[Freeipa-devel] [PATCH] 0007 Fix ipa-server-certinstall with certs signed by 3rd-party CA

Petr Vobornik pvoborni at redhat.com
Thu Jun 30 13:00:56 UTC 2016


On 06/29/2016 02:17 PM, Stanislav Laznicka wrote:
> On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
>> The scenario is the following:
>> - install the server with an embedded CA
>> - use ipa-cacert-manage to install a 3rd party CA
>> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS 
>> databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and 
>> /etc/dirsrv/slapd-XXX)
>> - use ipa-server-certinstall to replace the Directory/Apache server 
>> certificates with a cert signed by the 3rd party CA.
>>
>> Note that I had to run ipa-certupdate after setting selinux to permissive mode 
>> (otherwise the cert does not get into /etc/pki/pki-tomcat/alias) and a bz has 
>> been opened against selinux-policy to solve this issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4785
>> https://fedorahosted.org/freeipa/ticket/4786
>>
>>
> Hello,
> 
> The patch works as expected with the selinux requirement you mentioned. I will 
> just add Honza for code sanity check. Therefore conditional ACK if the code can 
> take no further improvements.
> 
> Standa
> 
> 

Pushed to master: 025cfd911bce6214ef2b4311b16c5b6df6ad173a

According to Honza, it doesn't solve all corner cases. This can be fixed
in the future. Honza, please open a ticket with the corner cases when you
have time.

-- 
Petr Vobornik
