freeipa.git/ipalib/install/certmonger.py, branch fix_ber_scanf FreeIPA patches Replace replication_wait_timeout with certmonger_wait_timeout 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T17:31:32+00:00 faf34fcdfd78208726e3e8586186f34e7c44d732 The variable is intended to control the timeout for replication events. If someone had significantly reduced it via configuration then it could have caused certmogner requests to fail due to timeouts. Add replication_wait_timeout, certmonger_wait_timeout and http_timeout to the default.conf man page. Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Pass token_name to certmonger 2019-04-25T06:57:58+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T11:47:38+00:00 8686cd3b4b69f725aee05c9cdd3034d7436055d3 For HSM support, IPA has to pass the token name for CA and subsystem certificates to certmonger. For now, only the default 'internal' token is supported. Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reuse key type and size in certmonger resubmit 2019-04-16T14:51:40+00:00 Christian Heimes cheimes@redhat.com 2019-04-16T09:37:51+00:00 00a7868fa4011a0639bf96d23225c4203980bfb3 Certmonger has hard-coded defaults for key size and key type. In case a request does not contain these values, certmonger uses 2048 RSA keys. Since the CA now has 3072, it will also rekey the CA to 2048 instead of resubmitting with the existing 2048 bit key. Use key-size and key-type from the existing request when resubmitting. Related: https://pagure.io/freeipa/issue/6790 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Certmonger has hard-coded defaults for key size and key type. In case a
request does not contain these values, certmonger uses 2048 RSA keys.
Since the CA now has 3072, it will also rekey the CA to 2048 instead of
resubmitting with the existing 2048 bit key.

Use key-size and key-type from the existing request when resubmitting.

Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Py3: Remove subclassing from object 2018-09-27T09:49:04+00:00 Christian Heimes cheimes@redhat.com 2018-09-26T09:59:50+00:00 b431e9b684df11c811892bd9d2a5711355f0076e Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Auto-retry failed certmonger requests 2018-07-09T18:15:18+00:00 Christian Heimes cheimes@redhat.com 2018-07-08T09:53:58+00:00 1fa2a7cd41095295ebee5cd3b280507580ba8fbb During parallel replica installation, a request sometimes fails with CA_REJECTED or CA_UNREACHABLE. The error occur when the master is either busy or some information haven't been replicated yet. Even a stuck request can be recovered, e.g. when permission and group information have been replicated. A new function request_and_retry_cert() automatically resubmits failing requests until it times out. Fixes: https://pagure.io/freeipa/issue/7623 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.

A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.

Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add absolute_import future imports 2018-04-20T07:43:37+00:00 Stanislav Laznicka slaznick@redhat.com 2018-04-05T07:21:16+00:00 b5bdd07bc54ca557491652ce61011ae6aa3eb592 Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove main function from the certmonger library 2018-02-21T06:57:40+00:00 Rob Crittenden rcritten@redhat.com 2017-11-30T20:48:10+00:00 a0407f75f9b25c265008e907c7f97e2e4b0fa6e8 This was useful during initial development and as a simple in-tree unit test but it isn't needed anymore. Related: https://pagure.io/freeipa/issue/3757 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Increase dbus client timeouts during CA install 2017-10-18T15:55:25+00:00 John Morris john@zultron.com 2017-09-13T16:27:48+00:00 a2dea5a56daaf04b1066b2b6ea8c503a8de10474 When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR #1078 [1] and FreeIPA container issue #157 [2]. Upstream ticket at [3]. [1]: https://github.com/freeipa/freeipa/pull/1078 [2]: https://github.com/freeipa/freeipa-container/issues/157 [3]: https://pagure.io/freeipa/issue/7213 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.

The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.

This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).

See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2].  Upstream ticket at [3].

[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
certmonger: add support for MS V2 template 2017-10-04T08:09:18+00:00 Fraser Tweedale ftweedal@redhat.com 2017-08-22T05:39:53+00:00 560ee3c0b512cbb8cdc4099a81204e745a515f7c Update certmonger.resubmit_request() and .modify() to support specifying the Microsoft V2 certificate template extension. This feature was introduced in certmonger-0.79.5 so bump the minimum version in the spec file. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.

This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
certmonger: refactor 'resubmit_request' and 'modify' 2017-10-04T08:09:18+00:00 Fraser Tweedale ftweedal@redhat.com 2017-08-22T05:39:21+00:00 2207dc5c172710471f3c7c77242cb2ba1fcfa779 certmonger.resubmit_request() and .modify() contain a redundant if statement that means more lines of code must be changed when adding or removing a function argument. Perform a small refactor to improve these functions. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument.  Perform a small refactor to
improve these functions.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>