Re: [Pki-users] Inquiry: Can Dog Tag issue a certificate for windows users and computers?
by Fraser Tweedale
On Fri, Dec 21, 2018 at 03:27:59PM +0800, fu-hong-quan(a)pacific-textiles.com wrote:
> Hi,
>
> I came across your blog and know that you're working on FreeIPA and Dog
> Tag PKI. So as we know MS CA is a pretty good PKI and it's powered by Group
> Policy of Active Directory; users can easily request, issue and renew a
> certificate. So my question is: does Dog Tag have the same function? Issuing
> and renewing certs for Windows users? e.g. sending a request when the user's
> computer is and the user is logging on?
>
> -Thanks,
>
Hi,
(Cc pki-users(a)redhat.com mailing list for visibility)
I don't know enough about exactly what Windows does to request certs
against AD. Ultimately it will depend on the enrolment protocol,
what authentication mechanism is used, and so on.
If you can find out more about that, or point me to documentation,
I'll be better able to explain how Dogtag could meet the need (or
not).
Cheers,
Fraser
Configuring pagesize/max request for LDAP certificate searches
by Jared Ledvina
Hi!
I've been looking into why on our production FreeIPA v4.5.4 installation, 'ipa host-del --updatedns FQDN' operations take 2-5 minutes per host. While looking into this I've discovered a variety of issues that I've fixed along the way. This appears to be the last significant one that I'm unable to sort out.
During an IPA host deletion, it looks like FreeIPA has pki-tomcat revoke all issued certificates for the host being deleted. In our setup, this results in ~10 seconds of paginated LDAP searches to a VLV index per certificate. Typically, a host will have around 5-7 certificates issued and active for it. From the 389-ds access logs, we see entries like this:
https://paste.fedoraproject.org/paste/60eEuw1ldZh7SZyoIEqUCw
and then in the pki-tomcat debug logs, there are corresponding entries (matched by timestamp) like this:
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: getEntries: exception java.lang.ClassCastException
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList: entries: 2000
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getPage(11995)
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getEntries()
Since the search result etimes according to LDAP are really quick (sub 0.0## seconds), I think the easiest way to speed these up would be to increase the page size / max request limit pki-tomcat is using when it queries LDAP.
From my tracing through the code, I think that would involve setting this:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server...
which might be used in:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server...
Has anyone looked at this code path before? 2000 seems like a sane default, but we have 133,934+ entries and counting in our ou=certificateRepository,ou=ca,o=ipaca, so paging through those results for each issued certificate takes a noticeable amount of time.
Of course, if any other information would help, let me know, more than happy to provide it!
Thanks,
Jared
--
Jared Ledvina
jared(a)techsmix.net
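To put numbers on the pattern Jared describes (tiny per-search etime, but many round trips per certificate), here is an added example that is not code from the thread, from FreeIPA, from Dogtag or from 389-ds. It assumes the usual 389-ds access log layout, in which a SRCH line and its RESULT line share the same conn= and op= values and RESULT carries nentries= and etime=. The log lines below are constructed to resemble that pattern; they are not the contents of the paste link.

```python
"""Summarise paged LDAP searches from 389-ds access log lines.

Added example; assumes the standard 389-ds access log layout described in the
lead-in. The sample log and the 133,934-entry / 2000-per-page figures are the
numbers from the thread, not measurements of a real instance.
"""
import re
from collections import defaultdict
from datetime import datetime

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"

# Constructed sample: conn=71 walks the certificate repository in 2000-entry
# pages with ~1.3 s of client-side work between pages; conn=72 is one fast,
# narrowly filtered lookup for contrast.
SAMPLE_LOG = """\
[04/Dec/2018:18:38:28.100000000 +0000] conn=71 op=10 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs=ALL
[04/Dec/2018:18:38:28.104000000 +0000] conn=71 op=10 RESULT err=0 tag=101 nentries=2000 etime=0.004
[04/Dec/2018:18:38:29.400000000 +0000] conn=71 op=11 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs=ALL
[04/Dec/2018:18:38:29.403000000 +0000] conn=71 op=11 RESULT err=0 tag=101 nentries=2000 etime=0.003
[04/Dec/2018:18:38:30.700000000 +0000] conn=71 op=12 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs=ALL
[04/Dec/2018:18:38:30.702000000 +0000] conn=71 op=12 RESULT err=0 tag=101 nentries=1500 etime=0.002
[04/Dec/2018:18:38:30.900000000 +0000] conn=72 op=3 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(uid=alice)" attrs="memberOf"
[04/Dec/2018:18:38:30.901000000 +0000] conn=72 op=3 RESULT err=0 tag=101 nentries=1 etime=0.001
"""


def _parse_ts(raw):
    """389-ds stamps have nanoseconds; strptime's %f takes at most six digits."""
    stamp, tz = raw.split(" ", 1)
    main, frac = stamp.split(".")
    return datetime.strptime(f"{main}.{frac[:6]} {tz}", TS_FMT)


def summarise_searches(log_text):
    """Group SRCH/RESULT pairs by (conn, base, filter).

    Returns {key: {"pages", "entries", "etime", "wall"}}. 'etime' is the sum
    the server reports; 'wall' is first SRCH to last RESULT, which includes
    the client's processing between pages that etime never shows.
    """
    pending = {}
    stats = defaultdict(lambda: {"pages": 0, "entries": 0, "etime": 0.0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["base"], m["filter"], _parse_ts(m["ts"]))
            continue
        m = RESULT_RE.match(line)
        if m:
            srch = pending.pop((m["conn"], m["op"]), None)
            if srch is None:
                continue  # RESULT for a non-search op (BIND, MOD, ...): ignore
            base, flt, started = srch
            ended = _parse_ts(m["ts"])
            s = stats[(m["conn"], base, flt)]
            s["pages"] += 1
            s["entries"] += int(m["nentries"])
            s["etime"] += float(m["etime"])
            s["first"] = started if s["first"] is None else min(s["first"], started)
            s["last"] = ended if s["last"] is None else max(s["last"], ended)
    return {k: {"pages": v["pages"], "entries": v["entries"],
                "etime": round(v["etime"], 6),
                "wall": (v["last"] - v["first"]).total_seconds()}
            for k, v in stats.items()}


def pages_needed(total_entries, page_size):
    """Round trips a client needs to walk total_entries at page_size."""
    return -(-total_entries // page_size)


if __name__ == "__main__":
    for (conn, base, flt), s in summarise_searches(SAMPLE_LOG).items():
        print(f"conn={conn} base={base} filter={flt}: {s['pages']} page(s), "
              f"{s['entries']} entries, etime={s['etime']:.3f}s, wall={s['wall']:.3f}s")
    for size in (2000, 10000):
        print(f"133,934 entries at page size {size}: {pages_needed(133934, size)} round trips")
```

Run against a real access log, a large gap between `wall` and `etime` on the same connection is the signature of the situation in the post: the server answers each page quickly and the time goes into the number of pages and the client work between them, which is exactly what a larger page size (or a narrower filter) reduces.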
Re: [Pki-users] expired pki-server 10.3.3 certificates
by Z D
Hi John, thanks for the feedback.
I used this URL as help to disable self tests.
https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_...
Many of "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5.
But I was able to disable self test and PKI is responsive now.
After the system time is back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors.
Basically it is something like:
"ACIError: Insufficient access: Invalid credentials"
[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials
[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
Is there any URL that's relevant for pki 10.3?
thanks in advance, Zarko
________________________________
From: John Magne <jmagne(a)redhat.com>
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
Hi:
You can try to temporarily disable the self tests for your ca, until
the new certs are resolved.
Look in the CS.cfg file for the ca in question and there is a big section
controlling the self tests. Just experiment with commenting out the tests and see if that
gets you past the hurdle.
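John's suggestion is to edit the self-test section of CS.cfg by hand. The following is an added example, not code from the thread, from Dogtag or from the wiki page linked above; it assumes CS.cfg is a flat key=value file and that the startup self-tests are listed under the key `selftests.container.order.startup` as a comma-separated list of `Name:criticality` items (the excerpt below is constructed to look like a CA's CS.cfg, not copied from a real instance). It removes a single named test from the startup list instead of commenting lines out, keeps every other line untouched, and can put the original list back afterwards, which matters because the test that trips on expired system certificates is also the one you want running again once the certificates are renewed.

```python
"""Disable, inspect and restore a Dogtag startup self-test in CS.cfg.

Added example; assumes the 'selftests.container.order.startup' key holds a
comma-separated 'Name:criticality' list. Sample config below is constructed.
"""

STARTUP_KEY = "selftests.container.order.startup"
ONDEMAND_KEY = "selftests.container.order.onDemand"

# Constructed CS.cfg excerpt (not from a real CA instance).
SAMPLE_CS_CFG = """\
# constructed excerpt for the example
selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical
selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
selftests.plugin.SystemCertsVerification.class=com.netscape.cms.selftests.common.SystemCertsVerification
"""


def _split_item(item):
    """'Name:critical' -> ('Name', 'critical'); tolerate a missing criticality."""
    name, _, crit = item.strip().partition(":")
    return (name, crit)


def parse_selftests(cfg_text, key=STARTUP_KEY):
    """Return the [(name, criticality), ...] configured under key, [] if the
    value is empty, or None if the key is absent from the file."""
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            value = line[len(key) + 1:].strip()
            return [_split_item(i) for i in value.split(",")] if value else []
    return None


def set_selftests(cfg_text, tests, key=STARTUP_KEY):
    """Rewrite key's line with the given list; every other line is kept
    byte-for-byte, and the key is appended if it was missing."""
    new_line = f"{key}=" + ", ".join(f"{n}:{c}" for n, c in tests)
    out, replaced = [], False
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def disable_selftest(cfg_text, name, key=STARTUP_KEY):
    """Drop one named test from the list under key (other keys untouched)."""
    tests = parse_selftests(cfg_text, key) or []
    return set_selftests(cfg_text, [t for t in tests if t[0] != name], key)


def selftest_enabled(cfg_text, name, key=STARTUP_KEY):
    """True if the named test is still in the list under key."""
    return any(n == name for n, _ in (parse_selftests(cfg_text, key) or []))


if __name__ == "__main__":
    original = parse_selftests(SAMPLE_CS_CFG)
    print("startup self-tests before:", original)
    edited = disable_selftest(SAMPLE_CS_CFG, "SystemCertsVerification")
    print("startup self-tests after: ", parse_selftests(edited))
    # Once renewal is done, restore the saved list and confirm it is back.
    restored = set_selftests(edited, original)
    print("restored matches original:", restored == SAMPLE_CS_CFG)
```

On a real instance you would read `/var/lib/pki/<instance>/ca/conf/CS.cfg` (path assumed here), keep a copy of the original file, write the edited text back, restart the CA, and after `getcert resubmit` succeeds write the restored text and check `selftest_enabled(...)` is true again.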