summaryrefslogtreecommitdiffstats
path: root/ipalib/install/certmonger.py
Commit message (Collapse)AuthorAgeFilesLines
* Refactor certmonger for OpenSSL certificatesStanislav Laznicka2017-03-011-75/+79
| | | | | | | | | | Currently, it was only possible to request an NSS certificate via certmonger. Merged start_tracking methods and refactored them to allow for OpenSSL certificates tracking. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Workaround for certmonger's "Subject" representationsStanislav Laznicka2017-03-011-0/+5
| | | | | | | | | | | | | | | | If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure Anonymous PKINIT on server installSimo Sorce2016-12-121-15/+28
| | | | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Increase the timeout waiting for certificate issuance in installerFlorence Blanc-Renaud2016-12-071-1/+2
| | | | | | | | | | | | | During the server installation, the installer requests certificates through certmonger. The current timeout is 60s and is too low. Increase this timeout to api.env.startup_timeout as done in ipa_cacert_manage or ipa_certupdate.py (the code checks the status each 5s up to the timeout value). https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Check the result of cert request in replica installerFlorence Blanc-Renaud2016-11-301-1/+2
| | | | | | | | | | | | | | | | | | | | | | When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* ipapython: move certmonger and sysrestore to ipalib.installJan Cholasta2016-11-291-0/+611
The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 14:29:25 +0000