On 06/29/2016 02:17 PM, Stanislav Laznicka wrote:
> On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
>> The scenario is the following:
>> - install the server with an embedded CA
>> - use ipa-cacert-manage to install a 3rd party CA
>> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS
>>   databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and
>>   /etc/dirsrv/slapd-XXX)
>> - use ipa-server-certinstall to replace the Directory/Apache server
>>   certificates with a cert signed by the 3rd party CA.
>>
>> Note that I had to run ipa-certupdate after putting selinux mode to
>> permissive (otherwise the cert does not get into /etc/pki/pki-tomcat/alias)
>> and a bz has been opened against selinux-policy to solve this issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4785
>> https://fedorahosted.org/freeipa/ticket/4786
>>
> Hello,
>
> The patch works as expected with the selinux requirement you mentioned. I
> will just add Honza for code sanity check. Therefore conditional ACK if the
> code can take no further improvements.
>
> Standa

Pushed to master: 025cfd911bce6214ef2b4311b16c5b6df6ad173a

According to Honza, it doesn't solve all corner cases. This can be fixed in the future. Honza, please open a ticket with the corner cases when you have time.

--
Petr Vobornik