[Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage

Jan Cholasta jcholast at redhat.com
Wed Oct 15 14:43:51 UTC 2014


Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4629>. 
It depends on my patches 333 and 334, which are also attached.

(The original patch was posted at 
<http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html>.)

How to test:

   1. install server

   2. kinit as admin

   3. run "ipa-cacert-manage renew --external-ca", it will produce a CSR

   4. sign the CSR with some external CA to get new IPA CA certificate

   5. run "while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>'; done" in the background

   6. run "ipa-cacert-manage renew --external-cert-file=<path to new IPA CA certificate> --external-cert-file=<path to external CA certificate chain>"

   7. stop the loop from step 5

   8. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'", the request should be in MONITORING state, there should be no ca-error

Honza

-- 
Jan Cholasta
Attachments (text/x-patch):

   freeipa-jcholast-333.2-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch (6851 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment.bin>

   freeipa-jcholast-334.2-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch (6262 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment-0001.bin>

   freeipa-jcholast-335.2-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch (3804 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment-0002.bin>
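Steps 5 to 8 of the test procedure above as a script, added here as an example and not part of the patches or of FreeIPA itself. It assumes a running IPA server with an admin ticket already obtained, takes the new CA certificate, the chain file and the LDAP suffix as arguments, and relies on `getcert list` printing `status:` and `ca-error:` lines for the tracked request.

```bash
#!/bin/bash
# Added example: scripted race test for the ca_renewal entry (steps 5-8
# of the mail). Assumes an IPA server, admin Kerberos ticket, and that
# "getcert list" prints "status: ..." and, on failure, "ca-error: ..." lines.
set -u

# Step 8 check: read a "getcert list" dump from stdin and succeed only if the
# request is in MONITORING state and no ca-error line is present.
check_request_state() {
    local out status
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*status: //p' | head -n1)
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*ca-error:'; then
        return 1
    fi
    [ "$status" = "MONITORING" ]
}

# Steps 5-8: delete the renewal entry in a loop while the renew runs, then
# stop the loop and inspect the certmonger request.
run_race_test() {
    local new_cert=$1 chain=$2 suffix=$3
    local dn="cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,$suffix"
    local host=${HOSTNAME:-$(hostname -f)}
    ( while true; do ldapdelete -H "ldap://$host" -Y GSSAPI "$dn" >/dev/null 2>&1; done ) &
    local loop_pid=$!
    ipa-cacert-manage renew --external-cert-file="$new_cert" --external-cert-file="$chain"
    echo "ipa-cacert-manage renew exited with status $?"
    kill "$loop_pid" 2>/dev/null
    wait "$loop_pid" 2>/dev/null
    getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | check_request_state
}

# Constructed sample dumps (not real getcert output) to exercise the check.
SAMPLE_OK=$(printf 'Request ID %s:\n\tstatus: MONITORING\n\tstuck: no\n' "'20141015000000'")
SAMPLE_BAD=$(printf 'Request ID %s:\n\tstatus: MONITORING\n\tca-error: Server failed request\n' "'20141015000000'")

# Usage: script.sh <new IPA CA cert> <external CA chain> <suffix>
if [ $# -eq 3 ]; then
    run_race_test "$@" && echo "PASS: request is MONITORING with no ca-error" || echo "FAIL"
fi
```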