[Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

Rob Crittenden rcritten at redhat.com
Fri Jul 27 20:50:40 UTC 2012


Jan Cholasta wrote:
> On 25.7.2012 22:58, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>
>>> All these scripts could use more exception handling, but I guess
>>> potential bugs can be sorted out later.
>>
>> Well, they all run in the background so even if they caught errors
>> nothing would see them unless we decide to syslog errors.

I decided to syslog the errors, there is no other way around this.

>>>
>>> install/share/default-aci.ldif:
>>>
>>> The ACIs are wrong (Kerberos principal instead of ldap URI in userdn, in
>>> 40-delegation.update it is done right).
>>
>> Nice catch, not sure how I missed that. Fixed.
>
> You forgot to fix the allow(add) one, it still has userdn =
> "host/$FQDN@$REALM".
>

Fixed.

> I did:
>
> 1. ipa-server-install on host1, using IPA from master
> 2. ipa-replica-install on host2, using IPA from master
> 3. update host1 to IPA with your patch applied
> 4. update host2 to IPA with your patch applied
> 5. ipa-ca-install on host2
>
> After that, ipaCert is not tracked on host2 at all (I had to add it
> manually using "getcert start-tracking -d /etc/httpd/alias -n ipaCert -c
> dogtag-ipa-retrieve-agent-submit -C
> /usr/lib64/ipa/certmonger/restart_httpd -p /etc/httpd/alias/pwdfile.txt
> -T ipaCert").

Fixed, it wasn't being tracked on upgrades.

I filed a ticket for the audit cert renewing for only 6 months. It is a 
dogtag bug.

I've seen some oddness when testing by moving the date forward: CS 
replication has stopped working. I kick it with ipa-csreplica-manage 
force-sync --from=<master> and that fixes things. This is unrelated to 
my patch.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1033-6-renewal.patch
Type: text/x-diff
Size: 51001 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120727/980251ff/attachment.bin>
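Added check, not part of the thread and not FreeIPA code: a POSIX shell snippet that parses "getcert list" output to confirm that certmonger is tracking ipaCert in /etc/httpd/alias (the thing that was found missing on host2 after ipa-ca-install), and that prints the "getcert start-tracking" command quoted above when it is not. The two getcert listings embedded in it are constructed to follow getcert's list format as the editor knows it (request IDs, subjects and expiry dates are made up); the output format itself, the /usr/lib64 helper path and the "-T ipaCert" profile are taken as given from the thread and are assumptions, not verified against this patch. Nothing here talks to certmonger unless real "getcert list" output is piped in.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): confirm that certmonger
# tracks a certificate in an NSS database by parsing "getcert list" output, and
# print the fix-up command from the thread when it does not.
#
# Live use on a server:  getcert list -d /etc/httpd/alias -n ipaCert | check_ipacert
# The samples below are CONSTRUCTED to mimic getcert's output (assumed format;
# request IDs, subjects and dates are made up). They are not real output.

sample_tracked() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20120727205040':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2014-07-16 20:50:40 UTC
    track: yes
    auto-renew: yes
EOF
}

# Same database, but only the HTTP server cert is tracked: ipaCert is missing,
# which is the post-upgrade state Jan reported.
sample_untracked() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20120727205041':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=host2.example.com,O=EXAMPLE.COM
    expires: 2014-07-16 20:50:41 UTC
    track: yes
    auto-renew: yes
EOF
}

# tracking_ca DB NICK < getcert-list-output
# Walks the "Request ID" records; for the one whose "certificate:" line names
# both DB and NICK and whose "track:" is yes, prints the CA name and returns 0.
# Returns 1 and prints nothing if no such record exists.
tracking_ca() {
    awk -v db="$1" -v nick="$2" -v q="'" '
        function reset()  { cert = ""; ca = ""; track = "" }
        function check() {
            if (index(cert, "location=" q db q) && index(cert, "nickname=" q nick q) && track == "yes") {
                print ca; found = 1
            }
        }
        /^Request ID/          { check(); reset(); next }
        /^[ \t]*certificate: / { cert = $0 }
        /^[ \t]*CA: /          { sub(/^[ \t]*CA: /, ""); ca = $0 }
        /^[ \t]*track: /       { sub(/^[ \t]*track: /, ""); track = $0 }
        END                    { check(); exit(found ? 0 : 1) }
    '
}

# check_ipacert [DB] < getcert-list-output
# Returns 0 when ipaCert in DB (default /etc/httpd/alias) is tracked. Otherwise
# prints the start-tracking command quoted in the thread (renewal through the
# dogtag-ipa-retrieve-agent-submit helper, restart_httpd afterwards) and returns 1.
check_ipacert() {
    _db=${1:-/etc/httpd/alias}
    if _ca=$(tracking_ca "$_db" ipaCert); then
        echo "ipaCert in $_db: tracked (CA=$_ca)"
        return 0
    fi
    echo "ipaCert in $_db: NOT tracked; register it with:" >&2
    echo "getcert start-tracking -d $_db -n ipaCert -c dogtag-ipa-retrieve-agent-submit" \
         "-C /usr/lib64/ipa/certmonger/restart_httpd -p $_db/pwdfile.txt -T ipaCert"
    return 1
}

# Demo on the constructed samples.
sample_tracked   | check_ipacert
sample_untracked | check_ipacert || true
```

On a real server, pipe "getcert list -d /etc/httpd/alias -n ipaCert" into check_ipacert after the upgrade and after ipa-ca-install on each replica; a non-zero exit means the renewal tracking is missing and the printed command restores it.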
