freeipa.git/install/restart_scripts, branch mindatefix FreeIPA patches Update lightweight CA serial after renewal 2016-06-29T06:52:29+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-17T05:11:08+00:00 b720aa94e9317b857734c08a69fe2dcc0d95bf68 For CA replicas to pick up renewed lightweight CA signing certificates, the authoritySerial attribute can be updated with the new serial number. Update the renew_ca_cert script, which is executed by Certmonger after writing a renewed CA certificate to the NSSDB, to update the authoritySerial attribute if the certificate belongs to a lightweight CA. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.

Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
restart scripts: bootstrap api with in_server=True 2016-06-21T06:30:35+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-17T04:18:05+00:00 3edf13cd8ab541908d7e2011a54e31edf1844ea2 renew_ca_cert fails because it cannot access the 'config' plugin. Bootstrap all the restart scripts to avoid such issues. Fixes: https://fedorahosted.org/freeipa/ticket/5968 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
renew_ca_cert fails because it cannot access the 'config' plugin.
Bootstrap all the restart scripts to avoid such issues.

Fixes: https://fedorahosted.org/freeipa/ticket/5968
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move freeipa certmonger helpers to libexecdir. 2016-02-26T07:29:44+00:00 Timo Aaltonen tjaalton@ubuntu.com 2016-02-23T11:10:34+00:00 872d5903d0d278914d740575b4ef92fa75c44a45 The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also cause trouble on Debian). https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: David Kupka <dkupka@redhat.com> 
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).

https://fedorahosted.org/freeipa/ticket/5586

Reviewed-By: David Kupka <dkupka@redhat.com>
cert renewal: import all external CA certs on IPA CA cert renewal 2016-01-27T13:38:10+00:00 Jan Cholasta jcholast@redhat.com 2016-01-21T07:58:56+00:00 eaafeddf769c25bd44b490ae18ffb58e97df4963 Import all external CA certs to the Dogtag NSS database on IPA CA cert renewal. This fixes Dogtag not being able to connect to DS which uses 3rd party server cert after ipa-certupdate. https://fedorahosted.org/freeipa/ticket/5595 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Remove unused imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T15:06:03+00:00 e4075b1fe26a608cd1f3778ee1f655a5f5700c65 This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
install: drop support for Dogtag 9 2015-11-25T08:12:25+00:00 Jan Cholasta jcholast@redhat.com 2015-11-09T17:28:47+00:00 aeffe2da42734655cbaedb2c4d4f9e28bd2df1c0 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com> 
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
cert renewal: make renewal of ipaCert atomic 2015-11-19T12:06:12+00:00 Jan Cholasta jcholast@redhat.com 2015-11-09T09:53:02+00:00 f3076c6ab37e081ba9b0ec9f0502379f60dfbd10 This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com> 
This prevents errors when renewing other certificates during the renewal of
ipaCert.

https://fedorahosted.org/freeipa/ticket/5436

Reviewed-By: David Kupka <dkupka@redhat.com>
install: always export KRA agent PEM file 2015-10-08T11:42:58+00:00 Jan Cholasta jcholast@redhat.com 2015-09-16T07:05:20+00:00 b035a2a11442c190dc68d9e653b98ef396332c8e Export the file even when KRA is not installed locally so that vault commands work on all IPA replicas. https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Export the file even when KRA is not installed locally so that vault commands
work on all IPA replicas.

https://fedorahosted.org/freeipa/ticket/5302

Reviewed-By: Martin Basti <mbasti@redhat.com>
install: fix KRA agent PEM file permissions 2015-10-08T11:41:08+00:00 Jan Cholasta jcholast@redhat.com 2015-09-21T06:32:04+00:00 110e85cc74051b02556ca2c43176c9ded40e75aa This fixes CVE-2015-5284. https://fedorahosted.org/freeipa/ticket/5347 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This fixes CVE-2015-5284.

https://fedorahosted.org/freeipa/ticket/5347

Reviewed-By: Martin Basti <mbasti@redhat.com>
cert renewal: Automatically update KRA agent PEM file 2015-08-27T13:53:42+00:00 Jan Cholasta jcholast@redhat.com 2015-08-27T05:37:24+00:00 e9a76c3d126367f72e353919ecbff45bed3abaaf https://fedorahosted.org/freeipa/ticket/5253 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5253

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>