74ebd0f Move CRL publish directory to IPA owned directory

Authored and Committed by mkosek 11 years ago
    Move CRL publish directory to IPA owned directory

    Currently, CRL files are being exported to a /var/lib/pki-ca
    sub-directory, which is then served by httpd to clients. However,
    this approach has several disadvantages:

     * We depend on pki-ca directory structure and relevant permissions.
       If pki-ca changes directory structure or permissions on upgrade,
       IPA may break. This is also a root cause of the latest error, where
       the pki-ca directory does not have X permission for others and CRL
       publishing by httpd breaks.
     * Since the directory is not static and is generated during
       ipa-server-install, RPM upgrade of IPA packages reports errors when
       defining SELinux policy for these directories.

    Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
    both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
    configuration does not report any error. The new CRL publish directory
    is used for both new IPA installs and upgrades, where contents of
    the directory (CRLs) are first migrated to the new location and then the
    actual configuration change is made.
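As an added example, not code from this commit or from FreeIPA: a small Python check for the failure mode the message describes (a parent directory without the execute bit for others, which stops httpd from reaching the CRLs), plus a copy-first helper in the migration order the message gives. The directory tree built in `demo()` is constructed under a temporary directory; the real paths are the ones named in the commit message.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def find_untraversable(path, root="/"):
    """Return the first directory, walking from `root` down to `path`, that
    lacks the 'others' execute (search) bit, or None when an unrelated user
    such as httpd can reach `path`. This is the bug the commit describes:
    one parent without o+x blocks CRL serving even if the files are readable."""
    p, r = Path(path).resolve(), Path(root).resolve()
    chain = [c for c in [p] + list(p.parents) if c == r or r in c.parents]
    for d in reversed(chain):  # root first, so the outermost blocker is reported
        mode = d.stat().st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_IXOTH:
            return str(d)
    return None


def _mkdir(path, mode):
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)  # explicit chmod so the umask cannot alter the fixture


def migrate_crls(old_dir, new_dir):
    """Copy CRL files from old_dir into a 0755 new_dir *before* the publishing
    config is switched, as the commit message orders it. Returns copied names."""
    _mkdir(new_dir, 0o755)
    copied = []
    for name in sorted(os.listdir(old_dir)):
        src = os.path.join(old_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(new_dir, name))
            copied.append(name)
    return copied


def demo():
    """Constructed tree: an old publish dir whose parent is 0700 (the pki-ca
    directory in the bug) and an IPA-owned destination whose parents are 0755."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    old = os.path.join(base, "pki-ca", "publish")
    new = os.path.join(base, "ipa", "pki-ca", "publish")
    _mkdir(old, 0o755)
    os.chmod(os.path.join(base, "pki-ca"), 0o700)  # the missing X bit for others
    _mkdir(os.path.join(base, "ipa", "pki-ca"), 0o755)
    os.chmod(os.path.join(base, "ipa"), 0o755)
    with open(os.path.join(old, "constructed.crl"), "wb") as f:
        f.write(b"constructed CRL bytes, not a real CRL")
    result = {"old_blocker": find_untraversable(old, root=base),
              "copied": migrate_crls(old, new),
              "new_blocker": find_untraversable(new, root=base)}
    shutil.rmtree(base)
    return result
```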