[freeipa PR#5199][opened] Change KRA profiles in certmonger tracking so they can renew
by rcritten
URL: https://github.com/freeipa/freeipa/pull/5199
Author: rcritten
Title: #5199: Change KRA profiles in certmonger tracking so they can renew
Action: opened
PR body:
"""
Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented renewals.
dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.
There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
**NOTE**: This is WIP because the necessary profile is only in the pki nightly repo. We want this backported to other supported IPA branches but they may be delayed depending on when pki builds are available.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5199/head:pr5199
git checkout pr5199
[freeipa PR#5292][opened] Always define the path DNSSEC_OPENSSL_CONF
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/5292
Author: flo-renaud
Title: #5292: Always define the path DNSSEC_OPENSSL_CONF
Action: opened
PR body:
"""
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for Fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.
ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in Fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on OS where it does not exist.
Fixes: https://pagure.io/freeipa/issue/8597
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5292/head:pr5292
git checkout pr5292