On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote:
> On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
>> Not sure why tomcat is more resilient when launched as root, but the
>> pki seems to work ok at issuing certs after the above and a reboot for
>> good measure.
>
> This sounds like there are broken permissions in the current Ubuntu
> packages. You should be aware that last time I checked, FreeIPA on
> Ubuntu was subtly yet severely broken, mostly due to the NSS libs
> missing PEM support, which will stop your CA from renewing, amongst
> other things.

I'd like to get a bug filed for each issue you find. For instance that
upgrade thing should already be fixed but sounds like it isn't?
And yes, not being able to package nss-pem does mean the CA is less than
useful. Maybe I should try to gently force the libnss maintainer to ship
the needed (static) libs to be able to finish packaging nss-pem..

> Does anyone know what the state of packaging for deb distros is
> currently? Now that the OpenSSL migration is complete(?), the barriers
> to functional packages should be removed, but it looks like that only
> happened in 4.5, and it appears only 4.4 is packaged, which is likely
> still broken?

FreeIPA is/was stuck at 4.4 because getting bind9 9.11 in the archive
took a year. That's now fixed, and I'm working on 4.6.x. But I need to
update the whole stack, so right now I'm stuck with Dogtag 10.5.3 not
building because it needed a newer (and patched) ldapjdk. Uploaded it
today but it won't build before the (Debian) archive is otherwise untangled.
Anyway, for Ubuntu 18.04 I might be forced to drop support for the CA
altogether, as it looks like Dogtag won't get fixed to support Tomcat
8.5 and RESTEasy 3.1 (and maybe others I haven't found out about yet) in
time. Oh and I need to package the JBOSS version of jaxrs-api too, since
the current alternative broke things when it got updated.. fun times
ahead, as always.
t