On 13 December 2017 at 23:29, Timo Aaltonen via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote:
On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
Not sure why tomcat is more resilient when launched as root, but the pki seems to work ok at issuing certs after the above and a reboot for good measure.
This sounds like there are broken permissions in the current Ubuntu packages. You should be aware that last time I checked, FreeIPA on Ubuntu was subtly yet severely broken, mostly due to the NSS libs missing PEM support, which will stop your CA from renewing, amongst other things.
I'd like to get a bug filed for each issue you find. For instance that upgrade thing should already be fixed but sounds like it isn't?
It's absolutely possible that the state of my upgrade didn't take in or countered your fixes due to my hacking around issues that reared their heads during the initial 17.04 install i upgraded from. Now that I'm upgraded it's a little harder to find out, but will see if I have any backups hanging around from the before upgrade state.
And yes, not being able to package nss-pem does mean the CA is less than useful. Maybe I should try to gently force the libnss maintainer to ship the needed (static) libs to be able to finish packaging nss-pem..
Does anyone know what the state of packaging for deb distros is currently? Now that the OpenSSL migration is complete(?), the barriers to functional packages should be removed, but it looks like that only happened in 4.5, and it appears only 4.4 is packaged, which is likely still broken?
Freeipa is/was stuck at 4.4 because getting bind9 9.11 in the archive took a year. That's now fixed, and I'm working on 4.6.x. But I need to update the whole stack, so right now I'm stuck with Dogtag 10.5.3 not building because it needed a newer (and patched) ldapjdk. Uploaded it today but it won't build before the (Debian) archive is otherwise untangled.
Anyway, for Ubuntu 18.04 I might be forced to drop support for the CA altogether, as it looks like Dogtag won't get fixed to support Tomcat 8.5 and RESTEasy 3.1 (and maybe others I haven't found out about yet) in time. Oh and I need to package the JBOSS version of jaxrs-api too, since the current alternative broke things when it got updated.. fun times ahead, as always.
Oh crikey, that sounds like as much fun as pulling teeth.
I can hold out a bit longer on the (as far as I can tell), very functional 17.10 install. Will make a call on it nearer the 18.04 time, but might make the jump to Fedora or the Docker based installs if things aren't looking good for the state of Ubuntu by then..
Thanks for the taking the time to explain the state of affairs. Appreciate your work as ever.
David
t
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org