

This should help with debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755
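The two points raised above, a cleanup that does not fail when the cert request or the certificate was never written, while still catching only `OSError` so that caller bugs keep surfacing, as an added example. This is not FreeIPA's code: the function names, the logger name and the constructed file layout are hypothetical, chosen only to exercise the missing-file, non-ENOENT and non-OSError paths.

```python
"""Tolerant cleanup of temporary certificate artefacts (added example).

Not FreeIPA code. Demonstrates:
  - a missing file (ENOENT) is expected when cert creation failed earlier
    and must not turn the cleanup itself into a second failure;
  - any other OSError is reported but does not abort cleaning the rest;
  - exceptions that are not OSError (a caller bug) propagate instead of
    being swallowed by a bare `except Exception`.
"""
import errno
import logging
import os
import tempfile

log = logging.getLogger("replica_prepare_cleanup")  # hypothetical logger name


def remove_if_present(*paths):
    """Unlink each path and return the list of paths actually removed.

    ENOENT is logged at debug level and skipped; other OSErrors (EACCES,
    EISDIR, EPERM, ...) are logged as warnings and the loop continues.
    Anything that is not an OSError is re-raised untouched.
    """
    removed = []
    for fname in paths:
        try:
            os.unlink(fname)
        except OSError as e:
            if e.errno == errno.ENOENT:
                log.debug("%s does not exist, nothing to remove", fname)
            else:
                log.warning("could not remove %s: %s", fname, e.strerror)
        else:
            removed.append(fname)
    return removed


def cleanup_after_failed_cert_creation():
    """Constructed scenario: the CSR was written, the DER certificate never
    was, and a stray directory sits where a file was expected.
    Returns the basenames of what was removed."""
    with tempfile.TemporaryDirectory() as tmpdir:
        certreq = os.path.join(tmpdir, "server.csr")    # hypothetical names
        certder = os.path.join(tmpdir, "server.der")
        stray_dir = os.path.join(tmpdir, "not-a-file")
        with open(certreq, "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE REQUEST-----\n")  # constructed
        os.mkdir(stray_dir)
        removed = remove_if_present(certreq, certder, stray_dir)
        return sorted(os.path.basename(p) for p in removed)


def programming_errors_propagate():
    """A None path is a caller bug: os.unlink raises TypeError, which a
    bare `except Exception` would have hidden. Returns True if it surfaced."""
    try:
        remove_if_present(None)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(cleanup_after_failed_cert_creation())
    print(programming_errors_propagate())
```

Checking `e.errno` against `errno.ENOENT` rather than catching `FileNotFoundError` keeps the same behaviour on Python 2 and 3, which mattered for FreeIPA at the time of this PR; on Python 3 alone, `except FileNotFoundError` followed by `except OSError` reads the same way.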
@MartinBasti MartinBasti (Contributor) commented Mar 13, 2017

Can this be caused by your patch?

```
error exporting Server certificate: Command '/usr/bin/openssl pkcs12 -export -name KDC-Cert -in /tmp/tmpmS5rCkipa/realm_info/kdc.pem -out /tmp/tmpmS5rCkipa/realm_info/pkinitcert.p12 -passout file:/tmp/tmpmS5rCkipa/realm_info/pkinit_pin.txt' returned non-zero exit status 1
```

debug output:

```
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/openssl pkcs12 -export -name KDC-Cert -in /tmp/tmpoPdGSUipa/realm_info/kdc.pem -out /tmp/tmpoPdGSUipa/realm_info/pkinitcert.p12 -passout file:/tmp/tmpoPdGSUipa/realm_info/pkinit_pin.txt
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=Error opening input file /tmp/tmpoPdGSUipa/realm_info/kdc.pem
/tmp/tmpoPdGSUipa/realm_info/kdc.pem: No such file or directory

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: error exporting Server certificate: Command '/usr/bin/openssl pkcs12 -export -name KDC-Cert -in /tmp/tmpoPdGSUipa/realm_info/kdc.pem -out /tmp/tmpoPdGSUipa/realm_info/pkinitcert.p12 -passout file:/tmp/tmpoPdGSUipa/realm_info/pkinit_pin.txt' returned non-zero exit status 1
```

@stlaz stlaz (Contributor, Author) commented Mar 13, 2017

Very unlikely but I'll investigate.

@stlaz stlaz (Contributor, Author) commented Mar 13, 2017

My wild guess is that it might be caused by ba3c201 but not by this patchset as it does not touch it.

@stlaz stlaz (Contributor, Author) commented Mar 14, 2017

Actually, this is most probably a privilege-separation issue since "kdc.pem" which we try to read here does not exist ever since.

edit: Scratch that, I have no idea whether this ever worked.

@stlaz stlaz (Contributor, Author) commented Mar 14, 2017

@MartinBasti should be fixed in #580

@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label Mar 14, 2017
@MartinBasti MartinBasti (Contributor) commented:

master:

  • 992e6ec Fix ipa-replica-prepare server-cert creation
  • 8980f40 Don't fail more if cert req/cert creation failed

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Mar 14, 2017
@stlaz stlaz deleted the prepare_fix branch September 11, 2017 10:47