[Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
David Kupka
dkupka at redhat.com
Mon Nov 3 15:01:19 UTC 2014
On 10/15/2014 04:43 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4629>.
> It depends on my patches 333 and 334, which are also attached.
>
> (The original patch was posted at
> <http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html>.)
>
>
> How to test:
>
> 1. install server
>
> 2. kinit as admin
>
> 3. run "ipa-cacert-manage renew --external-ca", it will produce a CSR
>
> 4. sign the CSR with some external CA to get new IPA CA certificate
>
> 5. run "while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI
> 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>';
> done" in background
>
> 6. run "ipa-cacert-manage renew --external-cert-file=<path to new IPA
> CA certificate> --external-cert-file=<path to external CA certificate
> chain>"
>
> 7. stop the loop from step 5
>
> 8. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
> cert-pki-ca'", the request should be in MONITORING state, there should
> be no ca-error
>
> Honza
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
Works for me, ACK.
Please push only the patch freeipa-jcholast-335. Patches
freeipa-jcholast-333 and freeipa-jcholast-334 were pushed earlier.
--
David Kupka
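The check in step 8 of Honza's test procedure, in scripted form, as an added example that is not part of this thread or of FreeIPA itself. `check_request_state` and the two `sample_*` functions are names chosen here, and the sample `getcert list` output (including the ca-error wording) is constructed.

```shell
# Added example (not from the thread or FreeIPA): the step-8 check, scripted.
# Reads `getcert list` output on stdin; succeeds only when the request whose
# certificate has NSS nickname $1 is MONITORING and carries no ca-error line.
check_request_state() {
    awk -v nick="$1" '
        # Judge the request block that just ended, if it was the one we want.
        function flush() {
            if (matched) {
                found = 1
                if (status == "MONITORING" && caerr == "") ok = 1
            }
            matched = 0; status = ""; caerr = ""
        }
        /^Request ID/        { flush() }
        /^[ \t]*status:/     { status = $2 }
        /^[ \t]*ca-error:/   { caerr = $0 }
        # \047 is a single quote: the nickname is quoted in the certificate line.
        /^[ \t]*certificate:/ && index($0, "nickname=\047" nick "\047") { matched = 1 }
        END { flush(); rc = (found && ok) ? 0 : 1; exit rc }
    '
}

# Constructed sample in the shape of `getcert list` output: healthy request.
sample_good() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20141103150119':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
EOF
}

# Constructed sample: renewal failed, ca-error present (error text made up).
sample_bad() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20141103150119':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    ca-error: CA certificate not found in LDAP (constructed text)
EOF
}

# Live use: getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' \
#   | check_request_state 'caSigningCert cert-pki-ca' && echo "renewal OK"
```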