[Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code

Jan Cholasta jcholast at redhat.com
Tue Mar 25 14:05:20 UTC 2014


On 21.3.2014 09:46, Petr Viktorin wrote:
> On 03/19/2014 02:33 PM, Jan Cholasta wrote:
>> On 13.3.2014 13:41, Jan Cholasta wrote:
>>> On 12.3.2014 19:59, Petr Viktorin wrote:
>>>> Certmonger is not configured/started in CA-less installs.
>>>
>>> That's expected.
>>>
>>>>
>>>> I tested fresh installs and upgrades; renewals work fine for me.
>>>>
>>>> 161-184 look OK
>>>>
>>>> 185: one more nitpick:
>>>>      cert = entry['usercertificate'][0]
>>>> Shouldn't that use entry.single_value?
>>>
>>> I did not feel like changing this, because this is used in the original
>>> code and the userCertificate LDAP attribute is multi-value.
>
> Could you add a comment saying we don't care which of the certificates
> is returned? For me `entry[...][0]` is a red flag, since the order
> usually stays the same but it's not guaranteed, so it can change in the
> worst moment. If nothing else we shouldn't be leaving it in the code as
> an example of ipaldap usage.

After some consideration I have decided to use single_value after all, 
because the only way that multiple values could get in the attribute is 
that someone deliberately put them in there.

>
>>>
>>>>
>>>> 186-189 look OK
>>>>
>>>> 190: Is
>>>>      fqdn = entries[0].dn[1].value
>>>>      return api.env.host == fqdn
>>>> safe? Can they differ in case, for example?
>>>
>>> I guess so, will fix.
>>>
>>>>
>>>> 191-196 look OK
>>>>
>>>>> Note that patches 178 & 179 were already pushed. Also, patch 190 was
>>>>> changed to store information about which CA instance is master in
>>>>> LDAP.
>>
>> Updated patches attached.
>>
>> Note that I changed the path for CSR export to /var/lib/ipa/ca.csr to
>> make it more SELinux-friendly (not in the policy yet, see
>> <https://bugzilla.redhat.com/show_bug.cgi?id=1077689>).
>>

Updated patches attached.

Note I have also updated the CA master in LDAP code.

-- 
Jan Cholasta
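As an added illustration of the two review points discussed above (patch 185's `entry[...][0]` versus `single_value`, and patch 190's FQDN comparison), the following is a constructed Python model and not code from the patches or from ipaldap; the `Entry` and `RDN` classes are stand-ins for the real ipaldap types.

```python
from collections import namedtuple

# Constructed stand-in for one RDN of an ipaldap DN (the real RDN has .value too).
RDN = namedtuple('RDN', 'attr value')


class Entry(object):
    """Constructed stand-in for an ipaldap LDAPEntry: attribute names are
    case-insensitive and every attribute holds a list of values, so
    entry['userCertificate'] is always a list."""

    def __init__(self, dn, attrs):
        self.dn = dn  # list of RDNs, most specific first
        self._attrs = dict((k.lower(), list(v)) for k, v in attrs.items())

    def __getitem__(self, name):
        return self._attrs[name.lower()]

    def single_value(self, name):
        """Return the only value of an attribute. Refuses to silently pick
        entry[name][0] when the attribute unexpectedly carries several
        values, since LDAP does not guarantee their order."""
        values = self._attrs.get(name.lower(), [])
        if len(values) != 1:
            raise ValueError('%s has %d values, expected exactly one'
                             % (name, len(values)))
        return values[0]


def get_renewed_cert(entry):
    """Patch 185 review point: read the renewed certificate through
    single_value instead of indexing the multi-valued attribute."""
    return entry.single_value('userCertificate')


def is_ca_master(entries, local_host):
    """Patch 190 review point: the CA master is recorded by the host named in
    the second RDN of the entry's DN. DNS names are case-insensitive, so
    compare normalised forms instead of raw strings."""
    fqdn = entries[0].dn[1].value
    return fqdn.rstrip('.').lower() == local_host.rstrip('.').lower()


if __name__ == '__main__':
    # Constructed sample data, not values from the patches.
    entry = Entry([RDN('cn', 'ca_renewal'), RDN('cn', 'IPA.Example.COM')],
                  {'userCertificate': [b'DER-bytes-of-renewed-cert']})
    print(get_renewed_cert(entry))
    print(is_ca_master([entry], 'ipa.example.com'))
```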
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-172.3-Move-CACERT-definition-to-a-single-place.patch
Type: text/x-patch
Size: 13423 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-173.3-Do-not-create-CA-certificate-files-in-CA-less-server.patch
Type: text/x-patch
Size: 1928 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-174.3-Use-LDAP-API-to-upload-CA-certificate-instead-of-lda.patch
Type: text/x-patch
Size: 2811 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-175.3-Upload-CA-certificate-from-DS-NSS-database-in-CA-les.patch
Type: text/x-patch
Size: 3169 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-176.3-Remove-unused-method-export_ca_cert-of-dsinstance.patch
Type: text/x-patch
Size: 979 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-177.3-Show-progress-when-enabling-SSL-in-DS-in-ipa-server-.patch
Type: text/x-patch
Size: 3276 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-180.3-Use-certmonger-D-Bus-API-to-configure-certmonger-in-.patch
Type: text/x-patch
Size: 4923 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-181.3-Add-new-certmonger-CA-helper-dogtag-ipa-ca-renew-age.patch
Type: text/x-patch
Size: 4170 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-182.3-Update-pkcs10-module-functions-to-always-load-CSRs-a.patch
Type: text/x-patch
Size: 5484 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-183.3-Remove-unused-function-get_subjectaltname-from-the-c.patch
Type: text/x-patch
Size: 1324 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-184.3-Add-function-for-parsing-friendly-name-from-certific.patch
Type: text/x-patch
Size: 2869 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-185.3-Support-retrieving-renewed-certificates-from-LDAP-in.patch
Type: text/x-patch
Size: 3525 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-186.3-Use-dogtag-ipa-ca-renew-agent-to-retrieve-renewed-ce.patch
Type: text/x-patch
Size: 5177 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-187.3-Remove-dogtag-ipa-retrieve-agent-submit.patch
Type: text/x-patch
Size: 4906 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-188.3-Support-storing-renewed-certificates-to-LDAP-in-dogt.patch
Type: text/x-patch
Size: 5516 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-189.3-Use-dogtag-ipa-ca-renew-agent-to-track-certificates-.patch
Type: text/x-patch
Size: 13042 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0015.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-190.3-Store-information-about-which-CA-server-is-master-fo.patch
Type: text/x-patch
Size: 6668 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0016.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-191.3-Make-the-default-dogtag-ipa-ca-renew-agent-behavior-.patch
Type: text/x-patch
Size: 2866 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0017.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-192.3-Merge-restart_pkicad-functionality-to-renew_ca_cert-.patch
Type: text/x-patch
Size: 7785 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0018.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-193.3-Merge-restart_httpd-functionality-to-renew_ra_cert.patch
Type: text/x-patch
Size: 2246 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0019.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-194.3-Use-the-same-certmonger-configuration-for-both-CA-ma.patch
Type: text/x-patch
Size: 9618 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0020.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-195.3-Update-certmonger-configuration-in-ipa-upgradeconfig.patch
Type: text/x-patch
Size: 7235 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0021.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-196.3-Support-exporting-CSRs-in-dogtag-ipa-ca-renew-agent.patch
Type: text/x-patch
Size: 1745 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/1a30353e/attachment-0022.bin>
