On 20.1.2016 10:05, Petr Spacek wrote:
On 19.1.2016 16:10, David Kupka wrote:
On 19/01/16 14:38, Jan Cholasta wrote:
On 19.1.2016 14:26, Martin Kosek wrote:
On 01/19/2016 01:47 PM, David Kupka wrote:
I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586

Won't this break existing certmonger requests depending on the old path?

It will, I don't see any upgrade code.


# getcert list | grep '/usr/lib64/ipa/certmonger'
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
     post-save command: /usr/lib64/ipa/certmonger/restart_httpd

You're right it will break the upgrade. I haven't noticed that Server-Cert for
DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.

LOL, one more reason to centralize the certificate madness to one place? :-)

Definitely!

--
Jan Cholasta
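
The check discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it parses `getcert list` output and reports every tracking request whose pre-save or post-save hook still points into the old helper directory. The sample output, its request IDs and the `/opt/example/hooks` path are constructed for illustration, and `stale_hooks` is a hypothetical helper name.

```python
import re

OLD_DIR = "/usr/lib64/ipa/certmonger"  # old helper directory shown in the thread

# Constructed sample in the layout printed by `getcert list`;
# request IDs and the /opt/example/hooks path are made up.
SAMPLE = (
    "Number of certificates and requests being tracked: 3.\n"
    "Request ID '20160119000001':\n"
    "\tstatus: MONITORING\n"
    "\tCA: dogtag-ipa-ca-renew-agent\n"
    "\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad\n"
    "\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert"
    ' "auditSigningCert cert-pki-ca"\n'
    "Request ID '20160119000002':\n"
    "\tstatus: MONITORING\n"
    "\tCA: IPA\n"
    "\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd\n"
    "Request ID '20160119000003':\n"
    "\tstatus: MONITORING\n"
    "\tCA: IPA\n"
    "\tpost-save command: /opt/example/hooks/restart_dirsrv RHEL72\n"
)

REQ_RE = re.compile(r"^Request ID '([^']+)':")
HOOK_RE = re.compile(r"^\s*(pre-save|post-save) command:\s*(.*)$")


def stale_hooks(getcert_output, old_dir=OLD_DIR):
    """Return (request_id, hook, command) for hooks whose executable is in old_dir."""
    prefix = old_dir.rstrip("/") + "/"
    found, req_id = [], None
    for line in getcert_output.splitlines():
        m = REQ_RE.match(line)
        if m:
            req_id = m.group(1)  # start of a new tracking request
            continue
        m = HOOK_RE.match(line)
        if m and req_id:
            command = m.group(2).strip()
            # Compare only the executable path, not its arguments.
            exe = command.split(" ", 1)[0] if command else ""
            if exe.startswith(prefix):
                found.append((req_id, m.group(1), command))
    return found


if __name__ == "__main__":
    for req_id, hook, command in stale_hooks(SAMPLE):
        print(f"{req_id}: {hook} -> {command}")
```

Unlike the `grep` above, this keeps the request ID next to each stale hook, so the DS and HTTPD Server-Cert requests that the upgrade path skips can be identified individually.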

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
