[Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code

Jan Cholasta jcholast at redhat.com
Thu Mar 13 12:41:31 UTC 2014


On 12.3.2014 19:59, Petr Viktorin wrote:
> On 03/10/2014 01:03 PM, Jan Cholasta wrote:
>> On 17.10.2013 18:59, Jan Cholasta wrote:
>>> On 17.10.2013 18:01, Petr Viktorin wrote:
>>>> On 10/17/2013 02:21 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> this patchset contains refactoring of the certificate renewal code,
>>>>> which will be the base for CA certificate renewal.
>>>>>
>>>>> The biggest change is a new certmonger CA helper
>>>>> dogtag-ipa-ca-renew-agent, which replaces
>>>>> dogtag-ipa-retrieve-agent-submit as well as parts of certmonger
>>>>> post-commands used in certificate renewal. It provides more
>>>>> flexibility
>>>>> when doing renewals and allows unified certmonger configuration on
>>>>> both
>>>>> CA master and clones.
>>>>>
>>>>> How to test: Test both CA-ful and CA-less server and replica installs
>>>>> and upgrades, check that certmonger is configured properly and
>>>>> certificate renewal works (see
>>>>> https://fedorahosted.org/freeipa/ticket/2803#comment:17 for details).
>
> Certmonger is not configured/started in CA-less installs.

That's expected.

>
> I tested fresh installs and upgrades; renewals work fine for me.
>
> 161-184 look OK
>
> 185: one more nitpick:
>      cert = entry['usercertificate'][0]
> Shouldn't that use entry.single_value?

I did not feel like changing this, because this is used in the original 
code and the userCertificate LDAP attribute is multi-value.

>
> 186-189 look OK
>
> 190: Is
>      fqdn = entries[0].dn[1].value
>      return api.env.host == fqdn
> safe? Can they differ in case, for example?

I guess so, will fix.

>
> 191-196 look OK
>
>> Note that patches 178 & 179 were already pushed. Also, patch 190 was
>> changed to store information about which CA instance is master in LDAP.
>
>


-- 
Jan Cholasta
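The review point on patch 190 (whether `api.env.host == fqdn` is safe when the two names differ only in case) is worth seeing in code. The following is an added example, not code from the FreeIPA patches discussed in this thread: it places the plain string comparison quoted above beside a normalized comparison that treats DNS names as case-insensitive and ignores a trailing root dot. The `SAMPLE_ENTRIES` structure and the `master_fqdn`/`is_ca_master` helpers are constructed assumptions that only mirror the shape of the quoted `entries[0].dn[1].value` access; they are not the real ipaldap DN type.

```python
# Added example; not code from the FreeIPA patches under review.
# DNS names are case-insensitive and may carry a trailing root dot, so a
# byte-for-byte equality test like the one quoted in the review
# ("api.env.host == fqdn") can wrongly answer "not the CA master" when LDAP
# stores the host name in a different letter case than the local config.
# The sample LDAP data below is constructed for this example.


def naive_same_host(local_host: str, ldap_host: str) -> bool:
    """The unsafe comparison from the review: plain string equality."""
    return local_host == ldap_host


def normalize_hostname(name: str) -> str:
    """Canonical form for comparing DNS names: trimmed, no root dot, lower-case."""
    name = name.strip()
    if name.endswith("."):
        name = name[:-1]
    return name.lower()


def same_host(local_host: str, ldap_host: str) -> bool:
    """Case-insensitive, root-dot-insensitive host name equality."""
    return normalize_hostname(local_host) == normalize_hostname(ldap_host)


# Constructed stand-in for an LDAP search result. Each entry's DN is a list of
# (attribute, value) RDN pairs, so entries[0]["dn"][1] plays the role of
# entries[0].dn[1] in the quoted snippet. Hypothetical layout only.
SAMPLE_ENTRIES = [
    {
        "dn": [
            ("cn", "CA"),
            ("cn", "Master.Example.COM"),   # mixed case, as an admin might have typed it
            ("cn", "masters"),
            ("cn", "ipa"),
            ("cn", "etc"),
        ]
    }
]


def master_fqdn(entries) -> str:
    """Pull the CA master's host name out of the first entry's DN (assumed layout)."""
    return entries[0]["dn"][1][1]


def is_ca_master(entries, local_host: str) -> bool:
    """Safe form of the patch-190 check: normalized comparison instead of ==."""
    return same_host(local_host, master_fqdn(entries))


if __name__ == "__main__":
    local = "master.example.com"
    print("naive:", naive_same_host(local, master_fqdn(SAMPLE_ENTRIES)))   # False
    print("normalized:", is_ca_master(SAMPLE_ENTRIES, local))             # True
```

With the constructed entry the naive check reports that the local host is not the CA master purely because of letter case, while the normalized check gets it right; the same normalization also handles a name that LDAP or DNS returns with a trailing dot.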
