[Backport][ipa-4-6] Making ipa-ca-install more resilient #1382

Closed
wants to merge 4 commits into from

@tiran tiran commented Dec 11, 2017

This PR was opened automatically because PR #1232 was pushed to master and backport to ipa-4-6 is required.

The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577

After installing a CA in a CA-less installation (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230

Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

tiran commented Dec 11, 2017

PR was ACKed automatically because this is a backport of PR #1232. Wait for CI to finish before pushing. In case of questions or problems, contact @frasertweedale, who is the author of the original PR.

@tiran tiran added the ack Pull Request approved, can be merged label Dec 11, 2017

tiran commented Dec 11, 2017

ipa-4-6:

  • 75e4cf1 CertUpdate: make it easy to invoke from other programs
  • 75a3ede ipa-ca-install: run certupdate as initial step
  • cd4d9cc Run certupdate after promoting to CA-ful deployment
  • 5eab20e ipa_certupdate: avoid classmethod and staticmethod

@tiran tiran added the pushed Pull Request has already been pushed label Dec 11, 2017
@tiran tiran closed this Dec 11, 2017
@tiran tiran deleted the backport_pr1232_ipa-4-6 branch March 29, 2019 09:08