Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-10 Thread Martin Kosek

On 10/09/2014 03:56 PM, David Kupka wrote:

On 10/08/2014 01:23 PM, Jan Cholasta wrote:

On 8.10.2014 at 12:27, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for
noticing). Updated patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



Works for me, ACK.



Thanks, pushed to master.

Just to double check - no parts of the fixes should be applied to 4.1 or 4.0 
branches, is that correct?


Martin



Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-10 Thread David Kupka

On 10/10/2014 08:50 AM, Martin Kosek wrote:

On 10/09/2014 03:56 PM, David Kupka wrote:

On 10/08/2014 01:23 PM, Jan Cholasta wrote:

On 8.10.2014 at 12:27, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for
noticing). Updated patch attached.






Works for me, ACK.



Thanks, pushed to master.

Just to double check - no parts of the fixes should be applied to 4.1 or
4.0 branches, is that correct?

Martin


I've never seen or been able to reproduce this bug other than on master 
branch. AFAIK, the issue was caused by KRA patches that are only in master.

--
David Kupka



Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-10 Thread Jan Cholasta

On 10.10.2014 at 08:55, David Kupka wrote:

On 10/10/2014 08:50 AM, Martin Kosek wrote:

On 10/09/2014 03:56 PM, David Kupka wrote:

On 10/08/2014 01:23 PM, Jan Cholasta wrote:

On 8.10.2014 at 12:27, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for
noticing). Updated patch attached.






Works for me, ACK.



Thanks, pushed to master.

Just to double check - no parts of the fixes should be applied to 4.1 or
4.0 branches, is that correct?

Martin


I've never seen or been able to reproduce this bug other than on master
branch. AFAIK, the issue was caused by KRA patches that are only in master.


The patch is master only and applies on top of the KRA changes.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-09 Thread David Kupka

On 10/08/2014 01:23 PM, Jan Cholasta wrote:

On 8.10.2014 at 12:27, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for
noticing). Updated patch attached.






Works for me, ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-08 Thread Jan Cholasta

On 8.10.2014 at 12:27, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for 
noticing). Updated patch attached.


--
Jan Cholasta
From f2edb5ddf291d1f14c13e155412f5154d491c84e Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 16:46:15 +0200
Subject: [PATCH] Fix certmonger configuration in installer code

https://fedorahosted.org/freeipa/ticket/4619
---
 install/tools/ipa-server-install |  5 +--
 install/tools/ipa-upgradeconfig  |  2 +-
 ipaserver/install/cainstance.py  | 87 +---
 ipaserver/install/dogtaginstance.py  | 77 ++-
 ipaserver/install/ipa_kra_install.py |  2 +-
 ipaserver/install/krainstance.py |  9 ++--
 6 files changed, 78 insertions(+), 104 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 89d7330..f394f1e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -561,14 +561,13 @@ def uninstall():
 
 kra_instance = krainstance.KRAInstance(
 api.env.realm, dogtag_constants=dogtag_constants)
-kra_instance.stop_tracking_certificates(dogtag_constants)
+kra_instance.stop_tracking_certificates()
 if kra_instance.is_installed():
 kra_instance.uninstall()
 
 ca_instance = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
-ca_instance.stop_tracking_certificates(dogtag_constants)
-ca_instance.stop_tracking_agent_certificate(dogtag_constants)
+ca_instance.stop_tracking_certificates()
 if ca_instance.is_configured():
 ca_instance.uninstall()
 
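Review bot: In uninstall(), the explicit ca_instance.stop_tracking_agent_certificate(dogtag_constants) call is dropped with no replacement visible in this hunk. If stop_tracking_certificates() does not also stop tracking the RA agent certificate, uninstall will leave that certmonger request behind; please confirm that it does, or keep a separate call. A line in the commit message saying where the agent-certificate handling moved would help, since the message currently holds only the ticket URL.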
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb5..339dcb9 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca):
 
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
-ca.stop_tracking_certificates(dogtag_constants)
+ca.stop_tracking_certificates()
 
 if not sysupgrade.get_upgrade_state('dogtag',
 'certificate_renewal_update_1'):
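Review bot: ca.stop_tracking_certificates() no longer receives dogtag_constants here, so any caller that still passes the argument will fail with a TypeError at run time, and install, upgrade and uninstall paths are rarely all exercised in one test run. Worth grepping the tree for remaining stop_tracking_certificates( callers outside the six files in the diffstat, and confirming that the ca object handed to certificate_renewal_update() was constructed with the intended dogtag_constants, since this call no longer supplies them.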
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3a296f5..cbb9e2c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -330,6 +330,12 @@ class CAInstance(DogtagInstance):
2 = have signed cert, continue installation
 
 
+tracking_reqs = (('auditSigningCert cert-pki-ca', None),
+ ('ocspSigningCert cert-pki-ca', None),
+ ('subsystemCert cert-pki-ca', None),
+ ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
+server_cert_name = 'Server-Cert cert-pki-ca'
+
 def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
  host_name=None, dm_password=None, ldapi=True):
 if dogtag_constants is None:
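Review bot: 'Server-Cert cert-pki-ca' is no longer an entry in tracking_reqs (it was the first entry of the instance-level tuple removed from __init__ in the next hunk) and now lives only in server_cert_name, so any code that loops over tracking_reqs to start or stop tracking will skip the server certificate unless it handles server_cert_name explicitly. Please confirm both the start and the stop paths cover it, and add a short comment above these class attributes saying why Server-Cert is kept apart and what the second element of each pair (None or 'ipaCACertRenewal') means.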
@@ -363,11 +369,6 @@ class CAInstance(DogtagInstance):
 self.ra_agent_pwd = None
 self.ra_cert = None
 self.requestId = None
-self.tracking_reqs = (('Server-Cert cert-pki-ca', None),
-  ('auditSigningCert cert-pki-ca', None),
-  ('ocspSigningCert cert-pki-ca', None),
-  ('subsystemCert cert-pki-ca', None),
-  ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
 self.log = log_mgr.get_logger(self)
 
 def configure_instance(self, host_name, domain, dm_password,
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance):
 self.step(issuing RA agent certificate, self.__issue_ra_cert)
 self.step(adding RA agent as a trusted user, self.__configure_ra)
 self.step(configure certmonger for renewals, self.configure_certmonger_renewal)
-self.step(configure certificate renewals, self.configure_cert_renewal)
+self.step(configure certificate renewals, self.configure_renewal)
 if not self.clone:
 self.step(configure RA certificate renewal, self.configure_agent_renewal)
 self.step(configure Server-Cert certificate renewal, self.track_servercert)
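Review bot: The step on the line just above the change still references self.configure_certmonger_renewal, while the last hunk of this file removes that static method from CAInstance. Please confirm it is now provided by DogtagInstance or another base class so the attribute still resolves; otherwise configure_instance() raises AttributeError when it reaches this line. The names configure_renewal, configure_certmonger_renewal and configure_agent_renewal are also easy to confuse, so a docstring on configure_renewal stating which certificates it covers would help.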
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance):
 fd.close()
 os.chmod(location, 0444)
 
-@staticmethod
-def configure_certmonger_renewal():
-
-Create a new CA type for certmonger that will retrieve updated
-certificates from the dogtag master server.
-
-services.knownservices.messagebus.start()
-cmonger = services.knownservices.certmonger
-cmonger.enable()
-cmonger.start()
-
-bus = dbus.SystemBus()
-obj =