[Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
Martin Kosek
mkosek at redhat.com
Wed Nov 5 14:27:24 UTC 2014
On 11/03/2014 04:01 PM, David Kupka wrote:
> On 10/15/2014 04:43 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4629>.
>> It depends on my patches 333 and 334, which are also attached.
>>
>> (The original patch was posted at
>> <http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html>.)
>>
>>
>> How to test:
>>
>> 1. install server
>>
>> 2. kinit as admin
>>
>> 3. run "ipa-cacert-manage renew --external-ca", it will produce a CSR
>>
>> 4. sign the CSR with some external CA to get new IPA CA certificate
>>
>> 5. run "while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI
>> 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>';
>> done" in background
>>
>> 6. run "ipa-cacert-manage renew --external-cert-file=<path to new IPA
>> CA certificate> --external-cert-file=<path to external CA certificate
>> chain>"
>>
>> 7. stop the loop from step 5
>>
>> 8. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
>> cert-pki-ca'", the request should be in MONITORING state, there should
>> be no ca-error
>>
>> Honza
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
>
> Works for me, ACK.
>
> Please push only the patch freeipa-jcholast-335. Patches freeipa-jcholast-333
> and freeipa-jcholast-334 were pushed earlier.
>
Pushed to:
master: 2cf0f0a658ba3151596e3782c76d6273362080cf
ipa-4-1: 59af17d5e42ee50b000b18f6e420cf26737d055d
Martin
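Step 8 of the test procedure quoted above ends with a manual look at `getcert list` output. The following script, added here as an example and not part of the original thread or of the FreeIPA code base, parses that output and reports whether the request for the given nickname is in MONITORING state, is not stuck and carries no ca-error. The sample output embedded in the script is constructed for the example (request IDs, issuer names and the ca-error text are made up); the field layout follows what `getcert list` prints for a certificate tracked in an NSS database. The nickname and database path are the ones used in the quoted step.

```python
import re
import subprocess
import sys

# Constructed sample of `getcert list` output: one healthy request and one
# that got stuck with a ca-error. Values are invented for this example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141105142724':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=External Root CA,O=EXAMPLE
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2034-11-05 14:27:24 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20141105142725':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4301 (constructed error text).
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request.

    Each dict holds the request id plus every indented "key: value" line
    of that block (status, stuck, certificate, ca-error, ...)."""
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']*)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        # Only indented lines belong to the current request block.
        if current is None or not line.startswith(("\t", " ")):
            continue
        key, sep, value = line.strip().partition(": ")
        if sep:
            current[key] = value
    return requests


def nickname_of(req):
    """Extract the NSS nickname from the request's 'certificate:' field."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else None


def check_tracking(text, nickname):
    """Return (ok, reason) for the request tracking `nickname`.

    ok is True only when the request is in MONITORING state, is not
    marked stuck and has no ca-error line, which is the expected state
    after a successful ipa-cacert-manage renew."""
    for req in parse_getcert_list(text):
        if nickname_of(req) != nickname:
            continue
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status is %s" % req.get("status"))
        if req.get("stuck") == "yes":
            problems.append("request is stuck")
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        return (not problems, "; ".join(problems) or "ok")
    return (False, "no tracking request found for nickname %r" % nickname)


def live_getcert_output(nssdb="/etc/pki/pki-tomcat/alias",
                        nickname="caSigningCert cert-pki-ca"):
    """Run the getcert command from the test procedure on a real server."""
    return subprocess.check_output(
        ["getcert", "list", "-d", nssdb, "-n", nickname],
        universal_newlines=True)


if __name__ == "__main__":
    # With --live the check runs against the local certmonger; otherwise
    # it runs on the constructed sample so the script works offline.
    nick = "caSigningCert cert-pki-ca"
    text = live_getcert_output() if "--live" in sys.argv else SAMPLE_GETCERT_OUTPUT
    ok, reason = check_tracking(text, nick)
    print("%s: %s" % (nick, reason))
    sys.exit(0 if ok else 1)
```

Run it without arguments to exercise the parser on the embedded sample; on a server where the quoted procedure was just carried out, `--live` performs step 8 and exits non-zero when the request is not in the expected state.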