[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Rob Crittenden rcritten at redhat.com
Mon Jun 30 17:36:23 UTC 2014


Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 26.6.2014 20:05, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 16.6.2014 15:35, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patches implement
>>>>> <https://fedorahosted.org/freeipa/ticket/3737>.
>>>>>
>>>>> My patches 241-253 and 262-294 are required for this
>>>>> (<http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html>,
>>>>> <http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html>).
>>>>>
>>>>> The installation/testing guidelines from
>>>>> <http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html>
>>>>> apply here as well.
>>>>>
>>>>> Honza
>>>>
>>>> Rebased on top of current master.
>>>
>>> 295 ACK
>>>
>>> 296, 297 & 299
>>>
>>> TBD, need to test but no problems seen so far.
>>>
>>> 298
>>>
>>> The man page, if not usage, should include what the valid trust flags
>>> are or point to NSS documentation.
>>
>> OK.
>>
>>>
>>> rob
>>>
>>
>> Updated rebased patches attached. Also attaching all the required patches.
>>

A few more things after more testing.

If one renews an externally-issued CA then you can end up with multiple
certs for the IPA CA in /etc/pki/nssdb (for each issued cert). These do
not seem to be cleaned up on uninstall.

On upgrade from 3.3.5 seeing:
Unexpected error - see /var/log/ipaupgrade.log for details:
InvalidSyntax: object class ipaCertificate: Unknown required attribute type "ipaPublicKey": Invalid syntax.

/var/log/ipaupgrade ends with:

2014-06-30T15:03:11Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2014-06-30T15:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1171, in main
    ds.start(ds_serverid)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 297, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 262, in start
    self.wait_for_open_ports(self.service_instance(instance_name))

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 228, in wait_for_open_ports
    self.api.env.startup_timeout)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1153, in wait_for_open_ports
    raise socket.timeout()

2014-06-30T15:08:12Z DEBUG The ipa-upgradeconfig command failed, exception: timeout:

Turns out it blew up so badly that it didn't restore dse.ldif when the
upgrade finished, something I thought was impossible. This is a pretty
serious problem in itself (and likely unrelated to these patches).

rob
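A small check for the leftover-certificate problem described above (duplicate "IPA CA" entries in /etc/pki/nssdb after renewing an externally-issued CA). This is an added example, not code from the thread or from FreeIPA; it assumes the standard `certutil -L` listing layout, where each row ends in a trust-flag triple such as "CT,C,C", and the sample listing below is constructed.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): report nicknames that occur more
# than once in a `certutil -L -d <dir>` listing, so leftover IPA CA entries in
# /etc/pki/nssdb can be spotted before or after an uninstall.
# Assumption: standard certutil layout, nickname followed by a trust-flag
# triple (characters p, P, c, C, T, u, w) as the last whitespace-separated field.

# Reads a certutil -L listing on stdin; prints "count<TAB>nickname" for every
# nickname that appears more than once.
duplicate_nicknames() {
    awk '
        # Keep only rows whose last field looks like a trust-flag triple;
        # this skips the two header lines and blank lines.
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            $NF = ""                   # drop the trust column
            sub(/[ \t]+$/, "")         # trim trailing whitespace from the nickname
            seen[$0]++
        }
        END {
            for (n in seen)
                if (seen[n] > 1)
                    printf "%d\t%s\n", seen[n], n
        }'
}

# Constructed sample resembling `certutil -L -d /etc/pki/nssdb` on a host where
# the IPA CA certificate was imported twice by successive renewals.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
IPA CA                                                       CT,C,C
External Root CA                                             C,,
Server-Cert                                                  u,u,u'

# Runs the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | duplicate_nicknames
}

# Against a real database: certutil -L -d sql:/etc/pki/nssdb | duplicate_nicknames
check_sample
```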
