[freeipa PR#1232][opened] Making ipa-ca-install more resilient
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/1232
Author: frasertweedale
Title: #1232: Making ipa-ca-install more resilient
Action: opened
PR body:
"""
, or: *Proactively run ipa-certupdate for great good!*
These commits fix a couple of issues that can occur after a deployment has been
promoted from CA-less to CA-ful, and the admin does not follow up with
`ipa-certupdate`. (And why should they have to?)
```
a9ad3b5ab (Fraser Tweedale, 6 days ago)
Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installation (using ipa-ca-install),
the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA framework
and Dogtag (it cannot verify the Dogtag server certificate).
Perform a CertUpdate as the final step when promoting a CA-less deployment
to CA-ful.
Fixes: https://pagure.io/freeipa/issue/7230
21fbf7088 (Fraser Tweedale, 7 days ago)
ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that the
relevant CA cert is present. This is necessary if the admin has just
promoted the topology from CA-less to CA-ful but didn't manually run
ipa-certupdate afterwards.
Fixes: https://pagure.io/freeipa/issue/6577
9520781fb (Fraser Tweedale, 7 days ago)
CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other programs
(e.g. as a first step of ipa-ca-install). Refactor
ipa_certupdate.CertUpdate to make it easy to do that. In particular, make
it possible to use an already-initialised API object.
Part of: https://pagure.io/freeipa/issue/6577
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1232/head:pr1232
git checkout pr1232
[freeipa PR#1347][opened] Prevent set_directive from clobbering other keys
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/1347
Author: frasertweedale
Title: #1347: Prevent set_directive from clobbering other keys
Action: opened
PR body:
"""
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is a prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
-----
Cause: corner case.
How to test:
1. ensure `ca.sslserver.certreq=<base64 CSR>` exists in `ca/CS.cfg`.
2. resubmit Certmonger tracking request for `Server-Cert cert-pki-ca` Dogtag system cert.
3. verify that `ca.sslserver.certreq=<base64 CSR>` still exists in `ca/CS.cfg`.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1347/head:pr1347
git checkout pr1347
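The prefix-matching bug described in PR#1347, shown as an added example rather than FreeIPA's own `set_directive` code: the buggy variant treats any line that merely starts with the key as that key, so updating `ca.sslserver.cert` also swallows the `ca.sslserver.certreq` line; the fixed variant anchors the match on the whole key up to the separator. The CS.cfg fragment and the function names are constructed for this illustration.

```python
import re

# Constructed CS.cfg fragment (sample data, not from a real deployment).
SAMPLE_CFG = (
    "ca.sslserver.cert=OLDCERTBASE64\n"
    "ca.sslserver.certreq=CSRBASE64\n"
    "ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
)


def set_directive_prefix_match(text, directive, value, separator="="):
    """Pre-fix behaviour as the PR describes it (a reconstruction, not the
    project's code): a line is taken to be the directive whenever it starts
    with the key, so 'ca.sslserver.cert' also matches 'ca.sslserver.certreq'."""
    out, done = [], False
    for line in text.splitlines():
        if line.lstrip().startswith(directive):
            if not done:
                out.append(f"{directive}{separator}{value}")
                done = True
            continue  # further prefix matches are dropped: certreq is clobbered
        out.append(line)
    if not done:
        out.append(f"{directive}{separator}{value}")
    return "\n".join(out) + "\n"


def set_directive_exact_match(text, directive, value, separator="="):
    """Fixed behaviour: only a line whose key, up to the separator, equals the
    directive is rewritten, so 'ca.sslserver.certreq' survives a cert renewal."""
    pattern = re.compile(r"^\s*" + re.escape(directive) + re.escape(separator))
    out, done = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{directive}{separator}{value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{directive}{separator}{value}")
    return "\n".join(out) + "\n"


def directives(text):
    """Parse key=value lines into a dict so the two behaviours can be compared."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
```

Running both variants over `SAMPLE_CFG` with directive `ca.sslserver.cert` reproduces the "How to test" check from the PR: the prefix variant loses `ca.sslserver.certreq`, the exact variant keeps it.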