On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
> The scenario is the following:
> - install the server with an embedded CA
> - use ipa-cacert-manage to install a 3rd party CA
> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS
> databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias)
> - use ipa-server-certinstall to replace the Directory/Apache server
> certificates with a cert signed by the 3rd party CA.
> Note that I had to run ipa-certupdate after putting selinux mode to
> permissive (otherwise the cert does not get into
> /etc/pki/pki-tomcat/alias) and a bz has been opened against
> selinux-policy to solve this issue.
The patch works as expected with the selinux requirement you mentioned.
I will just add Honza for code sanity check. Therefore conditional ACK
if the code can take no further improvements.