On 05/29/2015 11:21 AM, Martin Basti wrote:
On 29/05/15 06:17, Fraser Tweedale wrote:
On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
On 28/05/15 11:48, Martin Basti wrote:
On 27/05/15 16:04, Fraser Tweedale wrote:
Hello all,

Fresh certificate management patchset; Changelog:

- Now depends on patch freeipa-ftweedal-0014 for correct
cert-request behaviour with host and service principals.

- Updated Dogtag dependency to 10.2.4-1.  Should should be in
f22 soon, but for f22 right now or for f21, please grab from my
copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/

   Martin^1 could you please add to the quasi-official freeipa
   copr?  SRPM lives at

- cert-request now verifies that for user principals, CSR CN
matches uid and, DN emailAddress and SAN rfc822Name match user's
email address, if either of those is present.

- Fixed one or two other sneaky little bugs.

On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
Hi all,

Please find attached the latest certificate management
patchset, which introduces the `caacl' plugin and various fixes
and improvement to earlier patches.

One important change to earlier patches is reverting the name
of the default profile to 'caIPAserviceCert' and using the
existing instance of this profile on upgrade (but not install)
in case it has been modified.

Other notes:

- Still have changes in ipa-server-install (fewer lines now,

- Still have the ugly import hack.  It is not a high priority
for me, i.e. I think it should wait until after alpha

- Still need to update 'service' and 'host' plugins to support
multiple certificates.  (The userCertificate attribute schema
itself is multi-valued, so there are no schema issues here)

- The TODOs in [1]; mostly certprofile CLI conveniences and
supporting multiple profiles for hosts and services (which
requires changes to framework only, not schema).  [1]:

Happy reviewing!  I am pleased with the initial cut of the
caacl plugin but I'm sure you will find some things to be fixed

Cheers, Fraser
[root@vm-093 ~]#  ipa-replica-prepare vm-094.example.com
--ip-address Directory Manager (existing master)

Preparing replica for vm-094.example.com from vm-093.example.com
Creating SSL certificate for the Directory Server not well-formed
(invalid token): line 2, column 14

I cannot create replica file.  It work on the upgraded server,
but it doesn't work on the newly installed server.  I'm not sure
if this causes your patches which modifies the ca-installer, or
the newer version of dogtag.

Or if there was any other changes in master, I will continue to
investigate with new RPM from master branch.


ipa-replica-prepare works for: * master branch * master branch +
pki-ca 10.2.4-1

So something in your patches is breaking it


Martin, master + my patches with pki 10.2.4-1 is working for me on
f21 and f22.  Can you provide ipa-replica-prepare --debug output and
Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )

I can not reproduce it today. And I already recycled the VMs from yesterday. :-(

In that case I would suggest ACKing&pushing the patch and fixing the bug if it comes again. The tree may now be a bit unstable, given the number of patches going in.

My main motivation here is to unblock Fraser.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to