[Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs
Petr Viktorin
pviktori at redhat.com
Thu Mar 28 17:14:39 UTC 2013
On 03/28/2013 12:20 PM, Petr Viktorin wrote:
> On 03/26/2013 04:48 PM, Petr Viktorin wrote:
>> [...]
>
> This update adds a check for validity of the server cert's hostname,
> using python-nss.
>
And another update.
Patch 204: Fix default ID range in ipa-server-install
New patch 206: The host plugin assumed cert-* commands are always
available, and failed when removing/updating a host because it could
not revoke the certificate. This leaves out the revocation if there's no CA.
The tests should pass now.
The Web UI currently assumes cert-* commands are always available. I'm
testing a patch from Petr¹ that will fix this.
Also, clients currently call cert-request via certmonger. This fails. A
patch to not request the host certificate in ipa-client-install is
coming up.
As far as I know, the failing request doesn't hurt anything; old clients
should work fine, certmonger will just spam the syslog.
I'll add steps to remove the request on old clients to the design doc.
--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0204.4-Support-installing-with-custom-SSL-certs-without-a-C.patch
Type: text/x-patch
Size: 21104 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/6b57f117/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0206-Do-not-call-cert-commands-in-host-plugin-if-a-RA-is-.patch
Type: text/x-patch
Size: 4859 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/6b57f117/attachment-0001.bin>