On Wed, Jun 29, 2016 at 09:30:17AM +0200, Jan Cholasta wrote:
> On 29.6.2016 08:55, Jan Cholasta wrote:
> > On 24.6.2016 08:49, Fraser Tweedale wrote:
> > > On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > > 
> > > > On 21.6.2016 08:24, Fraser Tweedale wrote:
> > > > > The attached patches add lightweight CA renewal.  There are two
> > > > > substantive aspects:
> > > > > 
> > > > > 1. The renew_ca_cert script updates the serial number in the lightweight
> > > > > CA's entry in the Dogtag database.  This causes CA clones to observe
> > > > > the renewal and update the certs in their own NSSDBs.
> > > > > 
> > > > > 2. The ipa-certupdate command adds Certmonger tracking requests for
> > > > > lightweight CAs (on the renewal master only).
> > > > > 
> > > > > Correct behaviour also depends on my patch 0069 (in-server API for
> > > > > renew_ca_cert script).
> > > > 
> > > > Patch 0072-0074: LGTM
> > > > 
> > > > Patch 0075:
> > > > 
> > > > 1) Lightweight CA certs should be tracked by certmonger on all CA
> > > > servers, not just on the renewal master. The behavior should be the
> > > > same as for the main CA cert, i.e. the actual renewal is done only on
> > > > the renewal master, other CA servers only update their NSS DBs (this
> > > > is handled in dogtag-ipa-ca-renew-agent-submit).
> > > > 
> > > > This is important because the CA renewal master can change at any
> > > > time, and without all CA certs being tracked on all CA servers, there
> > > > is no guarantee the renewal would happen.
> > > > 
> > > > 2) Since CA clones update their NSS DBs on their own,
> > > > dogtag-ipa-ca-renew-agent should be updated not to put them in
> > > > cn=ca_renewal,cn=ipa,cn=etc.
> > > > 
> > > Thanks for the review, Honza.  Updated patch 0075-2 attached.
> > 
> > Thanks, ACK.
> > 
> > Rebased patch 0072 and pushed to master:
> > 0078e7a9192a940104d8f6621b33d24d814c109b
> > 
> > It would be nice if lightweight CAs known at replica install time were
> > tracked without having to manually run ipa-certupdate after
> > ipa-replica-install. Shall I file a ticket for this, or will you be able
> > to provide a patch before Friday?
> 
> Also, the certs should be untracked on server uninstall.
> 
File the ticket, and I'll try to address by Friday anyways :)

Thanks,
Fraser
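Jan's first review point above is that every CA server, not only the renewal master, must carry a certmonger tracking request for each lightweight CA cert, using dogtag-ipa-ca-renew-agent as the CA helper, because the helper is what decides between actually renewing (on the master) and merely refreshing the NSS DB (on a clone). The following Python is an added example, not FreeIPA or certmonger code, showing how an administrator could audit that on one CA server by parsing `getcert list` output. It assumes, which the thread does not state, that the Dogtag NSS DB is /etc/pki/pki-tomcat/alias and that lightweight CA certs are stored there under nicknames of the form "caSigningCert cert-pki-ca <authority ID>"; the getcert output and authority IDs in the block are constructed samples, and `check_live()` is the only part that touches a real system.

```python
"""Audit certmonger tracking of lightweight CA certificates on a CA server.

Added example, not FreeIPA or certmonger code. Assumptions not stated in
the thread: the Dogtag NSS DB lives at /etc/pki/pki-tomcat/alias and
lightweight CA certs are stored there under the nickname
"caSigningCert cert-pki-ca <authority ID>".
"""
import re
import subprocess

PKI_NSSDB = "/etc/pki/pki-tomcat/alias"        # assumed Dogtag NSS DB path
NICK_PREFIX = "caSigningCert cert-pki-ca"       # assumed nickname prefix
RENEW_HELPER = "dogtag-ipa-ca-renew-agent"      # CA helper named in the thread

# Constructed sample of `getcert list` output: the main CA cert, two
# lightweight CA certs (one tracked with the wrong CA helper) and an
# unrelated directory server cert. Authority IDs are made up.
LWCA_OK = "11111111-1111-1111-1111-111111111111"
LWCA_WRONG_HELPER = "22222222-2222-2222-2222-222222222222"
LWCA_MISSING = "33333333-3333-3333-3333-333333333333"

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20160629083000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='{db}',nickname='{pfx}',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='{db}',nickname='{pfx}',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
Request ID '20160629083001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='{db}',nickname='{pfx} {ok}',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='{db}',nickname='{pfx} {ok}',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
Request ID '20160629083002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='{db}',nickname='{pfx} {wrong}',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='{db}',nickname='{pfx} {wrong}',token='NSS Certificate DB'
\tCA: IPA
Request ID '20160629083003':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
""".format(db=PKI_NSSDB, pfx=NICK_PREFIX, ok=LWCA_OK, wrong=LWCA_WRONG_HELPER)

SAMPLE_CA_IDS = [LWCA_OK, LWCA_WRONG_HELPER, LWCA_MISSING]

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$", re.MULTILINE)
CERT_RE = re.compile(r"certificate: type=NSSDB,location='([^']*)',nickname='([^']*)'")
HELPER_RE = re.compile(r"^\s*CA: (\S+)$", re.MULTILINE)


def parse_tracking(getcert_output):
    """Map (NSS DB location, nickname) -> CA helper name for every request in
    `getcert list` output. Requests without an NSS DB certificate are skipped."""
    tracked = {}
    parts = REQUEST_RE.split(getcert_output)
    # split() with one capture group yields [preamble, id, body, id, body, ...]
    for body in parts[2::2]:
        cert = CERT_RE.search(body)
        if cert is None:
            continue
        helper = HELPER_RE.search(body)
        tracked[(cert.group(1), cert.group(2))] = helper.group(1) if helper else None
    return tracked


def untracked_lightweight_cas(getcert_output, ca_ids, nssdb=PKI_NSSDB):
    """Return [(ca_id, reason)] for lightweight CAs that certmonger will not
    handle correctly on this server: either there is no tracking request for
    the cert, or the request uses a CA helper other than
    dogtag-ipa-ca-renew-agent, so the master/clone distinction is lost."""
    tracked = parse_tracking(getcert_output)
    problems = []
    for ca_id in ca_ids:
        key = (nssdb, "%s %s" % (NICK_PREFIX, ca_id))
        if key not in tracked:
            problems.append((ca_id, "no tracking request"))
        elif tracked[key] != RENEW_HELPER:
            problems.append((ca_id, "tracked with CA helper %r" % tracked[key]))
    return problems


def check_live(ca_ids):
    """Run the audit against the real certmonger on this host. `getcert list`
    is the actual certmonger command; the lightweight CA authority IDs are
    supplied by the caller (for example taken from `ipa ca-find`)."""
    output = subprocess.check_output(["getcert", "list"], universal_newlines=True)
    return untracked_lightweight_cas(output, ca_ids)


if __name__ == "__main__":
    for ca_id, reason in untracked_lightweight_cas(SAMPLE_GETCERT_LIST, SAMPLE_CA_IDS):
        print("lightweight CA %s: %s" % (ca_id, reason))
```

On the constructed sample the audit reports the second lightweight CA (tracked, but with the IPA helper instead of dogtag-ipa-ca-renew-agent) and the third (no request at all); the first lightweight CA and the main CA cert pass. Running `check_live()` on each CA server after ipa-certupdate is the operational counterpart of the review point: if any server reports a problem, that server would not renew or refresh the cert should it become the renewal master.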

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
