#7885 RFE: wrapper for Dogtag cert-fix command
Closed: fixed 2 months ago by ftweedal. Opened 4 months ago by ftweedal.

RFE: implement a wrapper for the Dogtag offline renewal tool
(https://pagure.io/dogtagpki/issue/2776) that handles IPA-specific certificates and scenarios.

In particular:

  • Identify IPA-specific certificates that need renewal
  • Run pki-server cert-fix with appropriate arguments
  • Copy IPA-related renewed certificates to correct locations (files, NSSDBs, LDAP)
  • Become the renewal master if "shared" certificates were renewed.

ipa-4-6:

  • 0a54a4c Extract ca_renewal cert update subroutine
  • 4f42ba8 cainstance: add function to determine ca_renewal nickname
  • 01a487e constants: add ca_renewal container
  • a2f9a70 Add ipa-cert-fix tool
  • d0b9507 ipa-cert-fix: add man page
  • e313149 ipa-cert-fix: use customary exit statuses

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1690191

4 months ago

I'm looking to get the Dogtag cert-fix enhancements merged into master and the 10.6 branch, before doing the forward port of ipa-cert-fix to IPA master and ipa-4-7. (A bit hard for folks to test otherwise).

The Dogtag PR for master is here: https://github.com/dogtagpki/pki/pull/182. 10.6 branch will follow merge to master.

10.6 PR here: https://github.com/dogtagpki/pki/pull/181. The forward-port is still blocked on an upstream Dogtag release that contains pki-server cert-fix with required features.

master:

  • a2a006c Extract ca_renewal cert update subroutine
  • c28a42e cainstance: add function to determine ca_renewal nickname
  • a3becc7 constants: add ca_renewal container
  • 09aa3d1 Add ipa-cert-fix tool
  • a9f09fe ipa-cert-fix: add man page
  • e41b745 ipa-cert-fix: use customary exit statuses
  • 7202722 require Dogtag 10.7.0-1
  • 582cc7d ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 162dce1 ipa-cert-fix: fix spurious renewal master change
  • f30f040 (HEAD) avoid realm_to_serverid deprecation warning

ipa-4-6:

  • 1ee6bb2 ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 4c25a83 (HEAD) ipa-cert-fix: fix spurious renewal master change

ipa-4-7:

  • 74677ec Extract ca_renewal cert update subroutine
  • 9e514b5 cainstance: add function to determine ca_renewal nickname
  • 2affa46 constants: add ca_renewal container
  • 016e668 Add ipa-cert-fix tool
  • 71de231 ipa-cert-fix: add man page
  • 9b9d0c4 ipa-cert-fix: use customary exit statuses
  • 4683c6b require Dogtag 10.7.0-1
  • 392c99e ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 266746f (HEAD) ipa-cert-fix: fix spurious renewal master change

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago
