[Freeipa-users] Dogtag certs did not auto-renew, very stuck!

Martin Basti mbasti at redhat.com
Thu Feb 23 09:27:37 UTC 2017



On 23.02.2017 10:21, Timo Aaltonen wrote:
> On 23.02.2017 02:04, Peter Fern wrote:
>> On 23/02/17 05:26, Rob Crittenden wrote:
>>> It's been many moons since I worked on nss-pem but from what I can tell
>>> it should be buildable outside of NSS so can ship as a separate package.
>>> You might try building it locally to see if it resolves the issues for
>>> you. It resides at https://github.com/kdudka/nss-pem
>> I had to modify an include path, and it links against some static libs
>> (libfreebl.a, libnssb.a, libnssckfw.a) that are not included in the
>> current Debian libnss3 packages, so a non-trivial packaging effort.  And
>> because certmonger appears to use nss directly, linking against a
>> different libcurl variant is also probably not an option.
>>
>> There are other issues too - the default cert store path of
>> /etc/httpd/alias is still used in the deb package, however the correct
>> path is /etc/apache2/nssdb.
> Good stuff, neatly hardcoded in src/dogtag.c. Thanks for pointing this
> out, I'll get that fixed at least..
>
> And as you noticed, packaging nss-pem is not a trivial task because of
> the way it uses private NSS APIs that the libnss maintainer refuses to
> make public.. OpenSSL, anyone? :P
>
We are working on it :) In the future, IPA may need only OpenSSL.




