On 07/23/2012 10:03 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Andrew Wnuk wrote:
On 07/16/2012 01:35 PM, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).

Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere?  Or is it not turning out to be a problem if they

I didn't test validating OCSP signatures but the audit subsystem
seemed fine (it complained wildly when I had the wrong trust in the
NSS db).

Andrew, do I need to update CS.cfg as well?

Yes, you may need to update CS.cfg too.

Ok, added a bit to update CS.cfg with the new certificate.

This should fix some SELinux issues preventing certmonger from
monitoring the dogtag certificate database in /var/lib/pki-ca/alias.


I don't know enough about dogtag/certmonger to comment on the functionality, but there are minor issues I can find. Attaching a patch to fix them.

`make rpms` fails:

rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
error: %changelog not in descending chronological order
make: *** [rpms] Error 1

`git am` complains:

Applying: Use certmonger to renew CA subsystem certificates
/home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at EOF.
/home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at EOF.
warning: 2 lines add whitespace errors.

From 047a1f7dc78c632b7f9882ab21f1fe5dc82fb006 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 24 Jul 2012 04:43:28 -0400
Subject: [PATCH] fixes for rcrit-1033-03

 freeipa.spec.in                                |    2 +-
 install/share/default-aci.ldif                 |    1 -
 install/updates/21-ca_renewal_container.update |    1 -
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ce6c21aa3d9a6d92f6125e36905df5d3cf7b1a74..002a70a4385a502edc0c99b9b56ebbe02ef392ad 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -745,7 +745,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
-* Fri Jul  6 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-39
+* Tue Jul 24 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-39
 - Set minimum certmonger to 0.58 for dogtag cert renewal
 * Wed Jul 18 2012 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-38
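Review bot: the date change on the 2.99.0-39 changelog entry is the right fix for the rpmbuild error quoted above ("%changelog not in descending chronological order"): the entry now sorts after the Wed Jul 18 2.99.0-38 entry that follows it, which it did not while dated Fri Jul 6. The hunk header claims 7 lines on each side but only 5 are visible here, so double-check that the %changelog section header and surrounding blank line survive in the applied patch. The commit message "fixes for rcrit-1033-03" should also say what was fixed (changelog ordering plus two trailing-blank-line removals) so the history is readable without this thread.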
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 2fc04f667d3abe3a831c7d116c130c903f8e5106..6199ae5a68f648ca4e9fa6ded8083e5dcc07cb78 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -96,4 +96,3 @@ dn: cn=ipa,cn=etc,$SUFFIX
 changetype: modify
 add: aci
 aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX";)(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "host/$FQDN@$REALM";)
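Review bot: the removed line does not show in this hunk; the header's count dropping from 4 to 3 lines indicates it is the trailing blank line at EOF that git am warned about, not a change to the aci itself. Since LDIF treats a blank line as a record separator, dropping it is harmless only because this cn=ipa,cn=etc modify record is the last one in the file; if anything is ever appended after it, the separator will need to come back. The aci content and its write grant to host/$FQDN@$REALM are untouched by this patch.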
diff --git a/install/updates/21-ca_renewal_container.update b/install/updates/21-ca_renewal_container.update
index edb8f3e37bf8f6dee191782b8b2519f198fb3cd1..50b92d73d8af75cbc782769c45b6c439b07bbb2d 100644
--- a/install/updates/21-ca_renewal_container.update
+++ b/install/updates/21-ca_renewal_container.update
@@ -6,4 +6,3 @@ dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
 add:objectClass: top
 add:objectClass: nsContainer
 add:cn: ca_renewal
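Review bot: same shape as the previous hunk: the 4-to-3 line count in the header is the second blank-line-at-EOF removal from the git am warning, with no visible change to the ca_renewal container entry. The update-file format parses `add:attr: value` lines per dn block, so a trailing blank line carries no meaning here and removing it only silences the whitespace warning; worth one line in the commit message so a reader of the log knows no schema or container change is intended.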

Freeipa-devel mailing list