On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
Hi,
This patch fixes ipa-server-certinstall when used with 3rd-party certs.
The scenario is the following:
- install the server with an embedded CA
- use ipa-cacert-manage to install a 3rd party CA
- use ipa-certupdate to put the 3rd party CA cert in the relevant NSS
databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias
and /etc/dirsrv/slapd-XXX)
- use ipa-server-certinstall to replace the Directory/Apache server
certificates with a cert signed by the 3rd party CA.
Note that I had to run ipa-certupdate after putting selinux mode to
permissive (otherwise the cert does not get into
/etc/pki/pki-tomcat/alias) and a bz has been opened against
selinux-policy to solve this issue.
https://fedorahosted.org/freeipa/ticket/4785
https://fedorahosted.org/freeipa/ticket/4786
Hello,
The patch works as expected with the selinux requirement you mentioned.
I will just add Honza for code sanity check. Therefore conditional ACK
if the code can take no further improvements.
Standa
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
