Title: #3216: fix LWCA key retrieval on f30
This PR includes fixes for LWCA key retrieval on f30 and fixes for handling of
missing LWCA keys in the ca_find and ca_show commands.
It is based upon https://github.com/freeipa/freeipa/pull/3210
PR-CI to f30. (This PR revealed the issue on f30; the tests are not passing
hence it has been merged yet.)
f029a6e3b (Fraser Tweedale, 7 hours ago)
ipa-pki-retrieve-key: set KRB5CCNAME
On Fedora 30, for some reason LDAP GSS-API bind now fails in the
ipa-pki-retrieve-key program. The Dogtag keytab credential acquisition
does succeed, but those credentials are not used for the LDAP bind.
Update CustodiaClient to support setting KRB5CCNAME when it creates
credentials. This behaviour is optional and disabled by default (no
behavioural change for other use cases). But enable this behaviour in
ipa-pki-retrieve-key so the Dogtag credentials are used for the LDAP bind.
fff5119cd (Fraser Tweedale, 85 minutes ago)
Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for the
certificate or chain will return 404**. This can occur in normal
operation, and should be a temporary condition. Detect this case and
handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message to the
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print the
warning message, if the expected field is missing from the response, just
ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
b59c49351 (Armando Neto, 2 days ago)
Add Fedora 30 test definitions and bump template version
Signed-off-by: Armando Neto <abiagion(a)redhat.com>
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3216/head:pr3216
git checkout pr3216
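
The behaviour described in the "Handle missing LWCA certificate or chain" commit above, sketched as an added example that is not code from the PR or from FreeIPA. Every name in it (`NotFound`, `fetch`, `ca_show`, `certificate_out`, the `certificate_chain` field and the CA ids) is a hypothetical stand-in, and the backend data is constructed.

```python
# Added illustration: every name here is hypothetical, not FreeIPA's own API.

class NotFound(Exception):
    """Stands in for the 404 the CA returns while key replication is pending."""

# Constructed backend state: 'lwca-pending' has no replicated key yet.
CONSTRUCTED_CAS = {
    "lwca-ready": {"certificate": "constructed-cert",
                   "certificate_chain": ["constructed-cert", "constructed-root"]},
    "lwca-pending": None,
}

def fetch(ca_id, field):
    """Return one field for a CA, or raise NotFound if it cannot be served yet."""
    data = CONSTRUCTED_CAS[ca_id]
    if data is None:
        raise NotFound(field)
    return data[field]

def ca_show(ca_id, chain=False):
    """Server side: omit what the CA cannot serve yet and warn instead of failing."""
    result, messages = {"cn": ca_id}, []
    fields = ["certificate"] + (["certificate_chain"] if chain else [])
    for field in fields:
        try:
            result[field] = fetch(ca_id, field)
        except NotFound:  # only the "not there yet" case; other errors still propagate
            messages.append({"type": "warning",
                             "message": f"{field} for {ca_id} is not available yet"})
    return {"result": result, "messages": messages}

def certificate_out(response, path, chain=False):
    """Client side: write the file only if the server returned the field."""
    field = "certificate_chain" if chain else "certificate"
    value = response["result"].get(field)
    if value is None:
        return False  # the warning in response["messages"] is already shown to the user
    with open(path, "w") as f:
        f.write("\n".join(value) if isinstance(value, list) else value)
    return True
```

Catching only the not-found case keeps a temporary replication delay from masking real backend failures, which still surface as errors.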