On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> On 28/05/15 11:48, Martin Basti wrote:
> >On 27/05/15 16:04, Fraser Tweedale wrote:
> >>Hello all,
> >>
> >>Fresh certificate management patchset; Changelog:
> >>
> >>- Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals.
> >>
> >>- Updated Dogtag dependency to 10.2.4-1. Should be in f22 soon, but for f22 right now or for f21, please grab from my copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> >>
> >> Martin^1 could you please add to the quasi-official freeipa copr? SRPM lives at https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> >>
> >>- cert-request now verifies that for user principals, CSR CN matches uid and DN emailAddress and SAN rfc822Name match user's email address, if either of those is present.
> >>
> >>- Fixed one or two other sneaky little bugs.
> >>
> >>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> >>>Hi all,
> >>>
> >>>Please find attached the latest certificate management patchset, which introduces the `caacl' plugin and various fixes and improvements to earlier patches.
> >>>
> >>>One important change to earlier patches is reverting the name of the default profile to 'caIPAserviceCert' and using the existing instance of this profile on upgrade (but not install) in case it has been modified.
> >>>
> >>>Other notes:
> >>>
> >>>- Still have changes in ipa-server-install (fewer lines now, though)
> >>>
> >>>- Still have the ugly import hack. It is not a high priority for me, i.e. I think it should wait until after alpha
> >>>
> >>>- Still need to update 'service' and 'host' plugins to support multiple certificates. (The userCertificate attribute schema itself is multi-valued, so there are no schema issues here)
> >>>
> >>>- The TODOs in [1]; mostly certprofile CLI conveniences and supporting multiple profiles for hosts and services (which requires changes to framework only, not schema).
> >>>
> >>>[1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >>>
> >>>Happy reviewing! I am pleased with the initial cut of the caacl plugin but I'm sure you will find some things to be fixed :)
> >>>
> >>>Cheers,
> >>>Fraser
> >
> >[root@vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
> >Directory Manager (existing master) password:
> >
> >Preparing replica for vm-094.example.com from vm-093.example.com
> >Creating SSL certificate for the Directory Server
> >not well-formed (invalid token): line 2, column 14
> >
> >I cannot create the replica file. It works on the upgraded server, but it doesn't work on the newly installed server. I'm not sure if this is caused by your patches which modify the ca-installer, or by the newer version of dogtag.
> >
> >Or if there were any other changes in master; I will continue to investigate with new RPMs from the master branch.
> >
> >Martin^2
> >
> ipa-replica-prepare works for:
> * master branch
> * master branch + pki-ca 10.2.4-1
>
> So something in your patches is breaking it
>
> Martin^2
>
Martin,

master + my patches with pki 10.2.4-1 is working for me on f21 and f22. Can you provide ipa-replica-prepare --debug output and the Dogtag debug log? ( /var/log/pki/pki-tomcat/ca/debug )

Thanks,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
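The user-principal CSR checks that the changelog above describes (subject CN must equal the uid; any DN emailAddress or SAN rfc822Name, if present, must equal the user's email address) as an added example. This is illustrative code written for this page, not FreeIPA's or Dogtag's cert-request implementation: it uses a small DER reader so it runs with the Python standard library only, it does not verify the CSR signature (Dogtag does that in the real flow), it assumes exact string comparison for both the uid and the email addresses, and the sample CSR it checks is constructed inline with a dummy key and an empty signature.

```python
"""Added example, not FreeIPA's code: the user-principal CSR rules from the
thread (subject CN must equal the uid; any DN emailAddress or SAN rfc822Name
must equal the user's mail) applied to a DER-encoded PKCS#10 request.
Standard library only: a minimal DER reader walks the request. The CSR
signature is not checked here (that is Dogtag's job), and the sample CSR
built below is constructed with a dummy key and an empty signature."""

# Raw DER encodings of the OIDs we look for (dotted form in the comment).
OID_CN = b"\x55\x04\x03"                                 # 2.5.4.3 commonName
OID_EMAIL = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"      # 1.2.840.113549.1.9.1 emailAddress
OID_EXT_REQ = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0e"    # 1.2.840.113549.1.9.14 extensionRequest
OID_SAN = b"\x55\x1d\x11"                                # 2.5.29.17 subjectAltName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"        # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed element into (tag, content) items."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        items.append((tag, value))
    return items


def der(tag, content):
    """Encode one TLV (used only to build the constructed sample CSR)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def csr_fields(csr_der):
    """Return subject CNs, subject emailAddress values and SAN rfc822Names."""
    out = {"cn": [], "email": [], "rfc822": []}
    _, request, _ = der_read(csr_der)                       # CertificationRequest
    info = der_children(request)[0][1]                      # certificationRequestInfo
    _version, subject, _spki, attrs = der_children(info)
    for _, rdn in der_children(subject[1]):                 # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                out["cn"].append(value.decode("utf-8"))
            elif oid == OID_EMAIL:
                out["email"].append(value.decode("ascii"))
    for _, attr in der_children(attrs[1]):                  # Attribute { type, values }
        (_, oid), (_, values) = der_children(attr)
        if oid != OID_EXT_REQ:
            continue
        for _, exts in der_children(values):                # Extensions
            for _, ext in der_children(exts):               # Extension { id, [critical], value }
                parts = der_children(ext)
                if parts[0][1] != OID_SAN:
                    continue
                _, names, _ = der_read(parts[-1][1])        # OCTET STRING wraps GeneralNames
                for tag, name in der_children(names):
                    if tag == 0x81:                         # [1] rfc822Name, IA5String
                        out["rfc822"].append(name.decode("ascii"))
    return out


def check_user_csr(csr_der, uid, user_mails):
    """Accept or reject a CSR for user principal `uid` whose entry holds `user_mails`.
    Returns (accepted, reason). Exact string comparison is an assumption."""
    f = csr_fields(csr_der)
    if f["cn"] != [uid]:                                    # exactly one CN, equal to the uid
        return False, "subject CN %r does not match uid %r" % (f["cn"], uid)
    presented = f["email"] + f["rfc822"]
    if not presented:                                       # no email claimed: nothing to match
        return True, "ok"
    bad = [m for m in presented if m not in user_mails]     # also rejects a user with no mail
    if bad:
        return False, "email address(es) %r not in user entry" % bad
    return True, "ok"


def build_sample_csr(cn, email=None, rfc822=()):
    """Constructed, unsigned sample CSR (dummy key) for exercising the checks."""
    rdns = [der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode())))]
    if email is not None:
        rdns.append(der(0x31, der(0x30, der(0x06, OID_EMAIL) + der(0x16, email.encode()))))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + b"\x05\x00") + der(0x03, b"\x00"))
    attrs = b""
    if rfc822:
        names = der(0x30, b"".join(der(0x81, n.encode()) for n in rfc822))
        ext = der(0x30, der(0x06, OID_SAN) + der(0x04, names))
        attrs = der(0x30, der(0x06, OID_EXT_REQ) + der(0x31, der(0x30, ext)))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"".join(rdns)) + spki + der(0xA0, attrs))
    sigalg = der(0x30, der(0x06, OID_RSA) + b"\x05\x00")
    return der(0x30, info + sigalg + der(0x03, b"\x00"))


if __name__ == "__main__":
    good = build_sample_csr("alice", "alice@example.com", ["alice@example.com"])
    print(check_user_csr(good, "alice", ["alice@example.com"]))
    print(check_user_csr(build_sample_csr("alice", "mallory@example.com"), "alice", ["alice@example.com"]))
```

The second rule is deliberately applied to the union of DN emailAddress and SAN rfc822Name values: a request that is clean in the subject but smuggles another user's address into the SAN is rejected, and a user entry with no mail attribute cannot satisfy any presented address at all.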