View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001360 | Main CAcert Website | GPG/PGP | public | 2015-01-16 12:25 | 2021-08-26 11:45 |
Reporter | wytze | Assigned To | Eva | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | needs review | Resolution | open | ||
Product Version | 2015 Q1 | ||||
Target Version | 2015 Q1 | ||||
Summary | 0001360: signing of gpg keys stalls due to missing directory, and also causes delays for X.509 certificate signing and revocation | ||||
Description | The signing of gpg keys by the CAcert application may stall due to a missing directory for storing the signed keys. The current code allocates a new subdirectory for every 1000 signed keys, but the code to create this new subdirectory is missing for the gpg case (it is present though for the X.509 case). The CommModule client.pl code attempts to write the signed gpg key to a file in this non-existing directory and fails, which leads eventually to an error message: "Could not find the issued gpg key.". However, the same request will be retried over and over without limit, causing delays for all signing requests, including X.509 certificates. | ||||
Steps To Reproduce | Remove empty subdirectories under /home/cacert/www/crt/gpg. Then issue more than 1000 gpg signing requests, so somewhere along the line a new subdirectory is needed. | ||||
Additional Information | As a work-around, a number of subdirectories have been pre-created on the production server, so this failure will not occur again anytime soon, even without a code fix. The problem is in this code fragment from CommModule/client.pl:

```perl
sub HandleGPG()
{
  my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
  $sth->execute();
  my $rowdata;
  while ( $rowdata = $sth->fetchrow_hashref() )
  {
    my %row=%{$rowdata};

    my $prefix="gpg";
    my $short=int($row{'id'}/1000);
    my $csrname = "../csr/$prefix-".$row{'id'}.".csr";
    $csrname = "../csr/$prefix/$short/$prefix-".$row{'id'}.".csr" if($newlayout);
    SysLog("New Layout: "."../csr/$prefix/$short/$prefix-".$row{'id'}.".csr\n");

    #my $crtname = "../crt/$prefix-".$row{'id'}.".crt";
    my $crtname=$csrname;
    $crtname=~s/^\.\.\/csr/..\/crt/;
    $crtname=~s/\.csr$/.crt/;
    SysLog("New Layout: $crtname\n");
```

The following code should be inserted before the last line:

```perl
my $dirname=$crtname;
$dirname=~s/\/[^\/]*\.crt//;
mkdir $dirname,0755;
```
Tags | No tags attached. | ||||
Reviewed by | BenBE | ||||
Test Instructions | See Steps to Reproduce | ||||
|
See https://lists.cacert.org/wws/arc/cacert-systemlog/2015-01/msg00015.html |
|
The change was performed slightly differently than suggested to remove a minor code duplication in the process and also ensure all paths are built based on the directory name. |
|
Test: I issued enough pgp signatures for the pgp-signer daemon to require a new directory (around 200). I was told that the signer created that new directory. Test is therefore PASSED. |
|
I created certs for client and org server certificates. For both certs the new directory was created. => ok |
|
Reviewed in 0001360:0005256, but not closed. |
Date Modified | Username | Field | Change |
---|---|---|---|
2015-01-16 12:25 | wytze | New Issue | |
2015-01-16 12:28 | wytze | Note Added: 0005242 | |
2015-01-16 12:28 | wytze | Assigned To | => BenBE |
2015-01-16 12:28 | wytze | Status | new => confirmed |
2015-01-16 17:57 | BenBE | Note Added: 0005244 | |
2015-01-16 17:57 | BenBE | Assigned To | BenBE => egal |
2015-01-16 17:57 | BenBE | Status | confirmed => needs review & testing |
2015-01-20 23:02 | felixd | Note Added: 0005254 | |
2015-01-21 20:39 | INOPIAE | Note Added: 0005256 | |
2015-01-21 21:57 | BenBE | Reviewed by | => BenBE |
2015-01-21 21:57 | BenBE | Status | needs review & testing => needs review |
2015-01-21 21:57 | BenBE | Product Version | => 2015 Q1 |
2015-01-21 21:57 | BenBE | Target Version | => 2015 Q1 |
2015-10-20 20:14 | BenBE | Assigned To | egal => Eva |
2021-08-26 11:45 | alkas | Note Added: 0006081 |
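
The directory handling this issue is about, as an added Perl example that is not CAcert's code: both file names are built from one shard directory name, and that directory is created and checked before the signed key is written, so a missing shard fails loudly at the point of creation. The helper name `shard_paths`, the temporary root directory and the request ids are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not CAcert code: shard paths built from one directory name,
# with the shard directory created (and checked) before any file is written.
use strict;
use warnings;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Hypothetical helper. Returns (csr path, crt path) for a request id and
# guarantees that the crt shard directory exists, or dies with the reason.
sub shard_paths {
    my ($root, $prefix, $id) = @_;
    die "bad id '$id'\n" unless $id =~ /^\d+$/;   # id ends up in a file path
    my $short  = int($id / 1000);                 # one subdirectory per 1000 ids
    my $crtdir = "$root/crt/$prefix/$short";
    my $csrdir = "$root/csr/$prefix/$short";

    # make_path creates missing parents and does not fail if the directory
    # already exists; problems are collected in $err.
    make_path($crtdir, { mode => 0755, error => \my $err });
    if ($err && @$err) {
        my ($file, $msg) = %{ $err->[0] };
        die "cannot create $crtdir: $msg\n";
    }
    return ("$csrdir/$prefix-$id.csr", "$crtdir/$prefix-$id.crt");
}

my $root = tempdir(CLEANUP => 1);                 # constructed sandbox, not the production tree
for my $id (999, 1000, 2001) {                    # constructed ids that cross shard boundaries
    my (undef, $crt) = shard_paths($root, "gpg", $id);
    open(my $fh, '>', $crt) or die "write $crt: $!\n";
    print {$fh} "signed key placeholder\n";
    close($fh) or die "close $crt: $!\n";
    print "id $id -> $crt\n";
}
```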