freeipa.git/install/certmonger, branch AD-binds FreeIPA patches Adopted kinit_keytab and kinit_password for kerberos auth 2015-04-20T08:27:35+00:00 Martin Babinsky mbabinsk@redhat.com 2015-03-16T15:43:10+00:00 3d2feac0e416c66ba37eee53ef5b3833c2c3e414 Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Make certificate renewal process synchronized 2015-01-13T18:34:59+00:00 Jan Cholasta jcholast@redhat.com 2015-01-08T09:06:46+00:00 b9ae7690489368ead9f4983d386fa210dc265dfa Synchronization is achieved using a global renewal lock. https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com> 
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
Fix CA certificate renewal syslog alert 2015-01-13T17:48:26+00:00 Jan Cholasta jcholast@redhat.com 2015-01-08T16:01:42+00:00 a63df8f3091992e227fe4654977bb91386ce0491 https://fedorahosted.org/freeipa/ticket/4820 Reviewed-By: David Kupka <dkupka@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4820

Reviewed-By: David Kupka <dkupka@redhat.com>
Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent 2014-12-09T12:16:49+00:00 Jan Cholasta jcholast@redhat.com 2014-12-04T15:34:55+00:00 1f6fff2b5aea7f92e3321870ea59661b127ab50a Always use the full CSR when renewing the IPA CA certificate with Dogtag. The IPA CA certificate may be issued by an external CA, in which case renewal by serial number does not make sense and will fail if the IPA CA was initially installed as a subordinate of an external CA. https://fedorahosted.org/freeipa/ticket/4784 Reviewed-By: David Kupka <dkupka@redhat.com> 
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.

https://fedorahosted.org/freeipa/ticket/4784

Reviewed-By: David Kupka <dkupka@redhat.com>
Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent 2014-12-09T12:06:47+00:00 Jan Cholasta jcholast@redhat.com 2014-12-03T07:43:15+00:00 423c3e8f34d6ae6655c3b82c4e5a18caf1e63a49 Reset profile name after requesting the CA cert from Dogtag to prevent the automatic renewal request from being restarted in subsequent calls. https://fedorahosted.org/freeipa/ticket/4765 Reviewed-By: David Kupka <dkupka@redhat.com> 
Reset profile name after requesting the CA cert from Dogtag to prevent the
automatic renewal request from being restarted in subsequent calls.

https://fedorahosted.org/freeipa/ticket/4765

Reviewed-By: David Kupka <dkupka@redhat.com>
Fix wrong expiration date on renewed IPA CA certificates 2014-11-19T14:25:26+00:00 Jan Cholasta jcholast@redhat.com 2014-11-18T14:01:59+00:00 52b141ca6a257b8f12d9ad2ade812ec1bfebf0d7 The expiration date was always set to the expiration date of the original certificate. https://fedorahosted.org/freeipa/ticket/4717 Reviewed-By: David Kupka <dkupka@redhat.com> 
The expiration date was always set to the expiration date of the original
certificate.

https://fedorahosted.org/freeipa/ticket/4717

Reviewed-By: David Kupka <dkupka@redhat.com>
Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage 2014-11-05T14:26:42+00:00 Jan Cholasta jcholast@redhat.com 2014-10-14T09:26:15+00:00 2cf0f0a658ba3151596e3782c76d6273362080cf This should not normally happen, but if it does, report an error instead of waiting idefinitely for the certificate to appear. https://fedorahosted.org/freeipa/ticket/4629 Reviewed-By: David Kupka <dkupka@redhat.com> 
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate 2014-10-30T09:51:36+00:00 Jan Cholasta jcholast@redhat.com 2014-10-14T09:12:55+00:00 35947c6e103a18c3f81af4b6d3795218a93b3b57 If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear. https://fedorahosted.org/freeipa/ticket/4628 Reviewed-By: David Kupka <dkupka@redhat.com> 
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.

https://fedorahosted.org/freeipa/ticket/4628

Reviewed-By: David Kupka <dkupka@redhat.com>
Handle profile changes in dogtag-ipa-ca-renew-agent 2014-10-29T14:06:05+00:00 Jan Cholasta jcholast@redhat.com 2014-10-14T08:30:07+00:00 a649a84a1bd7eb3c727fdcfc341b326a19b0ee5a To update the CA certificate in the Dogtag NSS database, the "ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change the profile of the CA certificate certmonger request, resubmit it and change the profile back to the original one. When something goes wrong while resubmitting the request, it needs to be modified and resubmitted again manually. This might fail with invalid cookie error, because changing the profile does not change the internal state of the request. Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when profile is changed. https://fedorahosted.org/freeipa/ticket/4627 Reviewed-By: David Kupka <dkupka@redhat.com> 
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627

Reviewed-By: David Kupka <dkupka@redhat.com>
Check that renewed certificates coming from LDAP are actually renewed. 2014-07-30T14:04:21+00:00 Jan Cholasta jcholast@redhat.com 2014-04-14T10:13:12+00:00 61159b7ff2b92d40bad3a6084a249f5c51b07a48 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>