Bug 579542 - DOC: -K required when using the -N option when requesting a cert
Summary: DOC: -K required when using the -N option when requesting a cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: certmonger
Version: 12
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-05 19:26 UTC by Rob Crittenden
Modified: 2010-11-03 18:21 UTC (History)
2 users (show)

Fixed In Version: certmonger-0.20-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-03 18:21:22 UTC


Attachments (Terms of Use)

Description Rob Crittenden 2010-04-05 19:26:38 UTC
Description of problem:

If you specify a subject when requesting a certificate (-N) then it is also required to set the principal name (-K).

This makes some sense in case someone is requesting a cert for a different host name you'd want the principal to match that. This requirement just isn't clear in the documentation and the error message isn't very explanatory either:

"IPA requires that a principal name be specified using the -K option."

It should probably include something like:

"The -K option is required when using the -N option"

Version-Release number of selected component (if applicable):

certmonger-0.19-1.fc12.x86_64

Steps to Reproduce:
# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -N CN=client.example.com,O=IPA

Comment 1 Nalin Dahyabhai 2010-04-05 21:50:27 UTC
How about this:
"IPA requires that a principal name also be specified (using the -K option) when the -N option is used."

Does that read better?

Comment 2 Dmitri Pal 2010-04-05 22:51:10 UTC
Sorry it does not.

"A principal name (-K option) is required when the -N option is used".

"A principal name (-K option) must be specified when the -N option is used".

"A principal name (-K option) must be provided when the -N option is used".

"You must use -K option to specify a principal name when -N option is used".

"In conjunction with a -N option you must use -K option to specify a principal name".

Comment 3 Rob Crittenden 2010-04-06 13:12:32 UTC
certmonger knows when it is talking to an IPA backend and only requires the principal when used in that context which is why he included the IPA bit.

I think we can go with a shorter, clearer error message out of ipa-getcert and add some additional information to the *getcert man pages.

Comment 4 Nalin Dahyabhai 2010-04-06 17:35:40 UTC
Well, clearly I could use some guidance on the text to use.

Comment 5 Dmitri Pal 2010-04-06 17:57:20 UTC
(In reply to comment #3)
> certmonger knows when it is talking to an IPA backend and only requires the
> principal when used in that context which is why he included the IPA bit.
> 
> I think we can go with a shorter, clearer error message out of ipa-getcert and
> add some additional information to the *getcert man pages.    

Is it always IPA back end that requires the principal?
I do not like the message being so explicit.
May be "Server requires ..." would be better.

Like this:
"Server requires the use of -K option (principal name) if -N option is used".

Comment 6 Rob Crittenden 2010-04-07 15:32:08 UTC
Yes, we need to know the service to attach the certificate to so the IPA backend always requires a principal.

This is only enforced when you run either ipa-getcert or you use the -c IPA argument with getcert.

So I think to be clearest:

"The IPA backend requires the use of -K option (principal name) if -N (subject) option is used".

Comment 7 Dmitri Pal 2010-04-07 16:06:34 UTC
(In reply to comment #6)
> Yes, we need to know the service to attach the certificate to so the IPA
> backend always requires a principal.
> 
> This is only enforced when you run either ipa-getcert or you use the -c IPA
> argument with getcert.
> 
> So I think to be clearest:
> 
> "The IPA backend requires the use of -K option (principal name) if -N (subject)
> option is used".    

Ack

Comment 8 Nalin Dahyabhai 2010-04-07 21:06:25 UTC
Change made in git, targeted for 0.20.

Comment 9 Fedora Update System 2010-04-21 22:22:01 UTC
certmonger-0.20-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc12

Comment 10 Fedora Update System 2010-04-21 22:22:07 UTC
certmonger-0.20-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc13

Comment 11 Fedora Update System 2010-04-21 22:22:12 UTC
certmonger-0.20-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc11

Comment 12 Fedora Update System 2010-04-22 22:41:57 UTC
certmonger-0.20-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc11

Comment 13 Fedora Update System 2010-04-22 22:45:12 UTC
certmonger-0.20-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc12

Comment 14 Fedora Update System 2010-04-22 22:53:42 UTC
certmonger-0.20-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.20-1.fc13

Comment 15 Fedora Update System 2010-05-05 07:21:09 UTC
certmonger-0.21-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.21-1.fc13

Comment 16 Fedora Update System 2010-05-06 03:38:08 UTC
certmonger-0.21-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.21-1.fc12

Comment 17 Fedora Update System 2010-05-06 03:38:19 UTC
certmonger-0.21-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.21-1.fc11

Comment 18 Fedora Update System 2010-05-15 20:24:16 UTC
certmonger-0.22-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.22-1.fc11

Comment 19 Fedora Update System 2010-05-15 20:44:34 UTC
certmonger-0.22-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.22-1.fc13

Comment 20 Fedora Update System 2010-05-15 20:46:18 UTC
certmonger-0.22-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.22-1.fc12

Comment 21 Fedora Update System 2010-06-03 18:04:22 UTC
certmonger-0.23-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2010-06-03 18:07:59 UTC
certmonger-0.23-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2010-06-03 18:13:32 UTC
certmonger-0.23-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Bug Zapper 2010-11-03 17:48:58 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 25 Nalin Dahyabhai 2010-11-03 18:21:22 UTC
Not sure why I didn't close this yet.  Closing.


Note You need to log in before you can comment on or make changes to this bug.