New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:
"Failed to get request: bus, object_path and dbus_interface
must not be None."
This was often seen during upgrades.
Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.
https://pagure.io/freeipa/issue/7870
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.
Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Certmonger has hard-coded defaults for key size and key type. In case a
request does not contain these values, certmonger uses 2048 RSA keys.
Since the CA now has 3072, it will also rekey the CA to 2048 instead of
resubmitting with the existing 2048 bit key.
Use key-size and key-type from the existing request when resubmitting.
Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.
A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.
Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.
This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument. Perform a small refactor to
improve these functions.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:
X509v3 Basic Constraints: critical
CA:TRUE
Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.
Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.
https://pagure.io/freeipa/issue/7088
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently, it was only possible to request an NSS certificate
via certmonger. Merged start_tracking methods and refactored them
to allow for OpenSSL certificates tracking.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.
The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.
Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
https://fedorahosted.org/freeipa/ticket/6514
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
