Bug 621670 - RFE: there is no way to pass in a key or database password on start-tracking
RFE: there is no way to pass in a key or database password on start-tracking
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: certmonger (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 624143
  Show dependency treegraph
 
Reported: 2010-08-05 15:09 EDT by Rob Crittenden
Modified: 2010-09-11 05:08 EDT (History)
1 user (show)

See Also:
Fixed In Version: certmonger-0.30-1.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 624143 (view as bug list)
Environment:
Last Closed: 2010-09-04 01:21:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rob Crittenden 2010-08-05 15:09:03 EDT
Description of problem:

In IPA I have an couple of server certificates crut ated in the install process that I want certmonger to track. I can get them tracked with ipa-getcert start-tracking but when renewal time rolls around it fails because certmonger doesn't have the NSS database password so can't get at the private keys.

I need to be able to pass in either a password or a file that contains the password (or both)

Version-Release number of selected component (if applicable):

certmonger-0.23-1.fc12.x86_64
Comment 1 Nalin Dahyabhai 2010-08-05 15:16:38 EDT
Under the covers, 'getcert start-tracking' makes the same request that 'getcert request' does, so this is mainly about wiring it into 'getcert start-tracking'. Targeting 0.25 for the fix.
Comment 2 Nalin Dahyabhai 2010-08-10 17:31:16 EDT
Rob, can you spot-check that this works as you'd expect with the development snapshots?  Anything from 6 August on should have the changes I think you need.  If it's good, I'll go ahead and release an 0.25.
Comment 3 Rob Crittenden 2010-08-11 09:52:06 EDT
With new bits the certificates are now in the state: NEWLY_ADDED_NEED_KEYI_READ_PIN

But I'm still stuck with : how do I provide the pin? Or really, how do I provide a pin or password file when I start the tracking?
Comment 4 Nalin Dahyabhai 2010-08-11 11:10:13 EDT
(In reply to comment #3)
> With new bits the certificates are now in the state:
> NEWLY_ADDED_NEED_KEYI_READ_PIN

Ah, good.  That's where it was supposed to land.  Having it get stuck in NEED_CSR was a symptom of a bug in the code that was supposed to detect failed attempts at logging in to an NSS database.

> But I'm still stuck with : how do I provide the pin? Or really, how do I
> provide a pin or password file when I start the tracking?    

The getcert start-tracking command should recognize -p or -P now, so that the PIN can be passed in either as the name of a file which is consulted when the PIN is needed, or directly (though I tend to agree with you that using a file is better).
Comment 5 Rob Crittenden 2010-08-13 09:48:09 EDT
Initial tests with -p are looking good. The man page(s) need to be updated as well.
Comment 6 Fedora Update System 2010-08-13 15:28:49 EDT
certmonger-0.26-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/certmonger-0.26-1.fc13
Comment 7 Fedora Update System 2010-08-13 15:28:59 EDT
certmonger-0.26-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/certmonger-0.26-1.fc12
Comment 8 Fedora Update System 2010-08-13 15:29:08 EDT
certmonger-0.26-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/certmonger-0.26-1.fc14
Comment 9 Fedora Update System 2010-08-17 01:26:04 EDT
certmonger-0.26-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update certmonger'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/certmonger-0.26-1.fc13
Comment 10 Fedora Update System 2010-09-04 01:21:46 EDT
certmonger-0.30-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-09-11 04:56:24 EDT
certmonger-0.30-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-09-11 05:08:35 EDT
certmonger-0.30-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.