URL: https://github.com/freeipa/freeipa/pull/1359
Author: frasertweedale
Title: #1359: install: report CA Subject DN and subject base to be used
Action: opened
PR body:
"""
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1359/head:pr1359
git checkout pr1359
URL: https://github.com/freeipa/freeipa/pull/1358
Author: Rezney
Title: #1358: test_x509: test very long OID
Action: opened
PR body:
"""
Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.
https://pagure.io/freeipa/issue/7300
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1358/head:pr1358
git checkout pr1358
URL: https://github.com/freeipa/freeipa/pull/1382
Author: tiran
Title: #1382: [Backport][ipa-4-6] Making ipa-ca-install more resilient
Action: opened
PR body:
"""
This PR was opened automatically because PR #1232 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1382/head:pr1382
git checkout pr1382
URL: https://github.com/freeipa/freeipa/pull/1381
Author: tiran
Title: #1381: [Backport][ipa-4-6] ipatest: replica install with existing entry on master
Action: opened
PR body:
"""
This PR was opened automatically because PR #1320 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1381/head:pr1381
git checkout pr1381
URL: https://github.com/freeipa/freeipa/pull/1232
Author: frasertweedale
Title: #1232: Making ipa-ca-install more resilient
Action: opened
PR body:
"""
, or: *Proactively run ipa-certupdate for great good!*
These commits fix a couple of issues that can occur after a deployment has been
promoted from CA-less to CA-ful, and the admin does not follow up with
`ipa-certupdate`. (And why should they have to?)
```
a9ad3b5ab (Fraser Tweedale, 6 days ago)
Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installation (using ipa-ca-install),
the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA framework
and Dogtag (it cannot verify the Dogtag server certificate).
Perform a CertUpdate as the final step when promoting a CA-less deployment
to CA-ful.
Fixes: https://pagure.io/freeipa/issue/7230
21fbf7088 (Fraser Tweedale, 7 days ago)
ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that the
relevant CA cert is present. This is necessary if the admin has just
promoted the topology from CA-less to CA-ful but didn't manually run
ipa-certupdate afterwards.
Fixes: https://pagure.io/freeipa/issue/6577
9520781fb (Fraser Tweedale, 7 days ago)
CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other programs
(e.g. as a first step of ipa-ca-install). Refactor
ipa_certupdate.CertUpdate to make it easy to do that. In particular, make
it possible to use an already-initialised API object.
Part of: https://pagure.io/freeipa/issue/6577
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1232/head:pr1232
git checkout pr1232
URL: https://github.com/freeipa/freeipa/pull/1347
Author: frasertweedale
Title: #1347: Prevent set_directive from clobbering other keys
Action: opened
PR body:
"""
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is a prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
-----
Cause: corner case.
How to test:
1. ensure `ca.sslserver.certreq=<base64 CSR>` exists in `ca/CS.cfg`.
2. resubmit Certmonger tracking request for `Server-Cert cert-pki-ca` Dogtag system cert.
3. verify that `ca.sslserver.certreq=<base64 CSR>` still exists in `ca/CS.cfg`.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1347/head:pr1347
git checkout pr1347
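The prefix-match problem described in PR #1347 above, as an added Python illustration; this is a simplified model, not FreeIPA's `set_directive`. The function names, the `=` separator and the sample `CS.cfg`-style lines are constructed assumptions, and `lost_keys` mirrors the "How to test" steps as a before/after check.

```python
# Simplified model of a key=value config updater (NOT FreeIPA's code).
# SAMPLE is constructed; the values are placeholders, not real data.
SAMPLE = [
    "ca.sslserver.certreq=<base64 CSR>",
    "ca.sslserver.cert=<old base64 cert>",
    "ca.sslserver.nickname=Server-Cert cert-pki-ca",
]


def set_directive_prefix(lines, key, value, sep="="):
    """Flawed: any line that merely starts with `key` counts as a match."""
    out, written = [], False
    for line in lines:
        if line.lstrip().startswith(key):
            # 'ca.sslserver.certreq' starts with 'ca.sslserver.cert',
            # so that line is overwritten as well.
            out.append(f"{key}{sep}{value}")
            written = True
        else:
            out.append(line)
    if not written:
        out.append(f"{key}{sep}{value}")
    return out


def set_directive_exact(lines, key, value, sep="="):
    """Hardened: compare the whole directive name left of the separator."""
    out, written = [], False
    for line in lines:
        name, found, _ = line.partition(sep)
        if found and name.strip() == key:
            out.append(f"{key}{sep}{value}")
            written = True
        else:
            out.append(line)
    if not written:
        out.append(f"{key}{sep}{value}")
    return out


def lost_keys(before, after, sep="="):
    """Directive names present before the update but missing afterwards."""
    def names(lines):
        return {l.partition(sep)[0].strip() for l in lines if sep in l}
    return sorted(names(before) - names(after))


if __name__ == "__main__":
    for fn in (set_directive_prefix, set_directive_exact):
        after = fn(SAMPLE, "ca.sslserver.cert", "<new base64 cert>")
        print(fn.__name__, "lost:", lost_keys(SAMPLE, after))
```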
URL: https://github.com/freeipa/freeipa/pull/1376
Author: abbra
Title: #1376: [Backport][ipa-4-6] Trust avoid mitkrb trust
Action: opened
PR body:
"""
This PR was opened automatically because PR #1294 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1376/head:pr1376
git checkout pr1376
URL: https://github.com/freeipa/freeipa/pull/1355
Author: rcritten
Title: #1355: [Backport][ipa-4-6] Use the user-provided CA chain file in connections & check for file existence
Action: opened
PR body:
"""
This PR was opened automatically because PR #1047 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1355/head:pr1355
git checkout pr1355