[Freeipa-devel] #5881 / bz1327092 ; fixing broken caIPAserviceCert profile

Jan Cholasta jcholast at redhat.com
Wed May 11 11:31:36 UTC 2016


On 11.5.2016 11:22, Fraser Tweedale wrote:
> Hi,
>
> Re: Bug 1327092 - URI details missing and OCSP-URI details are
> incorrectly displayed when certificate generated using IPA.
>
> This issue occurs when replica installation overwrites the existing
> IPA version of the caIPAserviceCert profile with the version shipped
> with Dogtag.  My patch 0057 prevents the issue from occurring but
> does not repair installations where the problem already happened.
>
> For repair, one possibility is to detect when this has occurred, and
> re-import the IPA version of the profile.  IMO this would be quite
> brittle, e.g. if the profile shipped with Dogtag changes or if user
> has made other changes to the profile it may no longer work.
>
> I propose to add a new option to ``ipa certprofile-mod`` which can
> be used to restore profiles shipped with IPA to a "pristine" state.
> This would allow admins of affected installations to run a single
> command to repair the profile, but I think it is an independently
> useful feature, e.g. if admin messes up a profile but didn't keep a
> backup of the original config, they can easily get back to the
> original state.
>
> The new option would only be applicable to included profiles (error
> otherwise).  I suggest it be called ``--reset``.  Example usage:
>
>     ipa certprofile-mod caIPAserviceCert --reset
>
> All comments welcome!

NACK,

1) This is a separate operation, so it should be a separate command.

2) I don't think it is generally a good idea to have a command which 
relies on some file being existent or having expected content on all 
replicas.

3) I would rather avoid adding new commands just to work around bugs. 
IMO "certprofile-import caIPAserviceCert 
/usr/share/ipa/profiles/caIPAserviceCert.cfg" should be good enough in 
this case.

Honza

-- 
Jan Cholasta
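A drift check for the overwrite Fraser describes and the re-import Honza suggests, as an added example that is not part of this thread or of FreeIPA: it compares a deployed profile export (for instance written with `ipa certprofile-show caIPAserviceCert --out FILE`) against the shipped `/usr/share/ipa/profiles/caIPAserviceCert.cfg` and names the keys that went missing or changed, so an admin can confirm the overwrite happened before re-importing. The profile contents used below are constructed sample data, not the real profile.

```shell
# normalize_cfg FILE: drop full-line comments and blank lines, trim
# whitespace and sort, so mere reordering is not reported as drift.
normalize_cfg() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | sort
}

# drift_keys SHIPPED DEPLOYED: print keys whose shipped line is missing or
# changed in the deployed copy (no output means no drift).
drift_keys() {
    tmp_s=$(mktemp); tmp_d=$(mktemp)
    normalize_cfg "$1" > "$tmp_s"
    normalize_cfg "$2" > "$tmp_d"
    comm -23 "$tmp_s" "$tmp_d" | cut -d= -f1
    rm -f "$tmp_s" "$tmp_d"
}

# profile_drift SHIPPED DEPLOYED: return 0 if identical, 1 (listing keys) if not.
profile_drift() {
    keys=$(drift_keys "$1" "$2")
    [ -z "$keys" ] && return 0
    printf 'profile drifted from shipped copy; affected keys:\n%s\n' "$keys" >&2
    return 1
}

# Constructed sample input, loosely modelled on Dogtag's key=value layout:
# the "shipped" copy carries IPA's OCSP/CRL URIs, the "deployed" copy lost them.
SAMPLE_DIR=$(mktemp -d)
SHIPPED="$SAMPLE_DIR/caIPAserviceCert.shipped.cfg"
DEPLOYED="$SAMPLE_DIR/caIPAserviceCert.deployed.cfg"
cat > "$SHIPPED" <<'EOF'
profileId=caIPAserviceCert
policyset.serverCertSet.9.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.9.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.test/ca/ocsp
policyset.serverCertSet.10.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.10.default.params.crlDistPointsPointName_0=http://ipa-ca.example.test/ipa/crl/MasterCRL.bin
EOF
cat > "$DEPLOYED" <<'EOF'
profileId=caIPAserviceCert
policyset.serverCertSet.9.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.9.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.10.default.class_id=crlDistributionPointsExtDefaultImpl
EOF

# On a real server: profile_drift /usr/share/ipa/profiles/caIPAserviceCert.cfg EXPORTED_FILE
profile_drift "$SHIPPED" "$DEPLOYED" || echo "re-import the shipped profile on this replica"
```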
