freeipa.git/install/certmonger, branch cakeysfix FreeIPA patches renew agent, restart scripts: connect to LDAP after kinit 2017-04-07T16:53:15+00:00 Jan Cholasta jcholast@redhat.com 2017-04-07T05:51:01+00:00 a6a89e24147d8542fd09cf64e04982599b79e3cc Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Connect to LDAP after kinit is done, otherwise GSSAPI authentication will
fail.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
renew agent: revert to host keytab authentication 2017-04-07T16:53:15+00:00 Jan Cholasta jcholast@redhat.com 2017-04-07T05:46:58+00:00 3884a671cb59c360fae67884755fa5779053107a Fixes an issue where the renew agent uses GSSAPI for LDAP connection but fails because it is not authenticated. This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Fixes an issue where the renew agent uses GSSAPI for LDAP connection but
fails because it is not authenticated.

This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function 2017-03-28T07:01:37+00:00 Florence Blanc-Renaud flo@redhat.com 2017-03-24T10:02:33+00:00 e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit behaves differently depending on the certificate it needs to renew. For instance, some certificates (such as IPA RA) are the same on all the hosts and the renewal is actually done only on the renewal master. On other nodes, the new cert is downloaded from LDAP. The function is_replicated() is returning the opposite as what it should. If the cert nickname is IPA RA, it should return that the cert is replicated but it doesn't, and this leads to a wrong code path to renew the cert. https://pagure.io/freeipa/issue/6813 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
dogtag-ipa-ca-renew-agent-submit behaves differently depending on the
certificate it needs to renew. For instance, some certificates (such as IPA RA)
are the same on all the hosts and the renewal is actually done only on
the renewal master. On other nodes, the new cert is downloaded from LDAP.

The function is_replicated() is returning the opposite as what it should. If
the cert nickname is IPA RA, it should return that the cert is replicated but
it doesn't, and this leads to a wrong code path to renew the cert.

https://pagure.io/freeipa/issue/6813

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Moving ipaCert from HTTPD_ALIAS_DIR 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-13T08:08:42+00:00 5ab85b365ae886558b1f077b0d039a0d24bebfa7 The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Workaround for certmonger's "Subject" representations 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-27T07:58:00+00:00 595f9b64e31dc9e4f035119e834db7e6cb152dce If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.

The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 d124e307f3b7d88bca53784f030ed6043b224432 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
renew agent: handle non-replicated certificates 2017-01-16T13:37:25+00:00 Jan Cholasta jcholast@redhat.com 2017-01-06T09:45:38+00:00 d5af11f65cc2a2d6860579a63a173b67cb12bcf3 In addition to replicated certificates (Dogtag certificates, RA certificate), handle non-replicated certificates in dogtag-ipa-ca-renew-agent as well. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16T08:12:07+00:00 Petr Spacek pspacek@redhat.com 2016-11-11T13:37:18+00:00 d5683726d290b71eb44ab3b3150381f062e74df1 Automake manual section 13 What Gets Cleaned says that make maintainer-clean should not remove files necessary for subsequent runs of ./configure. It practically means that all usage of MAINTAINERCLEANFILES were incorrect so I've removed them. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor installer code requesting certificates 2016-11-10T13:15:57+00:00 Florence Blanc-Renaud flo@redhat.com 2016-10-25T06:49:10+00:00 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f - Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA agent cert, using the temp cert created during pkispawn. The cert request is now processed through certmonger, and the helper arguments are restored once the agent cert is obtained. - Modify the installer code creating HTTP and LDAP certificates to use certmonger's IPA helper with temporary parameters (calling dogtag-submit instead of ipa-submit) - Clean-up for the integration tests: sometimes ipa renewal.lock is not released during ipa-server-uninstall. Make sure that the file is removed to allow future installations. https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>