[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-02 Thread Fraser Tweedale via FreeIPA-devel
On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote: > Petr Vobornik via FreeIPA-devel wrote: > > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale wrote: > >> Hi devs, > >> > >> This is at least the second time recently that people needing to > >> renew service

[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-01 Thread Fraser Tweedale via FreeIPA-devel
Hi devs, This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess. Clearly we have a usability problem here. The ipa-cacert-manage(1) man page is

[Freeipa-devel] [DESIGN] Certificate profile update mechanism

2017-07-07 Thread Fraser Tweedale via FreeIPA-devel
Hi all, I've published a draft design for the profile update mechanism. This feature is to ensure that we can safely update included profiles even when we use Dogtag profile components only available in new versions. https://www.freeipa.org/page/V4/Certificate_profile_update_mechanism

[Freeipa-devel] Re: [DESIGN] Certificate profile update mechanism

2017-07-10 Thread Fraser Tweedale via FreeIPA-devel
upport. > > > > The other option is to tie the dogtag profiles version to the domain > > level as well, and only ever use new ones when the whole domain level > > is upped. This is conditional on newer versions of dogtag being able to > > use older profile versions wi

[Freeipa-devel] [RFC] Static type checking for FreeIPA (Mypy)

2017-08-08 Thread Fraser Tweedale via FreeIPA-devel
Hi team, At PyCon Australia on the weekend I was reminded of PEP-484 type hinting** and the Mypy type checker for Python. With the focus of the FreeIPA project shifting more towards stability, quality and maintainability, and with Python 3 porting work nearly wrapped up, now is the time to think about

[Freeipa-devel] Re: [RFC] Static type checking for FreeIPA (Mypy)

2017-08-09 Thread Fraser Tweedale via FreeIPA-devel
On Wed, Aug 09, 2017 at 10:18:33AM +0200, Christian Heimes via FreeIPA-devel wrote: > On 2017-08-08 08:04, Fraser Tweedale via FreeIPA-devel wrote: > > Hi team, > > > > At PyCon Australia on the weekend I was reminded of PEP-484 type > > hinting** and the M

[Freeipa-devel] Re: add Dogtag 10.4 builds to FreeIPA COPRs

2017-06-08 Thread Fraser Tweedale via FreeIPA-devel
On Thu, Jun 08, 2017 at 05:13:43PM +0200, Martin Bašti wrote: > > > On 08.06.2017 09:08, Martin Bašti via FreeIPA-devel wrote: > > > > > > On 08.06.2017 02:43, Fraser Tweedale via FreeIPA-devel wrote: > > > My PR https://github.com/freeipa/freeipa/pull/859

[Freeipa-devel] Re: add Dogtag 10.4 builds to FreeIPA COPRs

2017-06-09 Thread Fraser Tweedale via FreeIPA-devel
On Fri, Jun 09, 2017 at 10:25:34AM +0200, Martin Bašti wrote: > > > On 09.06.2017 05:46, Fraser Tweedale via FreeIPA-devel wrote: > > On Thu, Jun 08, 2017 at 05:13:43PM +0200, Martin Bašti wrote: > > > > > > On 08.06.2017 09:08, Mar

[Freeipa-devel] add Dogtag 10.4 builds to FreeIPA COPRs

2017-06-07 Thread Fraser Tweedale via FreeIPA-devel
My PR https://github.com/freeipa/freeipa/pull/859 bumps the pki-core dependency to >= 10.4. This patch is intended for master and 4.5 branches. Could someone with the needed permissions please add pki-core 10.4 builds for f25 and f26 to the @freeipa/freeipa-master and @freeipa/freeipa-4.5 COPRs?

[Freeipa-devel] freeipa-master COPR: add certmonger-0.79.5

2017-09-20 Thread Fraser Tweedale via FreeIPA-devel
Hi, Could someone with the relevant permissions please add certmonger-0.79.5-1[1] to the freeipa-master COPR for f26? It is needed for testing PR 930[2] and so I can amend the PR to bump the min version of certmonger in the spec file. [1]

[Freeipa-devel] pytest_multihost problems on f27

2017-09-20 Thread Fraser Tweedale via FreeIPA-devel
Just a heads up that running tests on f27 is a bit of a problem right now, due to a bug in paramiko that gets triggered when importing pytest_multihost.transport. Relevant upstream issues: - https://github.com/paramiko/paramiko/issues/1069 - https://github.com/paramiko/paramiko/pull/861 A quick

[Freeipa-devel] Re: freeipa-master COPR: add certmonger-0.79.5

2017-09-24 Thread Fraser Tweedale via FreeIPA-devel
Thank you, Tomas! On Fri, Sep 22, 2017 at 11:27:34AM +0200, Tomas Krizek wrote: > On 09/21/2017 05:39 PM, Rob Crittenden via FreeIPA-devel wrote: > > Tomas Krizek via FreeIPA-devel wrote: > >> On 09/21/2017 02:32 AM, Fraser Tweedale via FreeIPA-devel wrote: > >>>

[Freeipa-devel] python3-pyldap python 3 bugs

2017-08-25 Thread Fraser Tweedale via FreeIPA-devel
Hi team, There are some bugs in python3-pyldap; the version in f25 and f26 is affected (not sure about f27/rawhide but the problems have been fixed upstream[1]). In FreeIPA the `json_metadata' command is affected (at least), which breaks the Web UI. If you hit this, here (below) is a patch you

[Freeipa-devel] Re: [BLOG/DESIGN] cert-request revocation changes

2018-05-13 Thread Fraser Tweedale via FreeIPA-devel
On Fri, May 11, 2018 at 01:52:57PM -0400, Rob Crittenden via FreeIPA-devel wrote: > Simo Sorce wrote: > > On Fri, 2018-05-11 at 15:47 +1000, Fraser Tweedale via FreeIPA-devel > > wrote: > > > Hi all, > > > > > > Ticket https://pagure.io/freeipa/issue/

[Freeipa-devel] [BLOG/DESIGN] cert-request revocation changes

2018-05-10 Thread Fraser Tweedale via FreeIPA-devel
Hi all, Ticket https://pagure.io/freeipa/issue/7482 made me think about the current revocation behaviour in `ipa cert-request`. For hosts and services, all old certificates get revoked. I wrote a blog post[1] outlining the problems with the current behaviour, and some suggested changes. I'd

[Freeipa-devel] New RFCs 8398 and 8399 update RFC 5280 (X.509)

2018-05-24 Thread Fraser Tweedale via FreeIPA-devel
Just a quick heads up that a couple of new RFCs[1][2] update RFC 5280 w.r.t. i18n support. [1] https://tools.ietf.org/html/rfc8398 [2] https://tools.ietf.org/html/rfc8399 The most notable change is a new otherName type to represent internationalised email addresses (i.e. when the local part is

[Freeipa-devel] [DESIGN] Certificate revocation behaviour standardisation

2018-06-04 Thread Fraser Tweedale via FreeIPA-devel
Hi all, Pursuant to recent discussions, here is a draft design[1] that formalises and (as of initial draft) proposes some changes to FreeIPA's certificate revocation behaviours. Nothing is set in stone. Every change is up for debate. There are some open questions (search for **TODO** and

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-05-31 Thread Fraser Tweedale via FreeIPA-devel
On Thu, May 31, 2018 at 11:17:51AM -0400, Rob Crittenden via FreeIPA-devel wrote: > Standa Laznicka via FreeIPA-devel wrote: > > Hello people of the freeipa-devel channel, > > > > Let me share a design that proposes a way of automating the way FreeIPA > > replicas would be promoted to become a

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-05-31 Thread Fraser Tweedale via FreeIPA-devel
On Thu, May 31, 2018 at 12:10:31PM +0200, Standa Laznicka via FreeIPA-devel wrote: > Hello people of the freeipa-devel channel, > > Let me share a design that proposes a way of automating the way FreeIPA > replicas would be promoted to become a CRL master. Since the > configuration cannot be

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-05-31 Thread Fraser Tweedale via FreeIPA-devel
On Thu, May 31, 2018 at 10:10:07PM -0400, Rob Crittenden via FreeIPA-devel wrote: > Fraser Tweedale via FreeIPA-devel wrote: > > On Thu, May 31, 2018 at 11:17:51AM -0400, Rob Crittenden via FreeIPA-devel > > wrote: > >> Standa Laznicka via FreeIPA-devel wrote: > >

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-06-05 Thread Fraser Tweedale via FreeIPA-devel
On Tue, Jun 05, 2018 at 09:51:08AM +0200, Florence Blanc-Renaud wrote: > On 06/01/2018 03:08 AM, Fraser Tweedale via FreeIPA-devel wrote: > > On Thu, May 31, 2018 at 12:10:31PM +0200, Standa Laznicka via FreeIPA-devel > > wrote: > > > Hello people of the freeipa-devel chan

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-06-06 Thread Fraser Tweedale via FreeIPA-devel
> > On 06/05/2018 11:02 AM, Fraser Tweedale wrote: > > On Tue, Jun 05, 2018 at 09:51:08AM +0200, Florence Blanc-Renaud wrote: > >> On 06/01/2018 03:08 AM, Fraser Tweedale via FreeIPA-devel wrote: > >>> On Thu, May 31, 2018 at 12:10:31PM +0200, Standa Laznicka

[Freeipa-devel] Re: Candidate PRs to close

2018-05-03 Thread Fraser Tweedale via FreeIPA-devel
Thanks Rob, Comments inline. On Thu, May 03, 2018 at 02:59:02PM -0400, Rob Crittenden via FreeIPA-devel wrote: > There are a lot of old, outdated PRs. > > I think we need to close them and strive hard to keep the list of PRs very > low so for this round, against my usual instincts, I propose

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-02-18 Thread Fraser Tweedale via FreeIPA-devel
On Fri, Feb 16, 2018 at 12:51:41PM -0600, Ian Pilcher via FreeIPA-devel wrote: > I have an older NETGEAR switch that has an annoying habit of using its IP > address in URLs that it sends back to the browser. The result can be > seen here: > > https://www.penurio.us/oops.png > > I would like to

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-11 Thread Fraser Tweedale via FreeIPA-devel
Thanks Ian! I'll try and review this in the next couple of days? Do you use GitHub? If so, you could create a pull request there, which will make it more visible, easier to review, and cause CI to run on your patch. If not, that's OK. We are happy to receive your contribution by any means!

[Freeipa-devel] Re: Contribute/Code wiki page update

2018-03-12 Thread Fraser Tweedale via FreeIPA-devel
On Mon, Mar 12, 2018 at 10:11:24AM +0100, Florence Blanc-Renaud via FreeIPA-devel wrote: > Hi all, > > I recently updated the Contribute/Code wiki page > (https://www.freeipa.org/page/Contribute/Code), especially the sections > related to Code Review Process. > > As developers, we often prefer

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-14 Thread Fraser Tweedale via FreeIPA-devel
On Wed, Mar 14, 2018 at 09:11:20AM -0500, Ian Pilcher via FreeIPA-devel wrote: > On 03/11/2018 09:31 PM, Fraser Tweedale wrote: > > Thanks Ian! I'll try and review this in the next couple of days? > > No rush. I'm traveling this week, so I won't be able to do anything with > this anyway. > > > Do