Jan Cholasta wrote:
> On 2.7.2014 19:37, Jan Cholasta wrote:
>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>> Trimming to respond to your questions.
>>>>> Not sure if this is related:
>>>>> # pki cert-find
>>>>> PKIException: Internal Server Error
>>>
>>> I'm pretty sure the cert-find error is related to the fact that I had a
>>> test build of dogtag installed, so that can be ignored.
>>
>> It does not work for me as well, with the current F20 dogtag packages,
>> but like I said, it worked some time ago.
>
> Still haven't figured this out, unfortunately.
>
> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
> certificates on master.
>
> Updated rebased patches attached. The correct order to apply is 295-294,
> 303-305, 295-299.
>

251

I'm a little confused about the profile names. I see you changed the
renewal profile from ipaCACertRenewal to caCACert which I guess makes
sense. I don't see an ipaCACertRenewal profile.

There is still a reference to an ipaRetrieval profile, what is that?

ACK to the changes in 291

299

I guess you added the check for existing certs to avoid conflicts? I
guess it means that a user is hosed if they chose the same name for
their CA that we use?

I think you're missing a sys.exit(1) here.

303

Looks good. The man page is still a little thin.

304

Not to be too pedantic but if removing the old CACERT fails (SELinux,
immutable file) then the install will blow up and this is the very end.
I think the removal should happen earlier, before anything else happens.
That way at least you don't wait 10 minutes to find out the install failed.

305

ACK

I didn't have a ton of time to test but a basic install fails with:

2014-07-03T21:44:49Z DEBUG stderr=
2014-07-03T21:44:49Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1046, in main
    dm_password, subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 489, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1041, in __import_ca_chain
    (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 79, in get_cert_nickname
    nsscert = x509.load_certificate(cert)

  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
    return nss.Certificate(buffer(data))

2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

rob