[Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

Rob Crittenden rcritten at redhat.com
Mon Oct 8 18:18:47 UTC 2012


Martin Kosek wrote:
> Currently, CRL files are being exported to /var/lib/pki-ca
> sub-directory, which is then served by httpd to clients. However,
> this approach has several disadvantages:
>   * We depend on pki-ca directory structure and relevant permissions.
>     If pki-ca changes directory structure or permissions on upgrade,
>     IPA may break. This is also a root cause of the latest error, where
>     the pki-ca directory does not have X permission for others and CRL
>     publishing by httpd breaks.
>   * Since the directory is not static and is generated during
>     ipa-server-install, RPM upgrade of IPA packages report errors when
>     defining SELinux policy for these directories.
>
> Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
> both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
> configuration does not report any error. The new CRL publish directory
> is used for both new IPA installs and upgrades, where the contents of
> the directory (CRLs) are first migrated to the new location and then the
> actual configuration change is made.
>
> https://fedorahosted.org/freeipa/ticket/3144
>
>
> -------
>
> We may choose to postpone this patch to later version, it is quite disruptive.
> I can produce a hotfix in that case, which would only fix the permission of the
> pki-ca directory.
>
> Martin

This looks good, just a couple of questions.

Should the old files be removed?

Should some error handling be added around the copy to ensure it is 
successful? This would blow up if the disk was full, for example.

rob
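The two review questions above (verify the copy before anything depends on it, and only then remove the old files) worked through as an added example. This is not FreeIPA's code and not from this thread: the directory paths are temporary placeholders, the file names and contents are constructed, and `migrate_crl_dir`, `demo` and `demo_failure` are hypothetical helpers written for this illustration.

```python
"""Hypothetical CRL publish-directory migration with error handling.

Example code, not FreeIPA's: migrate files from an old publish directory
to a new one, fail loudly on a copy error (e.g. full disk), never leave a
truncated CRL where a web server could serve it, and delete the old files
only after every copy has been verified.
"""
import errno
import os
import shutil
import tempfile


def migrate_crl_dir(old_dir, new_dir, remove_old=True, copy=shutil.copy2):
    """Copy every regular file in old_dir into new_dir and return their names.

    Raises OSError if any copy fails. A partial destination file is removed
    before re-raising, and old_dir is left untouched so the caller can retry.
    `copy` is injectable so the failure path can be exercised offline.
    """
    # Create the new directory with o+x so the web server can traverse it
    # (the missing X bit on the old directory was the original breakage).
    os.makedirs(new_dir, mode=0o755, exist_ok=True)

    names = sorted(n for n in os.listdir(old_dir)
                   if os.path.isfile(os.path.join(old_dir, n)))

    # Advisory pre-check: refuse to start if the target filesystem is already
    # too small. This cannot replace per-file error handling (space can vanish
    # between the check and the copy), it just gives a clearer early error.
    needed = sum(os.path.getsize(os.path.join(old_dir, n)) for n in names)
    if shutil.disk_usage(new_dir).free < needed:
        raise OSError(errno.ENOSPC, "not enough free space in %s" % new_dir)

    migrated = []
    for name in names:
        src = os.path.join(old_dir, name)
        dst = os.path.join(new_dir, name)
        try:
            copy(src, dst)
            # Guard against a short write that did not raise.
            if os.path.getsize(src) != os.path.getsize(dst):
                raise OSError(errno.EIO, "size mismatch after copying %s" % name)
        except OSError:
            if os.path.exists(dst):
                os.unlink(dst)      # do not leave a truncated CRL behind
            raise
        migrated.append(name)

    # Only now is it safe to drop the old copies (and for the caller to
    # switch the publishing configuration over to new_dir).
    if remove_old:
        for name in migrated:
            os.unlink(os.path.join(old_dir, name))
    return migrated


def demo():
    """Constructed success case: two sample files in a temporary 'old' dir."""
    root = tempfile.mkdtemp()
    old_dir = os.path.join(root, "old-publish")
    new_dir = os.path.join(root, "new-publish")
    os.makedirs(old_dir)
    for name in ("MasterCRL.bin", "MasterCRL-2.der"):   # constructed names
        with open(os.path.join(old_dir, name), "wb") as f:
            f.write(b"constructed sample CRL bytes for " + name.encode())
    migrated = migrate_crl_dir(old_dir, new_dir)
    result = (migrated, sorted(os.listdir(old_dir)), sorted(os.listdir(new_dir)))
    shutil.rmtree(root)
    return result


def demo_failure():
    """Constructed failure case: the copy dies with ENOSPC after a short write."""
    def failing_copy(src, dst):
        with open(dst, "wb") as f:
            f.write(b"partial")     # what a full disk would leave behind
        raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC), dst)

    root = tempfile.mkdtemp()
    old_dir = os.path.join(root, "old-publish")
    new_dir = os.path.join(root, "new-publish")
    os.makedirs(old_dir)
    with open(os.path.join(old_dir, "MasterCRL.bin"), "wb") as f:
        f.write(b"constructed sample CRL bytes")
    try:
        migrate_crl_dir(old_dir, new_dir, copy=failing_copy)
        outcome = "no error"
    except OSError as e:
        outcome = errno.errorcode[e.errno]
    result = (outcome, sorted(os.listdir(old_dir)), sorted(os.listdir(new_dir)))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
    print(demo_failure())
```

The ordering is the point: copy, verify, then remove the old files and flip the configuration, so that an upgrade interrupted by a full disk leaves the old directory intact and the new one free of half-written CRLs.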



