pkispawn seems to be work fine but it generates some warnings with python-urllib3-1.10 which is the default on Fedora 22.
$ pkispawn ... ... /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:747: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning)
See https://urllib3.readthedocs.org/en/latest/security.html#insecurerequestwarning
Per 10.2.3 Triage meeting of 02/26/2015: leave here until we know which release is on F22
This issue was encountered on a development build of Dogtag 10.2.2 on an x86_64-based Fedora 21 as well.
Per CS/DS meeting of 03/02/2015: 10.3
As with most security related issue, 'it works' doesn't imply that an operation is secure. The warning means that requests is unable to perform proper X.509 cert validation. The TLS/SSL connection is vulnerable to MitM attacks.
We have three options to fix the issue:
- Require Python 2.7.10 and newer. - Require PyOpenSSL for Python < 2.7.10 and configure urllib3 to use PyOpenSSL - Use NSS instead of OpenSSL, #1360 and https://github.com/tiran/requests_nss
Another option is to perform the proper cert validation by installing the cert chain for pkispawn. The admin could obtain the cert chain manually prior to installation, or the client could download it on the fly and ask the admin to trust it. If the pkispawn is connecting to a local Tomcat instance it just created, it might be able to obtain the cert chain directly from the file system.
The warning is not just about missing trust store. IIRC requests and urllib3 can't perform SNI and host name matching because the features are not available in Python 2.7.8 and older. Starting with Python 2.7.9 (not 2.7.10) the features are available.
With my code https://github.com/tiran/requests_nss we could use the NSS db for both client certs and trust anchors. It's probably easier than to force an admin to download and install even more certs.
Per Dogtag 10.2.6 TRIAGE meeting of 06/30/2015: 10.2.6 (critical)
Downgrading to 'major' per discussions.
Per impromptu 10.2.6 meeting of 7/17/2025: 10.2.7
Per CS/DS Meeting of 08/03/2015, it was determined that the bug identified a duplicate issue -- this issue must be:
Fixed temporarily in master: a6423245a01217a295091407dfcb8fe79e019342
The proper cert validation will be implemented in a separate ticket.
Modified in 10.2.6-5.
See also ticket #2242.
Metadata Update from @edewata: - Issue assigned to cheimes - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1815
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.