summaryrefslogtreecommitdiffstats
path: root/install/updates
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2014-12-02 13:18:36 -0500
committerRob Crittenden <rcritten@redhat.com>2013-01-29 11:16:38 -0500
commit045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch)
treeba63a832f67c4c9a8ceee62669b52dd37a853680 /install/updates
parentb382a77fc393a078ebbba8000284dd9abe75a3d5 (diff)
downloadfreeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.gz
freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.xz
freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.zip
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/updates')
0 files changed, 0 insertions, 0 deletions