From: Nicolas M. (CeSPI) <nm...@ce...> - 2014-03-07 22:43:15
Hello Martin,

I will test and give some feedback about it soon.

However, thanks to a colleague, we were able to patch the OpenCA DBI module and do some tests that fixed both problems in this thread:
- export/import problems related to CSRs with different states
- make complete database backup in which all objects are stored in all possible categories

After doing some tests, I was able to use these OpenCA functions without problems.

I attach the patch.

Bye
Nicolas Macia
_____________
CERTunlp

On 07/03/14 11:02, Martin Hecht wrote:
> Hello Nicolas,
>
> I think you were looking at the right place. The function exportDB in
> export-import.lib holds a list of states which shall be exported.
> TEMPNEW is not among the ones to be exported, so these requests which
> are not validated should not even leave the RA. Nevertheless, it would
> make sense to handle TEMPNEW in importObjects just in case. However,
> all other states should already be handled correctly, at least for
> Openca-base 1.5.1. In the output below I can't see any export of a
> request. Could you try to export the data base with requests of
> different states ( TEMPNEW / NEW / APPROVED ) and check the tar file
> how they are written to the device?
>
> best regards,
> Martin
>
> PS: I'm suggesting the attached patch to make sure the TEMPNEW state
> is correctly handled during import
>
> On 02/28/2014 03:35 PM, Nicolas Macia (CeSPI) wrote:
>> I left to say that this behavior happened on:
>> - Openca-base 1.5.1 / Openca-tools 1.3.0 on Debian 7 (Stable)
>> - Openca-base 1.1.1 / Openca-tools 1.3.0 on Debian 6 (Old Stable)
>>
>> I think that this problem could be related with another bug related with
>> putting all objects (CA CERT / CERTIFICATE / REQUEST) in all different
>> categories regardless their status: CACERT [valid / expired] , REQUEST
>> [new / renew / pending / signed / approved / archived / deleted] ,
>> CERTIFICATE [valid / expired / revoked / suspended]
>>
>> For example, on OpenCA 1.5.1 on my CA that has:
>> - one CA cert
>> - one CRL
>> - two valid certificates
>>
>> if I make on the node interface:
>> Node Ops -> Backup and Recovery -> Database
>>
>> I can see the following:
>>
>> Thursday 27 February 21:48:13 UTC
>> Exporting DB ...
>> Please wait until operation completes
>>
>> Exporting valid CA_CERTIFICATE ...
>> Exporting all necessary objects.
>> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>>
>> Exporting expired CA_CERTIFICATE ...
>> Exporting all necessary objects.
>> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>>
>> Exporting new CRR ...
>> No objects are present.
>>
>> Exporting pending CRR ...
>> No objects are present.
>>
>> Exporting signed CRR ...
>> No objects are present.
>>
>> Exporting approved CRR ...
>> No objects are present.
>>
>> Exporting archived CRR ...
>> No objects are present.
>>
>> Exporting deleted CRR ...
>> No objects are present.
>>
>> Exporting valid CRL ...
>> Exporting all necessary objects.
>> 1.pem
>>
>> Exporting new REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting renew REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting pending REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting signed REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting approved REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting archived REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting deleted REQUEST ...
>> Exporting all necessary objects.
>> 256.spkac
>> 512.spkac
>>
>> Exporting valid CERTIFICATE ...
>> Exporting all necessary objects.
>> 998806535358870519861744.pem
>> 419063751874877379914325.pem
>>
>> Exporting expired CERTIFICATE ...
>> Exporting all necessary objects.
>> 998806535358870519861744.pem
>> 419063751874877379914325.pem
>>
>> Exporting revoked CERTIFICATE ...
>> Exporting all necessary objects.
>> 998806535358870519861744.pem
>> 419063751874877379914325.pem
>>
>> Exporting suspended CERTIFICATE ...
>> Exporting all necessary objects.
>> 998806535358870519861744.pem
>> 419063751874877379914325.pem
>>
>> Exporting archive ...
>> Load required variables ...
>> Changing to directory /home/openca/OpenCA/var/openca/tmp/tmp_19420 ...
>> Running the export command(s) ...
>> /bin/tar -cvpf /tmp/openca_local -C /home/openca/OpenCA/var/openca/tmp/tmp_19420 .
>> Archive created successfully.
>> Test the archive ...
>> /bin/tar -tvf /tmp/openca_local
>> Clean up ...Ok.
>>
>> Nicolás Macia
>> _____________
>> CERTunlp
>>
>> On 27/02/14 21:48, Nicolas Macia wrote:
>>> Hello, I have a problem.
>>>
>>> After requesting Digital Cert at public site, a URL is sent to the
>>> requester to confirm his email address
>>>
>>> The problem is what is seen at RA interface:
>>> - CSR confirmed using previous URL are tagged with state NEW
>>> - CSR not confirmed are tagged with state TEMPNEW
>>> - Approved CSR are tagged with state APPROVED
>>>
>>> When I use the node interface to exchange information to the CA, all CSR of ANY STATE are exported to CA as approved REQUESTS.
>>>
>>> Seems to me that the problem is that RA only should export approved
>>> requests but it doesn't.
>>>
>>> anyone who knows what is the problem here??
>>>
>>> Thanks
>>> Nico
>>
>> -----
>> CeSPI
>> Centro Superior para el Procesamiento de la Información
>> Universidad Nacional de La Plata
>> -------------------------------------------------------------------------------
>> Protect the environment. Do not print this email unless absolutely necessary

-----
CeSPI
Centro Superior para el Procesamiento de la Información
Universidad Nacional de La Plata
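
A check for the symptom visible in the export output quoted in this thread, as an added example that is not part of the original messages or of OpenCA: it parses an export log in that format and reports every object listed under more than one state of the same object type. The function names and the `.pem`/`.spkac` file-name pattern are assumptions derived from the quoted output.

```python
import re
from collections import defaultdict

# Excerpt of the export output quoted in the thread (blank lines dropped).
SAMPLE_LOG = """\
Exporting new CRR ...
No objects are present.
Exporting new REQUEST ...
Exporting all necessary objects.
256.spkac
512.spkac
Exporting approved REQUEST ...
Exporting all necessary objects.
256.spkac
512.spkac
Exporting valid CERTIFICATE ...
Exporting all necessary objects.
998806535358870519861744.pem
Exporting revoked CERTIFICATE ...
Exporting all necessary objects.
998806535358870519861744.pem
Exporting archive ...
"""

# "Exporting <state> <TYPE> ..." opens a section; file names follow it.
SECTION = re.compile(r"^Exporting (\w+) ([A-Z_]+) \.\.\.$")
OBJECT = re.compile(r"^[0-9A-Za-z]+\.(?:pem|spkac)$")  # assumed name pattern

def states_per_object(log_text):
    """Map (object type, file name) -> set of states it was exported under."""
    seen = defaultdict(set)
    current = None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quote markers
        m = SECTION.match(line)
        if m:
            current = (m.group(2), m.group(1))  # (type, state)
        elif line.endswith("..."):
            current = None  # other step, e.g. "Exporting archive ..."
        elif current and OBJECT.match(line):
            seen[(current[0], line)].add(current[1])
    return seen

def multi_state_objects(log_text):
    """Objects exported under more than one state of the same type."""
    found = states_per_object(log_text)
    return {k: sorted(v) for k, v in found.items() if len(v) > 1}

if __name__ == "__main__":
    for (otype, name), states in sorted(multi_state_objects(SAMPLE_LOG).items()):
        print(f"{otype} {name}: exported under {', '.join(states)}")
```

An empty result on a fresh export after patching indicates that each object is written under a single state per type.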