On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote:
> On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
> > Not sure why Tomcat is more resilient when launched as root, but the
> > PKI seems to work OK at issuing certs after the above and a reboot for
> > good measure.
> This sounds like there are broken permissions in the current Ubuntu
> packages. You should be aware that last time I checked, FreeIPA on
> Ubuntu was subtly yet severely broken, mostly due to the NSS libs
> missing PEM support, which will stop your CA from renewing, amongst
> other things.
I'd like to get a bug filed for each issue you find. For instance that
upgrade thing should already be fixed but sounds like it isn't?
And yes, not being able to package nss-pem does mean the CA is less than
useful. Maybe I should try to gently force the libnss maintainer to ship
the needed (static) libs to be able to finish packaging nss-pem...
> Does anyone know what the state of packaging for deb distros is
> currently? Now that the OpenSSL migration is complete(?), the barriers
> to functional packages should be removed, but it looks like that only
> happened in 4.5, and it appears only 4.4 is packaged, which is likely
> still broken?
FreeIPA is/was stuck at 4.4 because getting bind9 9.11 in the archive
took a year. That's now fixed, and I'm working on 4.6.x. But I need to
update the whole stack, so right now I'm stuck with Dogtag 10.5.3 not
building because it needed a newer (and patched) ldapjdk. Uploaded it
today but it won't build before the (Debian) archive is otherwise untangled.
Anyway, for Ubuntu 18.04 I might be forced to drop support for the CA
altogether, as it looks like Dogtag won't get fixed to support Tomcat
8.5 and RESTEasy 3.1 (and maybe others I haven't found out about yet) in
time. Oh, and I need to package the JBoss version of jaxrs-api too, since
the current alternative broke things when it got updated... Fun times
ahead, as always.
t