Red Hat Bugzilla – Bug 621670
RFE: there is no way to pass in a key or database password on start-tracking
Last modified: 2010-09-11 05:08:44 EDT
Description of problem:
In IPA I have an couple of server certificates crut ated in the install process that I want certmonger to track. I can get them tracked with ipa-getcert start-tracking but when renewal time rolls around it fails because certmonger doesn't have the NSS database password so can't get at the private keys.
I need to be able to pass in either a password or a file that contains the password (or both)
Version-Release number of selected component (if applicable):
Under the covers, 'getcert start-tracking' makes the same request that 'getcert request' does, so this is mainly about wiring it into 'getcert start-tracking'. Targeting 0.25 for the fix.
Rob, can you spot-check that this works as you'd expect with the development snapshots? Anything from 6 August on should have the changes I think you need. If it's good, I'll go ahead and release an 0.25.
With new bits the certificates are now in the state: NEWLY_ADDED_NEED_KEYI_READ_PIN
But I'm still stuck with : how do I provide the pin? Or really, how do I provide a pin or password file when I start the tracking?
(In reply to comment #3)
> With new bits the certificates are now in the state:
Ah, good. That's where it was supposed to land. Having it get stuck in NEED_CSR was a symptom of a bug in the code that was supposed to detect failed attempts at logging in to an NSS database.
> But I'm still stuck with : how do I provide the pin? Or really, how do I
> provide a pin or password file when I start the tracking?
The getcert start-tracking command should recognize -p or -P now, so that the PIN can be passed in either as the name of a file which is consulted when the PIN is needed, or directly (though I tend to agree with you that using a file is better).
Initial tests with -p are looking good. The man page(s) need to be updated as well.
certmonger-0.26-1.fc13 has been submitted as an update for Fedora 13.
certmonger-0.26-1.fc12 has been submitted as an update for Fedora 12.
certmonger-0.26-1.fc14 has been submitted as an update for Fedora 14.
certmonger-0.26-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update certmonger'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.26-1.fc13
certmonger-0.30-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
certmonger-0.30-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
certmonger-0.30-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.