Title: #769: test_caless: add pkinit option and test it
Please add the `xfail` part to another commit, put appropriate tracker tickets to the commit messages. I believe we should probably file a ticket that `ipa-server-certinstall` should add any intermediate CA certs a server cert is signed with and put that one in the `xfail` description so that we don't have a closed ticket there.
See the full comment at https://github.com/freeipa/freeipa/pull/769#issuecomment-302631220
Title: #758: install: fix CA-less PKINIT
Upgrade from 4.4 to 4.5 during external-CA installation prints error messages, related log:
2017-05-19T07:08:04Z INFO [Setup PKINIT]
2017-05-19T07:08:04Z DEBUG raw: ca_is_enabled(version=u'2.225')
2017-05-19T07:08:04Z DEBUG ca_is_enabled(version=u'2.225')
2017-05-19T07:08:04Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2017-05-19T07:08:09Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-05-19T07:08:09Z ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
2017-05-19T07:08:09Z ERROR Failed to configure PKINIT
2017-05-19T07:08:09Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2017-05-19T07:08:14Z DEBUG certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
2017-05-19T07:08:14Z DEBUG Starting external process
but as you can see, CA is enabled and running.
See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-302628299
On Thu, May 18, 2017 at 07:17:51AM +0200, Jan Cholasta wrote:
> Hi Fraser,
> On 18.5.2017 02:26, Fraser Tweedale wrote:
> > Hi all,
> > I'm going to start work on  soon. This ticket is to add support
> > for specifying the desired template (profile) name or OID to use
> > when installing IPA with AD-CS as the external CA. Currently, the
> > template name is hardcoded to "SubCA", which is the default sub-CA
> > template in AD-CS.
> > https://bugzilla.redhat.com/show_bug.cgi?id=1427105
> > This is actually not much work. The most difficult part is to
> > ensure that the CSR extension is properly populated when renewing.
> > But I first want to have a discussion here about the user
> > experience.
> > My first thought was to have a scheme like:
> > --external-ca-type=ms-ca,MyTemplateName # template name
> > --external-ca-type=ms-ca,123.456.21348.13 # template OID
> > --external-ca-type=ms-ca,123.456.21348.13,101 # template OID + major version no
> > --external-ca-type=ms-ca,123.456.21348.13,101,6 # template OID + major version no + minor version no
> > But because --external-ca-type is a Enum knob, I'm not inclined to
> > extend it.
> > Instead, I think I will add another option for
> > specifying these data, e.g.
> > --external-ca-parameters=MyTemplateName
> > --external-ca-parameters=123.456.21348.13,101,6
> > The interpretation of the parameters shall depend on the external CA
> > type. For 'generic', they are ignored. For 'ms-ca', the
> > aforementioned interpretation is used.
> I would prefer a simple --external-ca-profile option rather than a complex
> --external-ca-parameters "god" option with differing behavior based on CA
> type, as the former will continue to work nicely when external CA install is
> handled using certmonger.
Fair enough. My only (minor) concern is the different terminology
("profile" vs "template"). Also if other kinds of options are
needed in future, we'd need yet another option for that, but we
don't need to worry about that now :)
So I will add --external-ca-profile. Thanks for your feedback.
> > ipa-server-install, ipa-ca-install, and ipa-cacert-manage would
> > learn the new option.
> > Any thoughts/feedback?
> Jan Cholasta