
Fix RA cert import during DL0 replication #721

Closed
wants to merge 1 commit into from

Conversation

stlaz
Contributor

@stlaz stlaz commented Apr 19, 2017

Previous versions of FreeIPA added a password to the ra.p12 file
contained in the password-protected tarball. This was forgotten
about in the recent changes and is fixed now.

https://pagure.io/freeipa/issue/6878

@@ -400,7 +400,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
self.step("Importing RA key", self.__import_ra_key)
else:
self.step("importing RA certificate from PKCS #12 file",
lambda: self.import_ra_cert(ra_p12))
lambda: self.import_ra_cert(ra_p12,
self.dm_password))
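Review bot: the only thing this hunk changes is that `lambda: self.import_ra_cert(ra_p12, self.dm_password)` now hands the Directory Manager password to the importer, so two preconditions need checking: `self.dm_password` must already be populated when `configure_instance` builds its step list (the step runs later, but the attribute is captured by name, so that part is fine as long as it is set before the step executes), and the export side has to protect ra.p12 with that same password, otherwise the step fails at openssl with a MAC verification error rather than with a message pointing at the real mismatch. A small `__import_ra_cert` helper, as the reviewer suggests, would also give you a place to assert that the password is not None before invoking openssl.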
Contributor

Could you please put this into a __import_ra_cert helper method so we get rid of this ugly lambda expression?

Contributor Author

Ok.

if password is not None:
pwdfile_fd, pwdfile_name = tempfile.mkstemp()
os.write(pwdfile_fd, password)
os.close(pwdfile_fd)
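Review bot: nothing in these lines removes the file that `tempfile.mkstemp()` creates, so `pwdfile_name` must be unlinked in a `finally` block once the openssl call has consumed it; otherwise the Directory Manager password is left on disk under /tmp after the installer finishes. The 0600 mode mkstemp uses and the `-passin file:` form seen in the installer log are the right approach (the password stays out of the process list, unlike `-passin pass:`), but `os.write(pwdfile_fd, password)` needs bytes on Python 3, so encode a str password before writing. Using `ipautil.write_tmp_file`, as suggested below, covers the temp-file handling and keeps this logic in one place.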
Contributor

You can / should use ipautil.write_tmp_file here.

Contributor Author

Will do, did not realize we have such a thing, thanks.

"""
Cloned RAs will use the same RA agent cert as the master so we
need to import from a PKCS#12 file.

Used when setting up replication
"""
pwdarg = 'pass:'
if password is not None:
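Review bot: the `pwdarg = 'pass:'` default turns a missing password into "empty passphrase on the command line", which is a different mechanism from the file-based branch that follows and will still fail MAC verification whenever the bundle was exported with a password. Since the export side is being changed in this PR to protect ra.p12 with the DM password, the None case has no legitimate caller: drop the special case and make `password` mandatory, or at least raise a clear error before calling openssl so the installer does not surface a bare "Mac verify error: invalid password?".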
Contributor

Why is the empty password special cased here?

Contributor Author

We won't need this in the end, this should be reworked.

@HonzaCholasta
Contributor

ipa-replica-install fails for me:

  [2/2]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

ipareplica-install.log says:

2017-04-19T11:28:53Z DEBUG   [2/2]: importing RA certificate from PKCS #12 file
2017-04-19T11:28:53Z DEBUG Starting external process
2017-04-19T11:28:53Z DEBUG args=/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru
2017-04-19T11:28:53Z DEBUG Process finished, return code=1
2017-04-19T11:28:53Z DEBUG stdout=
2017-04-19T11:28:53Z DEBUG stderr=Mac verify error: invalid password?

🤷‍

@HonzaCholasta
Contributor

... because you need to apply the same fix to ReplicaPrepare.export_ra_pkcs12 as well.
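The "Mac verify error: invalid password?" in the log above is exactly what openssl reports when the side that exported the PKCS#12 bundle and the side that imports it disagree on the passphrase. The following Python is an added example, not FreeIPA's own code: it round-trips an RA-style ra.p12 through `openssl pkcs12` with the password supplied via a 0600 temporary file on both the export and the import side, and shows that importing with a wrong password fails with the same error. The helper names, file names and the sample password are assumptions for the demo; it needs the `openssl` binary on PATH and skips the round trip cleanly if it is absent.

```python
"""
Added example (not FreeIPA code): export a PKCS#12 bundle protected by a
password and import its private key with `openssl pkcs12`, passing the
password through a mode-0600 temporary file (`-passin file:` / `-passout
file:`) instead of `pass:` so it never appears on the command line.
All names, paths and the sample password below are assumptions.
"""
import os
import shutil
import subprocess
import tempfile
from contextlib import contextmanager


class PKCS12Error(Exception):
    """openssl pkcs12 failed, e.g. 'Mac verify error: invalid password?'."""


@contextmanager
def password_file(password):
    """Write `password` to a fresh 0600 file and remove it when the block exits.

    mkstemp() creates the file with mode 0600 regardless of umask; the
    finally clause guarantees the secret does not linger in /tmp.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")   # os.write / f.write need bytes on Python 3
    fd, path = tempfile.mkstemp(prefix="p12pw-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(password)
        yield path
    finally:
        os.unlink(path)


def pkcs12_export_cmd(cert_pem, key_pem, p12_out, passfile):
    """Build the bundle; the passphrase is read from passfile, not argv."""
    return ["openssl", "pkcs12", "-export", "-in", cert_pem, "-inkey", key_pem,
            "-out", p12_out, "-passout", "file:" + passfile]


def pkcs12_import_key_cmd(p12_in, key_out, passfile):
    """Same shape as the command in the ipareplica-install.log excerpt."""
    return ["openssl", "pkcs12", "-in", p12_in, "-nocerts", "-nodes",
            "-out", key_out, "-passin", "file:" + passfile]


def run_openssl(cmd):
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise PKCS12Error(proc.stderr.strip() or "openssl exited %d" % proc.returncode)
    return proc.stdout


def export_ra_pkcs12(cert_pem, key_pem, p12_out, password):
    with password_file(password) as pwfile:
        run_openssl(pkcs12_export_cmd(cert_pem, key_pem, p12_out, pwfile))
    return p12_out


def import_ra_key(p12_in, key_out, password):
    with password_file(password) as pwfile:
        run_openssl(pkcs12_import_key_cmd(p12_in, key_out, pwfile))
    return key_out


def password_file_properties(password="x"):
    """(mode bits, content, exists-after-block) for the temporary password file."""
    with password_file(password) as path:
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as f:
            content = f.read()
    return mode, content, os.path.exists(path)


def openssl_available():
    return shutil.which("openssl") is not None


def roundtrip_demo(password="Secret123"):
    """Export with one password, then import with the right and a wrong one.

    Returns None when openssl is not installed, True when the correct
    password yields a key and the wrong one raises PKCS12Error.
    """
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as d:
        cert, key, p12 = (os.path.join(d, n) for n in ("cert.pem", "key.pem", "ra.p12"))
        # throwaway self-signed certificate standing in for the RA agent cert
        run_openssl(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                     "-keyout", key, "-out", cert, "-subj", "/CN=ra-demo", "-days", "1"])
        export_ra_pkcs12(cert, key, p12, password)
        out = import_ra_key(p12, os.path.join(d, "ra-agent.key"), password)
        with open(out) as f:
            if "PRIVATE KEY" not in f.read():
                raise PKCS12Error("key was not extracted")
        try:
            import_ra_key(p12, os.path.join(d, "wrong.key"), "not-the-password")
        except PKCS12Error:
            return True          # openssl reports the MAC failure, as in the thread
        raise PKCS12Error("import with the wrong password unexpectedly succeeded")
```

The point the thread arrives at is that `export_ra_pkcs12` and `import_ra_key` must be given the same password; the file-based `-passin`/`-passout` is a matter of not leaking that password through `ps`, and the context manager is what keeps it from being left on disk.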

@stlaz
Contributor Author

stlaz commented Apr 19, 2017

Silly me 🙄

@HonzaCholasta HonzaCholasta added the ack Pull Request approved, can be merged label Apr 19, 2017
@HonzaCholasta
Contributor

master:

  • 6f0a622 Fix RA cert import during DL0 replication

ipa-4-5:

  • 3f70baf Fix RA cert import during DL0 replication

@HonzaCholasta HonzaCholasta added the pushed Pull Request has already been pushed label Apr 19, 2017
@stlaz stlaz deleted the dom0_replfix branch July 7, 2017 12:18