[Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
Jan Cholasta
jcholast at redhat.com
Wed Oct 15 14:43:51 UTC 2014
Hi,
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4629>.
It depends on my patches 333 and 334, which are also attached.
(The original patch was posted at
<http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html>.)
How to test:
1. install server
2. kinit as admin
3. run "ipa-cacert-manage renew --external-ca", it will produce a CSR
4. sign the CSR with some external CA to get the new IPA CA certificate
5. run "while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>'; done" in background
6. run "ipa-cacert-manage renew --external-cert-file=<path to new IPA CA certificate> --external-cert-file=<path to external CA certificate chain>"
7. stop the loop from step 5
8. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'", the request should be in MONITORING state, there should be no ca-error
Honza
--
Jan Cholasta
-------------- next part --------------
Name: freeipa-jcholast-333.2-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch
Type: text/x-patch
Size: 6851 bytes
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment.bin>
-------------- next part --------------
Name: freeipa-jcholast-334.2-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch
Type: text/x-patch
Size: 6262 bytes
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment-0001.bin>
-------------- next part --------------
Name: freeipa-jcholast-335.2-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch
Type: text/x-patch
Size: 3804 bytes
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141015/42665a17/attachment-0002.bin>
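Steps 5 to 8 of the test procedure above, automated as a POSIX shell script. This is an added example, not part of the original post or of the FreeIPA code base. It assumes steps 1 to 4 have already been done (server installed, admin ticket obtained, CSR signed by the external CA), that the caller passes the LDAP suffix and the paths to the new IPA CA certificate and the external CA chain, and that `getcert list` prints one "status:" line per request plus a "ca-error:" line when certmonger recorded a failure, which is exactly what the check function looks for. The sample `getcert list` outputs embedded in the script are constructed to approximate certmonger's format; they are not captured from a real system.

```shell
#!/bin/sh
# Added example: automates steps 5-8 of the test procedure in the post.
# Not FreeIPA code. Assumes steps 1-4 are done and the caller supplies the
# LDAP suffix and the two certificate files (see run_race_test).

# Read `getcert list` output on stdin and classify the tracked request:
#   0 - status is MONITORING and there is no ca-error line (expected result)
#   2 - a ca-error line is present (certmonger reported a failure)
#   1 - no ca-error, but the status is something other than MONITORING
check_getcert_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*ca-error:'; then
        return 2
    fi
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*status: MONITORING$'; then
        return 0
    fi
    return 1
}

# Steps 5-8: keep deleting the ca_renewal entry in the background while
# ipa-cacert-manage renew runs, stop the loop, then inspect certmonger.
# Arguments: <suffix> <new IPA CA cert file> <external CA chain file>
run_race_test() {
    suffix=$1
    ipa_ca_cert=$2
    ext_ca_chain=$3
    host=${HOSTNAME:-$(hostname)}
    dn="cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,$suffix"

    # step 5: delete the entry in a loop, in the background
    ( while true; do
          ldapdelete -H "ldap://$host" -Y GSSAPI "$dn" >/dev/null 2>&1
      done ) &
    loop_pid=$!

    # step 6: install the externally signed CA certificate; record its exit status
    renew_rc=0
    ipa-cacert-manage renew --external-cert-file="$ipa_ca_cert" \
        --external-cert-file="$ext_ca_chain" || renew_rc=$?
    echo "ipa-cacert-manage renew exited with status $renew_rc"

    # step 7: stop the loop
    kill "$loop_pid"
    wait "$loop_pid" 2>/dev/null || true

    # step 8: the request must be in MONITORING state with no ca-error
    getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' \
        | check_getcert_output
}

# Constructed sample outputs approximating `getcert list` for the CA signing
# certificate request (not captured from a real system).
sample_monitoring() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20141015143000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        track: yes
        auto-renew: yes
EOF
}

sample_ca_error() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20141015143000':
        status: CA_UNREACHABLE
        ca-error: constructed sample error message
        stuck: yes
        CA: dogtag-ipa-ca-renew-agent
EOF
}

sample_ca_working() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20141015143000':
        status: CA_WORKING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
EOF
}

# Run the live procedure only when invoked as:
#   sh this.sh run <suffix> <new-ipa-ca-cert> <external-ca-chain>
if [ "${1:-}" = run ]; then
    run_race_test "$2" "$3" "$4"
fi
```

The exit status of `ipa-cacert-manage renew` is only reported, not asserted on, since the post states the expected outcome in terms of the certmonger request (MONITORING, no ca-error), which is what `check_getcert_output` verifies; run it as root with a valid admin ticket, as the original steps require.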