#7885 RFE: wrapper for Dogtag cert-fix command
Closed: fixed 4 years ago by ftweedal. Opened 4 years ago by ftweedal.

RFE: implement a wrapper for the Dogtag offline renewal tool
(https://pagure.io/dogtagpki/issue/2776) that handles IPA-specific certificates and scenarios.

In particular:

  • Identify IPA-specific certificates that need renewal
  • Run pki-server cert-fix with appropriate arguments
  • Copy IPA-related renewed certificates to correct locations (files, NSSDBs, LDAP)
  • Become the renewal master if "shared" certificates were renewed.

ipa-4-6:

  • 0a54a4c Extract ca_renewal cert update subroutine
  • 4f42ba8 cainstance: add function to determine ca_renewal nickname
  • 01a487e constants: add ca_renewal container
  • a2f9a70 Add ipa-cert-fix tool
  • d0b9507 ipa-cert-fix: add man page
  • e313149 ipa-cert-fix: use customary exit statuses

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1690191

4 years ago

I'm looking to get the Dogtag cert-fix enhancements merged into master and the 10.6 branch, before doing the forward port of ipa-cert-fix to IPA master and ipa-4-7. (A bit hard for folks to test otherwise).

The Dogtag PR for master is here: https://github.com/dogtagpki/pki/pull/182. 10.6 branch will follow merge to master.

10.6 PR here: https://github.com/dogtagpki/pki/pull/181. The forward-port is still blocked on an upstream Dogtag release that contains pki-server cert-fix with required features.

master:

  • a2a006c Extract ca_renewal cert update subroutine
  • c28a42e cainstance: add function to determine ca_renewal nickname
  • a3becc7 constants: add ca_renewal container
  • 09aa3d1 Add ipa-cert-fix tool
  • a9f09fe ipa-cert-fix: add man page
  • e41b745 ipa-cert-fix: use customary exit statuses
  • 7202722 require Dogtag 10.7.0-1
  • 582cc7d ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 162dce1 ipa-cert-fix: fix spurious renewal master change
  • f30f040 (HEAD) avoid realm_to_serverid deprecation warning

ipa-4-6:

  • 1ee6bb2 ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 4c25a83 (HEAD) ipa-cert-fix: fix spurious renewal master change

ipa-4-7:

  • 74677ec Extract ca_renewal cert update subroutine
  • 9e514b5 cainstance: add function to determine ca_renewal nickname
  • 2affa46 constants: add ca_renewal container
  • 016e668 Add ipa-cert-fix tool
  • 71de231 ipa-cert-fix: add man page
  • 9b9d0c4 ipa-cert-fix: use customary exit statuses
  • 4683c6b require Dogtag 10.7.0-1
  • 392c99e ipa-cert-fix: handle 'pki-server cert-fix' failure
  • 266746f (HEAD) ipa-cert-fix: fix spurious renewal master change

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

master:

  • f49c7da ipatests: Test if ipa-cert-fix renews expired certs
  • f7ef6d5 Move fixture outside the class and add setup_kra capability
  • 0904bb2 ipatests: Test if ipa-cert-fix renews expired certs with kra installed
  • 1197e2e ipatests: update nightly definition for ipa_cert_fix suite

ipa-4-9:

  • 7f30ddb ipatests: Test if ipa-cert-fix renews expired certs
  • 36a60db Move fixture outside the class and add setup_kra capability
  • c84e054 ipatests: Test if ipa-cert-fix renews expired certs with kra installed
  • 260fbcb ipatests: update nightly definition for ipa_cert_fix suite

master:

  • 99e7ad0 ipatests: test to renew certs on replica using ipa-cert-fix

ipa-4-9:

  • e0aef52 ipatests: test to renew certs on replica using ipa-cert-fix
  • a620e5e ipatests: wait while http/ldap/pkinit cert get renew on replica
  • 1b38afc ipatests: update the timemout for test_ipa_cert_fix.py in nightlies
  • 4a3a15f ipatests: refactor test_ipa_cert_fix with tasks

master:

  • 50c6359 ipatests: wait while http/ldap/pkinit certs get renewed on replica
  • c963adc ipatests: update the timeout for test_ipa_cert_fix.py in nightlies
