Re: [Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-14 Thread Martin Basti



On 14.12.2015 11:46, David Kupka wrote:

On 14/12/15 11:00, David Kupka wrote:

On 10/12/15 19:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5512

patch attached.



Hi,
thanks for the patch. It works but only when WAIT_AFTER_ARCHIVE is 
raised.

Patch attached.
IOW, your patch works for me, ACK. To let tests pass (and eventually 
fall on other issue when it appears) please include my patch.



Pushed to master: bf9a34f4cfc2c514ff53efea4ba56e2c0cb3033f

I also pushed your workaround for tests.
Pushed to:
master: 8112ac69ccf56dd98c5eb6e77ea131b4665bd1cf
ipa-4-2: ac0999ede0d665dee75446f660301fd53e69177b

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-14 Thread David Kupka

On 14/12/15 11:00, David Kupka wrote:

On 10/12/15 19:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5512

patch attached.



Hi,
thanks for the patch. It works but only when WAIT_AFTER_ARCHIVE is raised.
Patch attached.
IOW, your patch works for me, ACK. To let tests pass (and eventually 
fall on other issue when it appears) please include my patch.


--
David Kupka



Re: [Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-14 Thread David Kupka

On 10/12/15 19:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5512

patch attached.



Hi,
thanks for the patch. It works but only when WAIT_AFTER_ARCHIVE is raised.
Patch attached.
--
David Kupka
From a209343652b8bedfcbca83c7eafc699e72c0a261 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 14 Dec 2015 10:52:44 +0100
Subject: [PATCH] test: Temporarily increase timeout in vault test.

Remove this change when vault is fixed.
---
 ipatests/test_integration/test_vault.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index 74b554eb283278940e6ed0a93596ed194eadadcb..3b717c9cdfda30dd230d31730328cd3aa4cbdd49 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -7,7 +7,7 @@ import time
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
 
-WAIT_AFTER_ARCHIVE = 30  # give some time to replication
+WAIT_AFTER_ARCHIVE = 90  # give some time to replication
 
 
 class TestInstallKRA(IntegrationTest):
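
Review bot: the comment on the changed line, "WAIT_AFTER_ARCHIVE = 90  # give some time to replication", gives no hint that the new value is a temporary workaround, while the commit message asks for the change to be removed when vault is fixed. Put that in the comment next to the constant (a TODO naming the vault fix) so the larger timeout is not forgotten. If the constant is used as a fixed sleep, a bounded poll for the archived data on the replica would keep the test from passing or failing on timing alone.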
-- 
2.5.0


[Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-10 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5512

patch attached.
From 75b69aee3e3911cdf66c0d6dd40c49fd0da61492 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 10 Dec 2015 13:46:07 +0100
Subject: [PATCH] Install RA cert during replica promotion

This cert is needed with KRA to be able to store and retrieve secrets.

https://fedorahosted.org/freeipa/ticket/5512
---
 ipaserver/install/cainstance.py            | 4 ----
 ipaserver/install/server/replicainstall.py | 8 ++++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 56ec3fe74e8d4adfe17f46a62f705021f6a81f75..99582b5e0d33afc1c97a8e5067a3a10498651869 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1335,12 +1335,8 @@ class CAInstance(DogtagInstance):
 self.step("setting audit signing renewal to 2 years",
   self.set_audit_renewal)
 
-self.step("configure certmonger for renewals",
-  self.configure_certmonger_renewal)
 self.step("configure certificate renewals",
   self.configure_renewal)
-self.step("configure RA certificate renewal",
-  self.configure_agent_renewal)
 self.step("configure Server-Cert certificate renewal",
   self.track_servercert)
 self.step("Configure HTTP to proxy connections",
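
Review bot: the two removed steps, "configure certmonger for renewals" and "configure RA certificate renewal", are re-added by this patch only inside promote() in replicainstall.py, so any other caller of this CAInstance step sequence is left without certmonger renewal setup and without RA certificate renewal tracking. Please confirm which install paths run this sequence and that each of them still calls configure_certmonger_renewal() and configure_agent_renewal() somewhere, and mention the move in the commit message, which currently describes only installing the RA cert.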
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4f239aacd50ab8692830a6f4505c66ba9b1518b2..bd2de16fc4a0ff5a050eebd942682e13de0b1583 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1282,6 +1282,14 @@ def promote(installer):
  installer._ca_enabled)
 custodia.create_replica(config.master_host_name)
 
+if installer._ca_enabled:
+CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
+
+CA.configure_certmonger_renewal()
+CA.configure_agent_renewal()
+cainstance.export_kra_agent_pem()
+CA.fix_ra_perms()
+
 krb = install_krb(config,
   setup_pkinit=not options.no_pkinit,
   promote=True)
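
Review bot: the new block runs for every promotion where installer._ca_enabled is set, although the commit message ties the need to KRA. A short comment above "if installer._ca_enabled:" explaining why the RA agent cert is configured and exported at this point (after custodia.create_replica, before install_krb) would help the next reader. Two things worth confirming: that cainstance.export_kra_agent_pem() writes its output with restrictive permissions from the start rather than depending on the CA.fix_ra_perms() call that follows it, and that a failure in any of the four calls aborts the promotion instead of leaving a replica with a partly configured RA cert.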
-- 
2.5.0
