[Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal

Jan Cholasta jcholast at redhat.com
Fri Jul 1 04:07:37 UTC 2016


On 29.6.2016 10:41, Fraser Tweedale wrote:
> On Wed, Jun 29, 2016 at 09:30:17AM +0200, Jan Cholasta wrote:
>> On 29.6.2016 08:55, Jan Cholasta wrote:
>>> On 24.6.2016 08:49, Fraser Tweedale wrote:
>>>> On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 21.6.2016 08:24, Fraser Tweedale wrote:
>>>>>> The attached patches add lightweight CA renewal.  There are two
>>>>>> substantive aspects:
>>>>>>
>>>>>> 1. The renew_ca_cert updates the serial number in the lightweight
>>>>>> CA's entry in the Dogtag database.  This causes CA clones to observe
>>>>>> the renewal and update the certs in their own NSSDBs.
>>>>>>
>>>>>> 2. The ipa-certupdate command adds Certmonger tracking requests for
>>>>>> lightweight CAs (on the renewal master only).
>>>>>>
>>>>>> Correct behaviour also depends on my patch 0069 (in-server API for
>>>>>> renew_ca_cert script).
>>>>>
>>>>> Patch 0072-0074: LGTM
>>>>>
>>>>> Patch 0075:
>>>>>
>>>>> 1) Lightweight CA certs should be tracked by certmonger on all CA
>>>>> servers, not just on the renewal master. The behavior should be the
>>>>> same as for the main CA cert, i.e. the actual renewal is done only on
>>>>> the renewal master, other CA servers only update their NSS DBs (this is
>>>>> handled in dogtag-ipa-ca-renew-agent-submit).
>>>>>
>>>>> This is important because CA renewal master can change at any time, and
>>>>> without all CA certs being tracked on all CA servers, there is no
>>>>> guarantee the renewal would happen.
>>>>>
>>>>> 2) Since CA clones update their NSS DBs on their own,
>>>>> dogtag-ipa-ca-renew-agent should be updated not to put them in
>>>>> cn=ca_renewal,cn=ipa,cn=etc.
>>>>>
>>>> Thanks for the review, Honza.  Updated patch 0075-2 attached.
>>>
>>> Thanks, ACK.
>>>
>>> Rebased patch 0072 and pushed to master:
>>> 0078e7a9192a940104d8f6621b33d24d814c109b
>>>
>>> It would be nice if lightweight CAs known at replica install time were
>>> tracked without having to manually run ipa-certupdate after
>>> ipa-replica-install. Shall I file a ticket for this, or will you be able
>>> to provide a patch before Friday?

<https://fedorahosted.org/freeipa/ticket/6019>

>>
>> Also, the certs should be untracked on server uninstall.

<https://fedorahosted.org/freeipa/ticket/6020>

>>
> File the ticket, and I'll try to address by Friday anyways :)
>
> Thanks,
> Fraser
>


-- 
Jan Cholasta
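Review point 1 above is a tracking-coverage requirement: every CA server, not only the renewal master, must have a certmonger request for the main CA cert and for each lightweight CA cert, otherwise a change of renewal master can leave a lightweight CA with no renewal path. The script below is an added example (not FreeIPA or Dogtag code, and not part of this thread) of how an administrator could verify that on a given CA server: it parses the block layout of `getcert list` output and reports expected NSS DB nicknames with no tracking request. The sample output is constructed to resemble getcert's layout, the `dogtag-ipa-ca-renew-agent` CA name and the `pki-tomcat/alias` NSS DB path come from the thread's context, and the lightweight CA nicknames (`caSigningCert cert-pki-ca <authority id>`) are assumed sample values.

```python
import re

# Constructed sample shaped like `getcert list` output; not captured from a
# real server. Nicknames and request IDs are made up for the example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160629000001':
    status: MONITORING
    stash: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2036-06-29 00:00:01 UTC
Request ID '20160629000002':
    status: MONITORING
    stash: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-0000-0000-0000-000000000001',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-0000-0000-0000-000000000001',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2021-06-29 00:00:01 UTC
"""

# Assumed nicknames to check on this server: the main CA cert plus two
# lightweight CAs, one of which has no tracking request in the sample.
EXPECTED_NICKNAMES = [
    "caSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca 00000000-0000-0000-0000-000000000001",
    "caSigningCert cert-pki-ca 00000000-0000-0000-0000-000000000002",
]


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for each "Request ID '...':" block.

    Field lines are the indented "key: value" lines that follow a block header;
    anything before the first header (e.g. the summary line) is ignored."""
    requests = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {}
            requests[header.group(1)] = current
            continue
        if current is not None and line.startswith((" ", "\t")):
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return requests


def tracked_nicknames(requests):
    """Map NSS DB nickname -> (request id, status, CA helper) from parsed blocks."""
    result = {}
    for request_id, fields in requests.items():
        storage = fields.get("key pair storage", "")
        nick = re.search(r"nickname='([^']*)'", storage)
        if nick:
            result[nick.group(1)] = (request_id, fields.get("status"), fields.get("CA"))
    return result


def untracked(expected_nicknames, getcert_output):
    """Return, sorted, the expected nicknames that have no certmonger request."""
    tracked = tracked_nicknames(parse_getcert_list(getcert_output))
    return sorted(set(expected_nicknames) - set(tracked))


if __name__ == "__main__":
    # On a real server the input would be the output of `getcert list`.
    missing = untracked(EXPECTED_NICKNAMES, SAMPLE_GETCERT_OUTPUT)
    for nickname in missing:
        print("not tracked by certmonger: %s" % nickname)
```

Run against the real `getcert list` output on each CA server (not only the renewal master) after `ipa-certupdate`; any nickname reported as untracked is a lightweight CA that would not be renewed if that server became the renewal master.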