Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 11/18/2013 01:54 PM, Tomas Babej wrote: On 11/15/2013 03:36 PM, Rob Crittenden wrote: Tomas Babej wrote: On 11/15/2013 02:46 PM, Ana Krivokapic wrote: On 11/13/2013 02:57 PM, Tomas Babej wrote: On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 11/20/2013 12:59 PM, Ana Krivokapic wrote: On 11/18/2013 01:54 PM, Tomas Babej wrote: [...] Updated patch attached. Looks good, ACK. Pushed to master: 4a0e91449e2b65304ae8d660d1a480200b1a13d3 -- Petr³ ___ Freeipa-devel mailing list

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 11/15/2013 03:36 PM, Rob Crittenden wrote: Tomas Babej wrote: On 11/15/2013 02:46 PM, Ana Krivokapic wrote: On 11/13/2013 02:57 PM, Tomas Babej wrote: On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 11/13/2013 02:57 PM, Tomas Babej wrote: On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 11/15/2013 02:46 PM, Ana Krivokapic wrote: On 11/13/2013 02:57 PM, Tomas Babej wrote: On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Tomas Babej wrote: On 11/15/2013 02:46 PM, Ana Krivokapic wrote: On 11/13/2013 02:57 PM, Tomas Babej wrote: On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 09/27/2013 10:14 AM, Martin Kosek wrote: On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 09/26/2013 04:46 PM, Jan Cholasta wrote: On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work:

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However,

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On 26.9.2013 12:59, Tomas Babej wrote: On 09/26/2013 12:54 PM, Jan Cholasta wrote: On 24.9.2013 18:14, Nalin Dahyabhai wrote: On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is

[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Hi, During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504 -- Tomas

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Hi, On 24.9.2013 12:03, Tomas Babej wrote: Hi, During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box.

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: