Commit Graph

19 Commits

Author SHA1 Message Date
Martin Babinsky
3d2feac0e4 Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-20 08:27:35 +00:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
a63df8f309 Fix CA certificate renewal syslog alert
https://fedorahosted.org/freeipa/ticket/4820

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 17:48:26 +00:00
Jan Cholasta
1f6fff2b5a Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.

https://fedorahosted.org/freeipa/ticket/4784

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:16:49 +01:00
Jan Cholasta
423c3e8f34 Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
Reset profile name after requesting the CA cert from Dogtag to prevent the
automatic renewal request from being restarted in subsequent calls.

https://fedorahosted.org/freeipa/ticket/4765

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:06:47 +01:00
Jan Cholasta
52b141ca6a Fix wrong expiration date on renewed IPA CA certificates
The expiration date was always set to the expiration date of the original
certificate.

https://fedorahosted.org/freeipa/ticket/4717

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-19 14:25:26 +00:00
Jan Cholasta
2cf0f0a658 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
Jan Cholasta
35947c6e10 Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.

https://fedorahosted.org/freeipa/ticket/4628

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
a649a84a1b Handle profile changes in dogtag-ipa-ca-renew-agent
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-29 15:06:05 +01:00
Jan Cholasta
61159b7ff2 Check that renewed certificates coming from LDAP are actually renewed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519 Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031096324d Alert user when externally signed CA is about to expire.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
35857026e6 Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Jan Cholasta
cf6edf4a92 Support exporting CSRs in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:56 +01:00
Jan Cholasta
b5d082ec4d Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
a356c3806b Support storing renewed certificates to LDAP in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
bbb2af5016 Support retrieving renewed certificates from LDAP in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
bab88eb1ed Add new certmonger CA helper dogtag-ipa-ca-renew-agent.
The helper will be used to handle CA-related certificate renewal requests.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00