On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote:
On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
Not sure why tomcat is more resilient when launched as root, but the pki seems to work ok at issuing certs after the above and a reboot for good measure.
This sounds like there are broken permissions in the current Ubuntu packages. You should be aware that last time I checked, FreeIPA on Ubuntu was subtly yet severely broken, mostly due to the NSS libs missing PEM support, which will stop your CA from renewing, amongst other things.
I'd like to get a bug filed for each issue you find. For instance that upgrade thing should already be fixed but sounds like it isn't?
And yes, not being able to package nss-pem does mean the CA is less than useful. Maybe I should try to gently force the libnss maintainer to ship the needed (static) libs to be able to finish packaging nss-pem..
Does anyone know what the state of packaging for deb distros is currently? Now that the OpenSSL migration is complete(?), the barriers to functional packages should be removed, but it looks like that only happened in 4.5, and it appears only 4.4 is packaged, which is likely still broken?
Freeipa is/was stuck at 4.4 because getting bind9 9.11 in the archive took a year. That's now fixed, and I'm working on 4.6.x. But I need to update the whole stack, so right now I'm stuck with Dogtag 10.5.3 not building because it needed a newer (and patched) ldapjdk. Uploaded it today but it won't build before the (Debian) archive is otherwise untangled.
Anyway, for Ubuntu 18.04 I might be forced to drop support for the CA altogether, as it looks like Dogtag won't get fixed to support Tomcat 8.5 and RESTEasy 3.1 (and maybe others I haven't found out about yet) in time. Oh and I need to package the JBOSS version of jaxrs-api too, since the current alternative broke things when it got updated.. fun times ahead, as always.
t