pkispawn does not validate its input and can create a broken CA instance. This has been a source of much grief in IPA:
https://bugzilla.redhat.com/show_bug.cgi?id=1111320
https://bugzilla.redhat.com/show_bug.cgi?id=1127838
https://bugzilla.redhat.com/show_bug.cgi?id=1223700
pkispawn should validate its input to prevent bugs like the above. Additionally, a dry run option should be added, so that the input can be checked before running the actual install.
Steps to Reproduce:
1. Run pkispawn with some invalid input, e.g. an invalid pki_external_ca_cert_chain_path file.

Actual results:
pkispawn creates a broken CA instance

Expected results:
pkispawn fails with an error
This was discussed in the Dogtag 10.3 Triage meeting of 01/06/2016, and it was determined that rather than a "dry run" option, it would be better to augment the existing validation and focus on using containers to install a test PKI.
This will be revisited in Dogtag 10.4.
Could you reconsider the dry run / validate only option?
Without it, we have to do one of the following in ipa-server-install:
None of these are very nice.
Also, I would think that the dry run option should not be hard to implement (just exit after the initial validation).
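The two things asked for in this ticket (validate the input up front, and a dry-run mode that exits after that validation) as an added illustration; this is not pkispawn's own code and the function names are hypothetical. It assumes a pkispawn-style INI file with a [CA] section and checks only the key named in the report, pki_external_ca_cert_chain_path: the file must exist, be readable, and contain at least one PEM CERTIFICATE block whose body is valid base64 that begins with a DER SEQUENCE tag. The sample chain files and configs are constructed stand-ins (the "certificate" bytes are not a real certificate).

```python
"""Pre-flight validator for a pkispawn-style config (added example, not pkispawn's code)."""
import base64
import binascii
import configparser
import os
import re
import tempfile
from typing import Dict, List

# One PEM certificate block: header, base64 body, footer.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def check_pem_chain(path: str) -> List[str]:
    """Return the problems found with the CA cert chain file at `path` (empty list = ok)."""
    if not os.path.isfile(path):
        return [f"{path}: file does not exist"]
    if not os.access(path, os.R_OK):
        return [f"{path}: file is not readable"]
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    bodies = PEM_CERT_RE.findall(data)
    if not bodies:
        return [f"{path}: no PEM CERTIFICATE blocks found"]
    problems: List[str] = []
    for idx, body in enumerate(bodies, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{path}: certificate #{idx} body is not valid base64")
            continue
        # A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{path}: certificate #{idx} is not DER (missing SEQUENCE tag)")
    return problems


def validate_config(cfg_path: str, section: str = "CA") -> List[str]:
    """Validate the INI config before any install step; return the problems found."""
    parser = configparser.ConfigParser(interpolation=None)
    if not parser.read(cfg_path):
        return [f"{cfg_path}: cannot read config file"]
    if not parser.has_section(section):
        return [f"{cfg_path}: missing [{section}] section"]
    problems: List[str] = []
    chain = parser.get(section, "pki_external_ca_cert_chain_path", fallback=None)
    if chain is not None:
        problems.extend(check_pem_chain(chain))
    return problems


def dry_run(cfg_path: str) -> int:
    """Dry-run entry point: validate, report, and stop (1 = problems found, 0 = clean)."""
    problems = validate_config(cfg_path)
    for problem in problems:
        print("ERROR:", problem)
    print("dry run: no problems found" if not problems else f"dry run: {len(problems)} problem(s)")
    return 1 if problems else 0


def build_demo(tmpdir: str) -> Dict[str, str]:
    """Construct sample inputs: a well-formed chain, a truncated chain, and three configs."""
    # Constructed stand-in for a DER certificate: bytes 30 03 02 01 01 (a SEQUENCE), not a real cert.
    fake_der_b64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    good_chain = os.path.join(tmpdir, "chain.pem")
    with open(good_chain, "w") as fh:
        fh.write(f"-----BEGIN CERTIFICATE-----\n{fake_der_b64}\n-----END CERTIFICATE-----\n")
    # A chain file cut off mid-block, the kind of copy/paste accident that produces a broken instance.
    truncated_chain = os.path.join(tmpdir, "truncated.pem")
    with open(truncated_chain, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMAMCAQE\n")
    configs: Dict[str, str] = {}
    for name, chain in (("good.cfg", good_chain),
                        ("truncated.cfg", truncated_chain),
                        ("missing.cfg", os.path.join(tmpdir, "does-not-exist.pem"))):
        cfg_path = os.path.join(tmpdir, name)
        with open(cfg_path, "w") as fh:
            fh.write(f"[DEFAULT]\n\n[CA]\npki_external_ca_cert_chain_path={chain}\n")
        configs[name] = cfg_path
    return configs


def run_demo() -> Dict[str, int]:
    """Run the dry run over each constructed config and return its exit status by name."""
    results: Dict[str, int] = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        for name, cfg_path in build_demo(tmpdir).items():
            results[name] = dry_run(cfg_path)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the structure is that dry_run() shares validate_config() with whatever the real install path would call, so the dry run cannot drift from the checks the install actually performs; a missing file, an unreadable file, and a truncated PEM all stop before anything is written.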
Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - major
Metadata Update from @jcholast: - Issue set to the milestone: 10.4
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Custom field feature adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field version adjusted to None - Issue close_status updated to: None - Issue set to the milestone: FUTURE (was: 10.4)
Per 10.5.x/10.6 Triage: 10.6
mharmsen: This feature has been requested for a long time and as it is a feature that will help debugging errors it is a reasonable candidate for 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: FUTURE)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2285
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)