On 12.3.2014 19:59, Petr Viktorin wrote:
On 03/10/2014 01:03 PM, Jan Cholasta wrote:
On 17.10.2013 18:59, Jan Cholasta wrote:
On 17.10.2013 18:01, Petr Viktorin wrote:
On 10/17/2013 02:21 PM, Jan Cholasta wrote:
Hi,
this patchset contains refactoring of the certificate renewal code,
which will be the base for CA certificate renewal.
The biggest change is a new certmonger CA helper
dogtag-ipa-ca-renew-agent, which replaces
dogtag-ipa-retrieve-agent-submit as well as parts of certmonger
post-commands used in certificate renewal. It provides more flexibility
when doing renewals and allows unified certmonger configuration on both
CA master and clones.
How to test: Test both CA-ful and CA-less server and replica installs
and upgrades, check that certmonger is configured properly and
certificate renewal works (see
https://fedorahosted.org/freeipa/ticket/2803#comment:17 for details).
Certmonger is not configured/started in CA-less installs.
That's expected.
I tested fresh installs and upgrades; renewals work fine for me.
161-184 look OK
185: one more nitpick:
    cert = entry['usercertificate'][0]
Shouldn't that use entry.single_value?
I did not feel like changing this, because this is used in the original
code and the userCertificate LDAP attribute is multi-value.
186-189 look OK
190: Is
    fqdn = entries[0].dn[1].value
    return api.env.host == fqdn
safe? Can they differ in case, for example?
I guess so, will fix.
191-196 look OK
Note that patches 178 & 179 were already pushed. Also, patch 190 was
changed to store information about which CA instance is master in LDAP.
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel