On 12.3.2014 19:59, Petr Viktorin wrote:
On 03/10/2014 01:03 PM, Jan Cholasta wrote:
On 17.10.2013 18:59, Jan Cholasta wrote:
On 17.10.2013 18:01, Petr Viktorin wrote:
On 10/17/2013 02:21 PM, Jan Cholasta wrote:

this patchset contains refactoring of the certificate renewal code,
which will be the base for CA certificate renewal.

The biggest change is a new certmonger CA helper
dogtag-ipa-ca-renew-agent, which replaces
dogtag-ipa-retrieve-agent-submit as well as parts of certmonger
post-commands used in certificate renewal. It provides more
when doing renewals and allows unified certmonger configuration on
CA master and clones.

How to test: Test both CA-ful and CA-less server and replica installs
and upgrades, check that certmonger is configured properly and
certificate renewal works (see
https://fedorahosted.org/freeipa/ticket/2803#comment:17 for details).

Certmonger is not configured/started in CA-less installs.

That's expected.

I tested fresh installs and upgrades; renewals work fine for me.

161-184 look OK

185: one more nitpick:
     cert = entry['usercertificate'][0]
Shouldn't that use entry.single_value?

I did not feel like changing this, because this is used in the original code and the userCertificate LDAP attribute is multi-value.

186-189 look OK

190: Is
     fqdn = entries[0].dn[1].value
     return api.env.host == fqdn
safe? Can they differ in case, for example?

I guess so, will fix.

191-196 look OK

Note that patches 178 & 179 were already pushed. Also, patch 190 was
changed to store information about which CA instance is master in LDAP.

Jan Cholasta

Freeipa-devel mailing list

Reply via email to