Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1002639
This is a follow up for #3717.
We have a replica test that is running a command similar to this:

    ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''

This ipa-replica-prepare still seems to work OK on older builds of IPA, but on newer versions seems to kick back asking the end user for an unknown password. When I manually run this process, I get the following output:

    [root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
    gpg: CAST5 encrypted data
    gpg: encrypted with 1 passphrase
    gpg: WARNING: message was not integrity protected
    realm_info/
    realm_info/configure.jar
    realm_info/pwdfile.txt
    realm_info/dscert.p12
    realm_info/http_pin.txt
    realm_info/krb.js
    realm_info/ra.p12
    realm_info/dogtag_directory_port.txt
    realm_info/dirsrv_pin.txt
    realm_info/pwdfile.txt.orig
    realm_info/kerberosauth.xpi
    realm_info/dogtagcert.p12
    realm_info/cacert.p12
    realm_info/httpcert.p12
    realm_info/preferences.html
    realm_info/realm_info
    realm_info/ca.crt
    [root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123 --ip-address=1.2.3.5 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
    Enter realm_info/httpcert.p12 unlock password:
    incorrect password for pkcs#12 file realm_info/httpcert.p12
After giving this some thought, I don't think this ticket makes sense. If PKCS#12 files are provided, their password must be provided as well, there is no way around this. The ticket should say either "Allow PKCS#12 files with empty password" or "Don't allow PKCS#12 files in ipa-replica-prepare if IPA CA is configured". I prefer the former, as we already allow installing PKCS#12 files when IPA CA is configured using ipa-server-certinstall.
I think it is the first, they want empty passwords. We can push back on this, empty passwords on a PKCS#12 file are bad as it contains private keys.
I think the option to provide to prepare should still be there, esp for the DS certificates as that is required to set up replication, and without that the installation won't succeed.
IMO we should follow the "generous on input, strict on output" principle and allow empty passwords in this case.
ipa-3-3:
master:
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)