[Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code

Petr Viktorin pviktori at redhat.com
Wed Mar 12 18:59:39 UTC 2014


On 03/10/2014 01:03 PM, Jan Cholasta wrote:
> On 17.10.2013 18:59, Jan Cholasta wrote:
>> On 17.10.2013 18:01, Petr Viktorin wrote:
>>> On 10/17/2013 02:21 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> this patchset contains refactoring of the certificate renewal code,
>>>> which will be the base for CA certificate renewal.
>>>>
>>>> The biggest change is a new certmonger CA helper
>>>> dogtag-ipa-ca-renew-agent, which replaces
>>>> dogtag-ipa-retrieve-agent-submit as well as parts of certmonger
>>>> post-commands used in certificate renewal. It provides more flexibility
>>>> when doing renewals and allows unified certmonger configuration on both
>>>> CA master and clones.
>>>>
>>>> How to test: Test both CA-ful and CA-less server and replica installs
>>>> and upgrades, check that certmonger is configured properly and
>>>> certificate renewal works (see
>>>> https://fedorahosted.org/freeipa/ticket/2803#comment:17 for details).

Certmonger is not configured/started in CA-less installs.

I tested fresh installs and upgrades; renewals work fine for me.

161-184 look OK

185: one more nitpick:
     cert = entry['usercertificate'][0]
Shouldn't that use entry.single_value?

186-189 look OK

190: Is
     fqdn = entries[0].dn[1].value
     return api.env.host == fqdn
safe? Can they differ in case, for example?

191-196 look OK

> Note that patches 178 & 179 were already pushed. Also, patch 190 was
> changed to store information about which CA instance is master in LDAP.


-- 
Petr³
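An added illustration of the case question raised above for patch 190; this is not code from the thread or from FreeIPA, and it models `api.env.host` and the LDAP-derived `fqdn` as plain strings. DNS names compare case-insensitively (RFC 4343) and a trailing dot only marks a name as fully qualified, so a byte-exact `==` can report that the local host is not the CA master when it is.

```python
def normalize_fqdn(name: str) -> str:
    """Canonicalize a host name before comparing it with another one.

    DNS labels are case-insensitive and a trailing dot is merely the
    fully-qualified marker, so neither should make two names differ.
    """
    return name.strip().rstrip(".").lower()


def naive_is_same_host(local_host: str, ldap_host: str) -> bool:
    """The byte-exact comparison from the reviewed snippet (api.env.host == fqdn)."""
    return local_host == ldap_host


def is_same_host(local_host: str, ldap_host: str) -> bool:
    """The comparison made robust against case and trailing-dot differences."""
    return normalize_fqdn(local_host) == normalize_fqdn(ldap_host)


# Constructed sample values standing in for api.env.host and the host name
# read out of the CA master entry's DN (hypothetical, not real deployment data).
LOCAL_HOST = "ipa1.example.test"
LDAP_VARIANTS = [
    "ipa1.example.test",       # identical: both checks agree
    "IPA1.Example.Test",       # same host, different case
    "ipa1.example.test.",      # same host, fully-qualified form
    "ipa2.example.test",       # a different host: both checks must say no
]


def compare_all(local_host: str, variants: list[str]) -> list[tuple[str, bool, bool]]:
    """Return (candidate, naive_result, normalized_result) for each variant."""
    return [(v, naive_is_same_host(local_host, v), is_same_host(local_host, v))
            for v in variants]


if __name__ == "__main__":
    for candidate, naive, robust in compare_all(LOCAL_HOST, LDAP_VARIANTS):
        print(f"{candidate:<24} naive={naive!s:<5} normalized={robust}")
```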