URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
* Dogtag certificates and RA certificate renewal is broken:

  ```
  ca-error: Server at "https://vm-226.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
  ```

  This is because certmonger's `/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit` expects an `ipaCert` in `/etc/httpd/alias`.

* CA-less server install fails:

  ```
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```

  ```
  2017-01-03T05:21:43Z DEBUG Starting external process
  2017-01-03T05:21:43Z DEBUG args=/usr/bin/certutil -d /var/lib/ipa/radb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
  2017-01-03T05:21:43Z DEBUG Process finished, return code=255
  2017-01-03T05:21:43Z DEBUG stdout=
  2017-01-03T05:21:43Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
  ```

  If I work around the above, it fails further down with:

  ```
  trying https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json
  Forwarding 'schema' to json server 'https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json'
  No valid Negotiate header in server response
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed!
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270059781