URL: https://github.com/freeipa/freeipa/pull/4172
Author: frasertweedale
Title: #4172: [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed
Action: opened
PR body:
"""
(manual backport of https://github.com/freeipa/freeipa/pull/4148)
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4172/head:pr4172
git checkout pr4172
URL: https://github.com/freeipa/freeipa/pull/4171
Author: frasertweedale
Title: #4171: [Backport][ipa-4-7] Do not renew externally-signed CA as self-signed
Action: opened
PR body:
"""
(manual backport of https://github.com/freeipa/freeipa/pull/4148)
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4171/head:pr4171
git checkout pr4171
URL: https://github.com/freeipa/freeipa/pull/4170
Author: frasertweedale
Title: #4170: [Backport][ipa-4-8] Do not renew externally-signed CA as self-signed
Action: opened
PR body:
"""
This PR was opened automatically because PR #4148 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4170/head:pr4170
git checkout pr4170
URL: https://github.com/freeipa/freeipa/pull/4173
Author: wladich
Title: #4173: [Backport][ipa-4-6] ipatests: fix collection of tests from test_trust suite
Action: opened
PR body:
"""
This is a manual backport of #4154
Commit 969b4c87 which added test_extdom_plugin case also mistakenly
renamed class from TestTrust to BaseTestTrust. As pytest collects tests
only from classes starting with "Test", no tests are now executed in
test_trust module.
Fixing by partially reverting said commit
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4173/head:pr4173
git checkout pr4173
URL: https://github.com/freeipa/freeipa/pull/4148
Author: frasertweedale
Title: #4148: Do not renew externally-signed CA as self-signed
Action: opened
PR body:
"""
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4148/head:pr4148
git checkout pr4148
URL: https://github.com/freeipa/freeipa/pull/4145
Author: wladich
Title: #4145: ipatests: fix collection of tests from test_trust suite
Action: opened
PR body:
"""
Commit 969b4c87 which added test_extdom_plugin case also mistakenly
renamed class from TestTrust to BaseTestTrust. As pytest collects tests
only from classes starting with "Test", no tests are now executed in
test_trust module.
Fixing by partially reverting said commit
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4145/head:pr4145
git checkout pr4145
URL: https://github.com/freeipa/freeipa/pull/4165
Author: rcritten
Title: #4165: [Backport][ipa-4-8] Add delete option to ipa-cacert-manage to remove CA certificates
Action: opened
PR body:
"""
This PR was opened automatically because PR #4142 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4165/head:pr4165
git checkout pr4165
URL: https://github.com/freeipa/freeipa/pull/4142
Author: rcritten
Title: #4142: Add delete option to ipa-cacert-manage to remove CA certificates
Action: opened
PR body:
"""
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4142/head:pr4142
git checkout pr4142