freeipa

Clone
Source Code
GIT

#3897 ipa-replica-prepare should not prompt for pkcs12 pin when dogtag is installed as internal CA
Closed: Fixed None Opened 10 years ago by mkosek.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1002639

This is a follow up for #3717.

We have a replica test that is running a command similar to this:

ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin='''

This ipa-replica-prepare still  seems to work on older builds ok IPA, but on newer versions seems to kick back asking the end user for a unknown password.

When I manually run this process, I get the following output:

[root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d
replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/configure.jar
realm_info/pwdfile.txt
realm_info/dscert.p12
realm_info/http_pin.txt
realm_info/krb.js
realm_info/ra.p12
realm_info/dogtag_directory_port.txt
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.orig
realm_info/kerberosauth.xpi
realm_info/dogtagcert.p12
realm_info/cacert.p12
realm_info/httpcert.p12
realm_info/preferences.html
realm_info/realm_info
realm_info/ca.crt
[root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123
--ip-address=1.2.3.5 ipaqavmc.testrelm.com
--dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin=''
--http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Enter realm_info/httpcert.p12 unlock password:

incorrect password for pkcs#12 file realm_info/httpcert.p12

After giving this some thought, I don't think this ticket makes sense. If PKCS!#12 files are provided, their password must be provided as well, there is no way around this. The ticket should say either "Allow PKCS!#12 files with empty password" or "Don't allow PKCS!#12 files in ipa-replica-prepare if IPA CA is configured". I prefer the former, as we already allow installing PKCS!#12 files when IPA CA is configured using ipa-server-certinstall.

I think it is the first, they want empty passwords. We can push back on this, empty passwords on a PKCS#12 file are bad as it contains private keys.

I think the option to provide to prepare should still be there, esp for the DS certificates as that is required to set up replication, and without that the installation won't succeed.

IMO we should follow the "generous on input, strict on output" principle and allow empty passwords in this case.

ipa-3-3:

  • c6113ab Add tests for installing with empty PKCS#12 password
  • 951265d Allow PKCS#12 files with empty password in install tools.
  • c2b0f81 Read passwords from stdin when importing PKCS#12 files with pk12util.

master:

  • 3a4a745 Add tests for installing with empty PKCS#12 password
  • 194556b Allow PKCS#12 files with empty password in install tools.
  • c123264 Read passwords from stdin when importing PKCS#12 files with pk12util.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
None
None
IPA
None
1
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1002639
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.