diff options
author | Rob Crittenden <rcritten@redhat.com> | 2014-12-02 13:18:36 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-29 11:16:38 -0500 |
commit | 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch) | |
tree | ba63a832f67c4c9a8ceee62669b52dd37a853680 /freeipa.spec.in | |
parent | b382a77fc393a078ebbba8000284dd9abe75a3d5 (diff) | |
download | freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.gz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.xz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.zip |
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'freeipa.spec.in')
-rw-r--r-- | freeipa.spec.in | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 189c7b922..d875183e6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -112,7 +112,7 @@ Requires: python-memcached Requires: systemd-units >= 36-3 Requires(pre): systemd-units Requires(post): systemd-units -Requires: selinux-policy >= 3.11.1-60 +Requires: selinux-policy >= 3.11.1-71 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.44 Requires: pki-ca >= 10.0.0-0.54.b3 @@ -769,6 +769,12 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue Jan 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.99-13 +- Set certmonger minimum version to 0.65 for NSS locking during + renewal +- Set selinux-policy to 3.11.1-73 so certmonger can run in post + scriptlet + * Thu Jan 24 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.99-12 - Add certmonger condrestart to server post scriptlet - Make certmonger a (pre) Requires on the server subpackage |