freeipa.git/ipaserver/install/server, branch fix_ber_scanf FreeIPA patches Add container environment check to replicainstall 2019-09-16T07:44:52+00:00 Tibor Dudlák tdudlak@redhat.com 2019-09-10T16:54:53+00:00 f1e20b45c5deeb25989c87a2d717bda5a31bb084 Inside the container environment master's IP address does not resolve to its name. Resolves: https://pagure.io/freeipa/issue/6210 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Move ipachangeconf from ipaclient.install to ipapython 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:05+00:00 e5af8c19a9e40fb3b96c56ace081f79980437fc2 This will let us call it from ipaplatform. Mark the original location as deprecated. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix ca_initialize_hsm_state 2019-08-21T09:48:36+00:00 Christian Heimes cheimes@redhat.com 2019-08-20T14:58:14+00:00 bebe09f3e4ddcc1332395aaa6b662fa4580d8304 Fixup for commit eb2313920e20bb4a74fc0abc52c496ccf2822dab. configparser's set() method does not convert boolean to string automatically. Use string '"False"', which is then interpreted as boolean 'False' by getboolean(). Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Fixup for commit eb2313920e20bb4a74fc0abc52c496ccf2822dab.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Store HSM token and state 2019-08-19T07:56:08+00:00 Christian Heimes cheimes@redhat.com 2019-08-16T12:34:16+00:00 076d955b9373ad8603f3885ea6841d367f866327 The HSM state is stored in fstore, so that CA and KRA installer use the correct token names for internal certificates. The default token is "internal", meaning the keys are stored in a NSSDB as usual. Related: https://pagure.io/freeipa/issue/5608 Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson@polisen.se> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
The HSM state is stored in fstore, so that CA and KRA installer use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in a NSSDB as usual.

Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson@polisen.se>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-06-27T01:48:53+00:00 bb779baadf0df3333bd853599a21e81907c8c116 Replace renewal CA and profile name literals with corresponding symbols from ipalib.constants. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cainstance: add profile to IPA RA tracking request 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-06-27T01:27:02+00:00 1bf008a64f15e617b0dde93555f5dca1cbdf990a Profile-based renewal means we should always explicitly specify the profile in tracking requests that use the dogtag-ipa-ca-renew-agent renewal helper. This includes the IPA RA agent certificate. Update CAInstance.configure_agent_renewal() to add the profile to the tracking request. This also covers the upgrade scenario (because the same method gets invoked). Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper.  This includes the IPA RA agent certificate.  Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request.  This also covers the upgrade scenario (because
the same method gets invoked).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
upgrade: fix spurious certmonger re-tracking 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-06-27T01:08:58+00:00 fa5675582caef6d0708c8ae392e170b44d9daf5b The search for the HTTP Certmonger tracking request uses an incorrect parameter ('key-storage'), triggering removal and recreation of tracking requests on every upgrade. Replace 'key-storage' with the correct parameter, 'key-file'. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade.  Replace
'key-storage' with the correct parameter, 'key-file'.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
upgrade: log missing/misconfigured tracking requests 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-06-26T23:46:59+00:00 2d22f568a1043b0cb0b69314d3951d39721becc7 For better diagnostics during upgrade, log the Certmonger tracking requests that were not found (either because they do not exist, or do not have the expected configuration). Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
upgrade: update KRA tracking requests 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-06-26T04:08:48+00:00 482866e47e20520fbe39ef05439badbb3069bef6 The upgrade routine checks tracking requests for CA system certificates, IPA RA and HTTP/LDAP/KDC service certificates. If a tracking request matching our expectations is not found, we stop tracking all certificates, then create new tracking requests with the correct configuration. But the KRA was left out. Add checks for KRA certificates, and remove/recreate KRA tracking requests when appropriate. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates.  If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.

But the KRA was left out.  Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>