URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
FYI, Custodia 0.3 hasn't been released yet. I'm still doing smoke tests with FreeIPA's secrets service. So far, FreeIPA master and Custodia master work flawlessly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-283283004

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
Custodia 0.3 is out, https://koji.fedoraproject.org/koji/taskinfo?taskID=18127414
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-283421294

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
ipa-server-install failed
```
Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-285728731

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
sigh, template markers aren't picked up automatically. I fixed ```init/systemd/Makefile.am```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-286448906

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
This PR must be merged into 4.5 ASAP. Without the fix it is not possible to define proper SELinux policies for ipa-custodia and stand-alone custodia.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-286993273

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
I assume that this is not WIP anymore then
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287066488

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

martbab commented:
"""
@tiran we first need a copr build on F25 to unblock Travis CI. Can you provide a copr repo and modify test runner config to add it during builddep phase?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287283578

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
@martbab I will test it manually (when I receive f25/F26 rpms), if works then I will update master copr
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287292769

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

martbab commented:
"""
@MartinBasti ok there should be no problems with that (built it on F25 VM but threw it away afterwards, oh well)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287295476

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
I had some issues with build system yesterday. For some reason ```python2-python-etcd``` dependency was missing dependency on ```etcd```. I'm glad time heals all wounds (or some devs *g*).

F25 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429524
F26 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429570
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287313565

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: edited

Changed field: body
Original value:
"""
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.

Signed-off-by: Christian Heimes <***@redhat.com>

PR depends on new custodia release.
"""

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: edited

Changed field: title
Original value:
"""
[WIP] Use Custodia 0.3 features
"""

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

tiran commented:
"""
PR is blocked because custodia 0.3 is not yet in https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/packages/ Please add the package fro Koji builds https://github.com/freeipa/freeipa/pull/517#issuecomment-287313565
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288356890

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

MartinBasti commented:
"""
No this PR si not blocker by this but by this. I manually tried this patch and replica installation failed.

```
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 203, in install
install_step_0(standalone, replica_config, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 244, in install_step_0
replica_config.dirman_password)
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 182, in get_ca_keys
self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 146, in __get_keys
value = cli.fetch_key(os.path.join(prefix, nickname), False)
File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 101, in fetch_key
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status
raise HTTPError(http_error_msg, response=self)

2017-03-22T09:41:44Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca for url: https://vm-126.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.OxngT9UkpcI1epgfUY4ptfAcgNqcWkolwjxt48l7mYvvvDbejfdPY5IAulLyqXE_vc4ifCmqAJ2je9t2IC-gJXq9csZ60q4_sBhhw-NVp_2GZOasPYnF_LDoLEUx9iKihMiBRXTMS4Ue4wzx41tgSViCpuO7eUT5XKRaYtwOXd5qi46Z6S8XgQJSTeW3WQjRGNqSzYMOeHQNPMz24gSx9ENJ4Mx2x4LxY5cod3HGjocgp9s4qnJLYL3bhEXRL9x_t8RG6B06_FXY044DNsR5YBlHa7J5ks2ldiR7TCBN2te5iv_ePKYdpmMlHqeT1NNjGKMnei-TTtYE8dsJM4Q9gA.eDq3i2fgbry5AabVyJHVeg.Uf9wBxxQSloach8Pcbdi2BMzeHB9bY4tFRvifH3_-omv87g0jDCMEK8Tv56E9psnp1BEhcslPcIQC2k8YTUiMv_SgA-uj3Agb1RhZn1JV9IlZzPRfUELCj0jj-rVsC7UeQjkYRjYhxnCrlYpiLeAEfPnHlSMqCHH2PWJEzxGH8bCrIBkwrvQ8A2an0tP37HTi4fyJJbHaBZD4YWSG5iD7RjzkL8a89edyiZNNO7xbgX2CxvvgIhJ0vxYWPn6SSLJpOJaVF_Wt5cRMfXccPKdB5VUXPefEUbOjf4A5xdGZiCSWY8jCU8Rb246SdWlxKipEVcRua0zKNcC51IHxAIZY-Jxp9yTqQm8OvNNqsV1cG_TSovsH9MES7AEMYTDNxRr-QluR6Nvjc7VqN_nG9e4l8f7B7ut_sG-BQWJcbWm0GApISE9c9FzjtNmJAO5eZpGehLuOIHPornnyye2ulc_5XeRxr9QtpAHE9buluRAP_bBPXwB2IpDyP2gnOQhyI64ulu1_QRjq_XKoSCBOFe94XMt7JpoQe_NcvsR-rlaZLC4aQaUaycT-a_n6ly-Uwoh2jSHJ2lzLSZ2pbdqkCws_LEevY2Ola67VvQjWNcS7udQlDNhDZPso8_Abf8Jlm54iNMTiKKClRrM6kFITslzXpqpJ_NBe6q6gUp2JY-qkny1y0xwF4Q7kjXvSJdjGXSYrpR3eT9GZfdFIIHy_GUa8Sbt0tYddobEaqdGHo1rO90.GovMfUQdvTRXvrae4vbQDBApw37BgjXM9fimKMmkfQA

```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288370660

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

tiran commented:
"""
@MartinBasti How did you get Custodia into the test envs when it is not available in COPR or Fedora repos?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372454

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

MartinBasti commented:
"""
@tiran I manually installed custodia on my VM from koji. Travis doesn't run replica install tests what is the primary use case for custodia in FreeIPA, so travis result has no weight for this PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372915

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

tiran commented:
"""
Please custodia logs (```journalctl -u ipa-custodia``` and ```/var/log/ipa-custodia.audit.log```) from the server.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288372963

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

MartinBasti commented:
"""
```
[***@vm-058-017 ~]# journalctl -u ipa-custodia
-- Logs begin at Wed 2017-03-15 15:56:23 CET, end at Wed 2017-03-22 12:35:17 CET. --
Mar 15 16:20:58 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 22 10:41:43 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service...
Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com ipa-custodia[49493]: 2017-03-22 10:41:44 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
lines 1-7/7 (END)

```

Audit file is empty
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288373312

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

MartinBasti commented:
"""
custodia-0.3.0-3.fc25.noarch

"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288373442

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

MartinBasti commented:
"""
Replica logs^

Master logs:

```
Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service...
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:18:10 - server - Serving on Unix socket /ru
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple] - PASS: '83694' authenticate
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header] - PASS: '83694' authenticate
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys] - PASS: '83694' authorized f
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - Secrets-[/keys] - DENIED: '(null)' requested
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - server - code 406, message Key name
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 127.0.0.1 - - [22/Mar/2017 10:41:44] "GET /keys/ca/caSigningCert%20cert-pki-ca?type
~
```

audit.log
```
2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple] - PASS: '83694' authenticated as '48, 48'
2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header] - PASS: '83694' authenticated as '(null)'
2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys] - PASS: '83694' authorized for '/keys'
2017-03-22 10:41:44 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert%20cert-pki-ca'
```


"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288375592

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3 features

tiran commented:
"""
Full error message: ```code 406, message Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca```

Custodia issue https://github.com/latchset/custodia/issues/135
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-288443491

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: Use Custodia 0.3 features
Action: edited

Changed field: title
Original value:
"""
Use Custodia 0.3 features
"""

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

tiran commented:
"""
0.3.1 with fix for the space in URLs is out.

* rawhide build https://koji.fedoraproject.org/koji/taskinfo?taskID=18637684
* F26 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18638045
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289588268

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

tiran commented:
"""
F25 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18643521

```
$ fedpkg clone custodia
$ cd custodia
$ fedpkg switch-branch master
$ fedpkg scratch-build --srpm --target f25
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289735201

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

MartinBasti commented:
"""
Probably we should bump requires to custodia >= 0.3.1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289737346

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

MartinBasti commented:
"""
Works for me, can be pushed when dependencies bumped
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289739858

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: Use Custodia 0.3.1 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

Label: +ack

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

Label: +pushed

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

pvomacka commented:
"""
ipa-4-5:

* 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features
master:

* f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features
"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289762284

URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: Use Custodia 0.3.1 features
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: Use Custodia 0.3.1 features

tiran commented:
"""
Custodia 0.3.1 also fixes https://github.com/latchset/custodia/issues/135 (KEM requests with whitespace in key name fail). The bug has been reported by @adelton as https://bugzilla.redhat.com/show_bug.cgi?id=1411810 .

"""

See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289779539