pkispawn from master branch creates orphan key in /etc/pki/pki-tomcat/alias #4103
edewata added a commit to edewata/pki that referenced this issue (Nov 22, 2022):
In the past pkispawn used the same nickname for the temporary and the permanent SSL server certs. Initially it would create the temporary cert and the key, then it would create the permanent cert with the same key, then drop the temporary cert while keeping the key. Recently the code was changed to use separate nicknames to simplify installation which would generate separate keys too. It removed the temporary cert, but not the temporary key. Now the code has been updated to remove the temporary key as well. Some tests have been modified to check for orphaned keys after installation. Resolves: dogtagpki#4103
edewata added a commit that referenced this issue (Nov 22, 2022):
In the past pkispawn used the same nickname for the temporary and the permanent SSL server certs. Initially it would create the temporary cert and the key, then it would create the permanent cert with the same key, then drop the temporary cert while keeping the key. Recently the code was changed to use separate nicknames to simplify installation which would generate separate keys too. It removed the temporary cert, but not the temporary key. Now the code has been updated to remove the temporary key as well. Some tests have been modified to check for orphaned keys after installation. Resolves: #4103
@flo-renaud It should be fixed now. Could you give it a try? Thanks.
@edewata I manually tried with 11.3.0-0.1.alpha1.20221122191406UTC.6abe6d11 and it looks good
@flo-renaud Thanks!
During IPA server installation, the pkispawn command creates an orphan key in /etc/pki/pki-tomcat/alias.
This happens with pki packages installed from the copr repo @pki/master (for instance dogtag-pki-base-11.3.0-0.1.alpha1.20220816002107UTC.52585e78.fc36.noarch).
In order to reproduce:
# ipa-server-install --domain testrelm.test --realm TESTRELM.TEST -a Secret123 -p Secret123 -U
pkispawn is called with the following configuration file:
and with the following options:
args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmparm8sd8v', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20220816144351.log']
Companion issue on IPA side: https://pagure.io/freeipa/issue/9223
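
The commit message above mentions checking for orphaned keys after installation. One way to do that check is sketched below as an added example; it is not code from the issue or from the project's tests. It assumes `certutil -K` lists each key as `< N> type keyid nickname` and labels a key with no matching certificate `(orphan)`; the sample listing, key IDs, nicknames and the password-file argument are constructed.

```shell
#!/bin/sh
# Added example: report orphan private keys in an NSS database listing.
# Assumption: `certutil -K` prints one line per key, "< N> type keyid nickname",
# and uses the nickname "(orphan)" for a key that has no certificate.

# Read `certutil -K` output on stdin; print "type keyid" for each orphan key.
orphan_keys() {
    awk '/^<[ 0-9]+>/ && $NF == "(orphan)" { print $(NF-2), $(NF-1) }'
}

# Read `certutil -K` output on stdin; print the number of orphan keys.
count_orphans() {
    orphan_keys | wc -l | tr -d ' '
}

# Check a live database, e.g. check_nssdb /etc/pki/pki-tomcat/alias pwfile
# (pwfile is a hypothetical file holding the NSS database password).
# Returns 0 when no orphan key is present, 1 otherwise.
check_nssdb() {
    found=$(certutil -K -d "$1" -f "$2" | orphan_keys)
    [ -z "$found" ] && return 0
    printf 'orphan keys in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample listing: two keys with certificates, one orphan.
SAMPLE='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      aa00000000000000000000000000000000000001   ca_signing
< 1> rsa      bb00000000000000000000000000000000000002   NSS Certificate DB:sslserver
< 2> rsa      00112233445566778899aabbccddeeff00112233   (orphan)'

# Demo on the constructed sample (runs offline, no certutil needed).
printf '%s\n' "$SAMPLE" | orphan_keys
```
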