
Weekly Digest (19 July, 2020 - 26 July, 2020) #530

Closed
weekly-digest bot opened this issue Jul 26, 2020 · 0 comments


weekly-digest bot commented Jul 26, 2020

Here's the Weekly Digest for SilleBille/pki:


ISSUES

Last week, no issues were created.


PULL REQUESTS

Last week, 2 pull requests were created, updated or merged.

UPDATED PULL REQUEST

Last week, 2 pull requests were updated.
💛 #76 Introducing error, by SilleBille
💛 #71 Adding pylint error to test TravisBuddy, by SilleBille


COMMITS

Last week there were 16 commits.
🛠️ Fix pylint issue in healthcheck This patch fixes the pylint issue caught in our CI. This is a regression of a change introduced in freeipa-healthcheck: https://github.com/freeipa/freeipa-healthcheck/commit/d247c6158169a4ff97cd35ac57fec4e355617c52#diff-3aa64e1b97b8e0bf584a86cbe79986c4 Signed-off-by: Dinesh Prasanth M K dmoluguw@redhat.com by SilleBille
🛠️ Support exporting CA certificate from HSM installs When installing an installation with subsystem SSL certificate residing on the HSM, export will fail because the NSS DB isn't opened with the specified HSM token. When the subsystem SSL certificate resides on the HSM, when we go to export the CA certificate, we must explicitly specify this token. Otherwise, subsystem startup will fail with an error like:
    systemd[1]: Starting PKI Tomcat Server topology-02-CA...
    pki-server[72759]: Enter password for NHSM6000-OCS
    pki-server[72759]: ERROR: Certificate not found: NHSM6000-OCS:Server-Cert cert-topology-02-CA
    pki-server[72759]: ERROR: Command: pki -d /etc/pki/topology-02-CA/alias -C /tmp/tmpptxlpn4k/password.txt pkcs12-export --pkcs12 /tmp/tmp1idfd1am/sslserver.p12 --password-file /tmp/tmpc5y2bhjo/password.txt --no-key NHSM6000-OCS:Server-Cert cert-topology-02-CA
    systemd[1]: pki-tomcatd@topology-02-CA.service: Control process exited, code=exited status=255
    systemd[1]: pki-tomcatd@topology-02-CA.service: Failed with result 'exit-code'.
This is related to the earlier PR enforcing certificate verification in PKIConnection, pr-#443. Resolves: rh-bz#1857933 Signed-off-by: Alexander Scheel ascheel@redhat.com by cipherboy
🛠️ Fix HTTP Request formatting in AdminConnection AdminConnection's processRequest method creates a hand-rolled HTTP request to the remote server. This is used by PKI Console when authenticated as an administrator. Because of the recent CVE fix in Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed) terminated requests and headers, and instead reject them as a bad request. We fix this by adding the missing and required CR, per HTTP specification. This fixes the following exception in PKIConsole:
    java.io.IOException: 400
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)
Signed-off-by: Alexander Scheel ascheel@redhat.com by csutherl
🛠️ Simplified ACME LDAP database parameters The LDAPDatabase parameters have been simplified:
    - basedn -> baseDN
    - internaldb.ldapconn.host,port,secureConn -> url
    - internaldb.ldapauth.authtype -> authType
    - internaldb.ldapauth.bindDN -> bindDN
    - internaldb.ldapauth.clientCertNickname -> nickname
    - password.internaldb -> bindPassword
The old basedn parameter will continue to work but it has been deprecated. The internaldb.ldapauth.bindPWPrompt is no longer used so it has been removed. by edewata
🛠️ Fixed JAVA_OPTS parsing in PKISubsystem.run() The PKISubsystem.run() parses JAVA_OPTS into a list of strings and uses it as Java arguments. In some cases the list might contain empty strings which can cause problems. The code has been modified to remove empty strings from the list. by edewata
🛠️ Support JDK8 and JDK11 RPM builds Fedora 33 is moving to Java 11 as the default JDK version: https://fedoraproject.org/wiki/Changes/Java11 This will make JDK11 the default JDK in this release of Fedora. We need to support a generic JAVA_HOME based on OpenJDK, so move to /usr/lib/jvm/jre-openjdk as the JRE_HOME path. This is always provided, regardless of whether or not the JDK or JRE is installed. Additionally, we set the minimum Java version based on what is available on the system. Signed-off-by: Alexander Scheel ascheel@redhat.com by cipherboy
🛠️ Added runtime dependency on systemd The pki-server package has been modified to explicitly require systemd as runtime dependency since systemd is no longer part of Fedora container image: https://docs.fedoraproject.org/en-US/minimization/ by edewata
🛠️ Added default ACME metadata.conf The ACMEEngine and pki-server acme-metadata commands have been modified to use the shared metadata.conf by default. by edewata
🛠️ Fixed pki-server acme-metadata/database/issuer-mod commands The pki-server acme-metadata/database/issuer-mod commands have been modified to use PKIServer.store_properties() instead of pki.util.store_properties() to ensure the file permission is set correctly. by edewata
🛠️ Fix build with CMake out-of-source build change Fedora 33 has introduced the following change proposal: https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds This makes CMake do out-of-source builds by default. However, Fedora has opted to use the %{_vpath_builddir} macro as the location of the default build directory, instead of the more standard (in the CMake community) build/ directory. %{_vpath_builddir} expands to %{_target_platform}, giving a per-architecture build directory. Replace build/ references with %{_vpath_builddir} in the RPM spec. In the future, we could move %{__make} to %cmake_build instead. Signed-off-by: Alexander Scheel ascheel@redhat.com by cipherboy
🛠️ Refactored ACMEEngine.loadEngineConfig() The ACMEEngine.loadEngineConfig() has been converted into initMonitors(). by edewata
🛠️ Refactored ACMEEngine.loadSchedulerConfig() The ACMEEngine.loadSchedulerConfig() has been merged into initScheduler(). by edewata
🛠️ Refactored ACMEEngine.loadIssuerConfig() The ACMEEngine.loadIssuerConfig() has been merged into initIssuer(). by edewata
🛠️ Refactored ACMEEngine.loadValidatorsConfig() The ACMEEngine.loadValidatorsConfig() has been merged into initValidators(). by edewata
🛠️ Refactored ACMEEngine.loadDatabaseConfig() The ACMEEngine.loadDatabaseConfig() has been merged into initDatabase(). by edewata
🛠️ Refactored ACMEEngine.loadMetadata() The ACMEEngine.loadMetadata() has been renamed to initMetadata(). by edewata


CONTRIBUTORS

Last week there were 4 contributors.
👤 SilleBille
👤 cipherboy
👤 csutherl
👤 edewata


STARGAZERS

Last week there were no stargazers.


RELEASES

Last week there were no releases.


That's all for last week, please 👀 Watch and Star the repository SilleBille/pki to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆
