
[4.6] Backport 7151 #1159

Closed
wants to merge 2 commits into from
Closed

Conversation

flo-renaud
Contributor

@flo-renaud flo-renaud commented Oct 17, 2017

ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stops tracking
all the certs, reconfigures the helpers, and starts tracking the certs so that
the config is up-to-date.

The issue is that the criteria are using the keyword 'ca' instead of
'ca-name', and this leads to the upgrade believing that the config needs to be
updated in all cases.

https://pagure.io/freeipa/issue/7151

If the LDAP or HTTP server certs are not issued by the IPA CA, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.

https://pagure.io/freeipa/issue/7151
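The following is an added illustration, not code from this pull request or from FreeIPA: a simplified model of the decision the description outlines. The upgrade builds the list of tracking requests it expects, looks each one up by criteria, and treats any miss as "reconfigure everything". The model shows why keying the CA by `ca` instead of `ca-name` makes every lookup miss, and, for the second commit, skips certs not issued by the IPA CA when building the expected list. The attribute names `cert-nickname` and `cert-database`, the CA name `IPA`, the NSS database paths and the cert inventory are all constructed for the example; only `ca-name` comes from the page.

```python
# Added example (not FreeIPA's code): model of the certmonger tracking check
# described in the PR. Request records are plain dicts constructed here.
# Attribute names other than 'ca-name' are assumptions for this model.

IPA_CA_NAME = "IPA"  # assumed certmonger CA helper name for the IPA CA

# Constructed sample of requests certmonger already tracks on a correctly
# configured server. Paths are placeholders, not FreeIPA's real locations.
TRACKED_REQUESTS = [
    {"cert-nickname": "ipaCert", "cert-database": "/placeholder/ra-nssdb",
     "ca-name": IPA_CA_NAME},
    {"cert-nickname": "Server-Cert", "cert-database": "/placeholder/http-nssdb",
     "ca-name": IPA_CA_NAME},
]

# Constructed cert inventory: RA agent cert and HTTP cert issued by the IPA CA,
# LDAP cert issued by an external CA (and therefore not tracked).
CERTS = [
    {"nickname": "ipaCert", "db": "/placeholder/ra-nssdb", "issued_by_ipa": True},
    {"nickname": "Server-Cert", "db": "/placeholder/http-nssdb", "issued_by_ipa": True},
    {"nickname": "Server-Cert", "db": "/placeholder/ldap-nssdb", "issued_by_ipa": False},
]


def find_request(requests, criteria):
    """Return the first request whose attributes match every key in criteria,
    or None. A criteria key that no request carries can never match, which is
    exactly what happens with the misspelt 'ca' keyword."""
    for req in requests:
        if all(req.get(key) == value for key, value in criteria.items()):
            return req
    return None


def expected_tracking(certs, ipa_ca_name=IPA_CA_NAME):
    """Build the criteria the upgrade expects to find. Certs not issued by the
    IPA CA are not tracked by certmonger, so they are left out of the list."""
    return [
        {"cert-nickname": c["nickname"], "cert-database": c["db"],
         "ca-name": ipa_ca_name}
        for c in certs if c["issued_by_ipa"]
    ]


def reconfiguration_needed(requests, expected):
    """True if any expected tracking request is missing; the upgrade then
    stops tracking all certs, reconfigures the helpers and re-adds tracking."""
    return any(find_request(requests, crit) is None for crit in expected)


def buggy_criteria(expected):
    """Reproduce the defect: key the CA by 'ca' instead of 'ca-name'."""
    return [
        {**{k: v for k, v in crit.items() if k != "ca-name"}, "ca": crit["ca-name"]}
        for crit in expected
    ]


if __name__ == "__main__":
    expected = expected_tracking(CERTS)
    print("expected requests:", len(expected))
    print("fixed criteria  -> reconfigure:",
          reconfiguration_needed(TRACKED_REQUESTS, expected))
    print("buggy criteria  -> reconfigure:",
          reconfiguration_needed(TRACKED_REQUESTS, buggy_criteria(expected)))
```

With the corrected keyword both expected requests are found and the upgrade leaves the configuration alone; with `ca` every lookup misses, so the upgrade tears down and recreates tracking on every run, which is the behaviour the first commit fixes.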
@stlaz stlaz changed the title Backport 7151 [4.6] Backport 7151 Oct 17, 2017
@stlaz
Contributor

stlaz commented Oct 17, 2017

ACK based on a previous ACK.

@stlaz stlaz added the ack Pull Request approved, can be merged label Oct 17, 2017
@flo-renaud
Contributor Author

ipa-4-6:

  • b70e1f5 ipa-server-upgrade: fix the logic for tracking certs
  • ef6aa67 ipa-server-upgrade: do not add untracked certs to the request list

@flo-renaud flo-renaud added the pushed Pull Request has already been pushed label Oct 17, 2017
@flo-renaud flo-renaud closed this Oct 17, 2017
@flo-renaud flo-renaud deleted the backport-7151 branch October 18, 2017 10:38