On Tue, 2013-04-09 at 16:02 +0200, Martin Kosek wrote:
> On 04/08/2013 05:09 PM, Martin Kosek wrote:
> > On 04/08/2013 03:47 PM, Dmitri Pal wrote:
> >> On 04/08/2013 08:42 AM, Martin Kosek wrote:
> >>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
> >>>> On 8.4.2013 10:47, Jan Cholasta wrote:
> >>>>> Hi,
> >>>>>
> >>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
> >>>>>
> >>>>> Honza
> >>>>>
> >>>> Re-sending with correct subject.
> >>>>
> >>> I tested the change both for upgrades and for fresh installs and it
> >>> worked fine in both cases, even when testing with Firefox enforcing mode.
> >>>
> >>> So far, the biggest issue I see in the current process is NSS not being
> >>> able to fall back to another defined OCSP responder (I tested with
> >>> Firefox 20). This way, Firefox will fail validating the FreeIPA site
> >>> when the first tested OCSP responder is not available (e.g. the
> >>> original IPA CA signing the http cert, or an `ipa-ca.$domain` host that
> >>> is currently not up).
> >>
> >> Have we filed a ticket with FF?
> >
> > AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug
> > open for NSS:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=797815
> >
> > Rob seems to have more context about this bug's background.
> >
> > Martin
> >
>
> We may want to wait with pushing this patch until we get some response in
> the NSS Bugzilla above. If our request is rejected, we may be forced to use
> just a single CRL/OCSP (which would probably be the general one) and thus
> supersede patch 123.
Well, it will have to depend on when you create certs. The first IPA server's own cert should probably point at the IPA server name. Then we should warn in bold letters that the user should create such and such a DNS name if they did not let IPA handle DNS.

If we can handle DNS, then any other use can refer to the common name, which can be an A name with multiple entries (each IPA CA server should be listed there by default and the record should be changed at CA replica install/decommission time; however, we should allow admins to add/remove names manually as well, in case they want to add proxies or conceal some of the CA servers).

We may also want to change the RA client code to use that record to fetch certs.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
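As an added illustration of the record-maintenance step Simo describes (a shared `ipa-ca.$domain` A name listing every CA server, updated when a CA replica is installed or decommissioned, with admin-pinned extra addresses and concealed servers honoured), here is example code that is not part of FreeIPA or of anyone's patch in this thread. It computes the difference between the currently published A records and the desired set and emits the corresponding `nsupdate` commands. The function names, the `example.test` domain and all addresses are constructed for the example; how a real installer discovers CA replicas and which DNS server it updates is assumed, not taken from the thread.

```python
"""Keep the shared ipa-ca.<domain> A record in sync with the set of CA servers.

Example code written for this thread; not FreeIPA's own implementation.
"""
import ipaddress


def plan_ipa_ca_record(domain, ca_servers, current_a_records,
                       concealed=(), manual_extra=()):
    """Return (record_name, to_add, to_delete) for ipa-ca.<domain>.

    domain            DNS domain, e.g. "example.test" (constructed here)
    ca_servers        mapping hostname -> IPv4 address of every replica
                      that runs a CA (as discovered by the installer; assumed)
    current_a_records IPv4 strings currently published for the record
    concealed         hostnames the admin does not want advertised
    manual_extra      addresses the admin pinned by hand (e.g. proxies);
                      they are kept even though no CA replica owns them
    """
    name = "ipa-ca.%s." % domain
    desired = set()
    for host, addr in ca_servers.items():
        if host in concealed:
            continue
        desired.add(str(ipaddress.IPv4Address(addr)))
    desired |= {str(ipaddress.IPv4Address(a)) for a in manual_extra}
    current = {str(ipaddress.IPv4Address(a)) for a in current_a_records}
    # Anything published that no live, non-concealed CA or admin entry
    # explains is a leftover from a decommissioned replica: delete it.
    return name, sorted(desired - current), sorted(current - desired)


def nsupdate_script(name, to_add, to_delete, ttl=300):
    """Render the plan as input for nsupdate(8); empty string if nothing to do."""
    lines = ["update delete %s A %s" % (name, ip) for ip in to_delete]
    lines += ["update add %s %d A %s" % (name, ttl, ip) for ip in to_add]
    if lines:
        lines.append("send")
    return "\n".join(lines)


def record_covers_all_cas(ca_servers, current_a_records, concealed=()):
    """True if every non-concealed CA server is reachable through the record.

    This is the check an installer would run (or warn about in bold letters,
    as Simo puts it) when IPA is not managing DNS itself.
    """
    current = {str(ipaddress.IPv4Address(a)) for a in current_a_records}
    return all(str(ipaddress.IPv4Address(addr)) in current
               for host, addr in ca_servers.items() if host not in concealed)


if __name__ == "__main__":
    # Constructed sample: three CA replicas, one concealed by the admin,
    # one admin-added proxy, and a stale entry left by a decommissioned replica.
    ca = {"ipa1.example.test": "192.0.2.11",
          "ipa2.example.test": "192.0.2.12",
          "ipa3.example.test": "192.0.2.13"}
    published = ["192.0.2.11", "192.0.2.13", "192.0.2.99"]
    name, add, delete = plan_ipa_ca_record(
        "example.test", ca, published,
        concealed={"ipa3.example.test"}, manual_extra=["198.51.100.5"])
    print(nsupdate_script(name, add, delete))
```

The `nsupdate` commands it prints can be fed to `nsupdate -g` (GSS-TSIG) against the zone's primary; with `manual_extra` and `concealed` persisted somewhere the installer reads, replica install and decommission become a recompute-and-apply of the same plan rather than a hand edit.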
