On 06/29/2016 02:17 PM, Stanislav Laznicka wrote:
> On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
>> The scenario is the following:
>> - install the server with an embedded CA
>> - use ipa-cacert-manage to install a 3rd party CA
>> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS 
>> databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and 
>> /etc/dirsrv/slapd-XXX)
>> - use ipa-server-certinstall to replace the Directory/Apache server 
>> certificates with a cert signed by the 3rd party CA.
>>
>> Note that I had to run ipa-certupdate after putting selinux mode to permissive
>> (otherwise the cert does not get into /etc/pki/pki-tomcat/alias) and a bz has
>> been opened against selinux-policy to solve this issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4785
>> https://fedorahosted.org/freeipa/ticket/4786
>>
>>
> Hello,
> 
> The patch works as expected with the selinux requirement you mentioned. I will
> just add Honza for code sanity check. Therefore conditional ACK if the code can
> take no further improvements.
> 
> Standa
> 
> 

Pushed to master: 025cfd911bce6214ef2b4311b16c5b6df6ad173a

According to Honza, it doesn't solve all corner cases. This can be fixed
in the future. Honza, please open a ticket with the corner cases when you
have time.

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
