Discussion:
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
HonzaCholasta
2017-05-18 05:56:33 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
HonzaCholasta
2017-05-18 06:00:16 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
Fixed kdc.conf upgrade.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-302308896
HonzaCholasta
2017-05-18 07:06:43 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
HonzaCholasta
2017-05-18 08:22:06 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
stlaz
2017-05-19 07:16:57 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
Upgrade from 4.4 to 4.5 during external-CA installation prints error messages, related log:
```
2017-05-19T07:08:04Z INFO [Setup PKINIT]
2017-05-19T07:08:04Z DEBUG raw: ca_is_enabled(version=u'2.225')
2017-05-19T07:08:04Z DEBUG ca_is_enabled(version=u'2.225')
2017-05-19T07:08:04Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2017-05-19T07:08:09Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-05-19T07:08:09Z ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
2017-05-19T07:08:09Z ERROR Failed to configure PKINIT
2017-05-19T07:08:09Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2017-05-19T07:08:14Z DEBUG certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
2017-05-19T07:08:14Z DEBUG Starting external process
```
but as you can see, CA is enabled and running.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-302628299
stlaz
2017-05-19 07:22:42 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
Did not realize this was unrelated to your patches. Please rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-302629319
HonzaCholasta
2017-05-19 07:39:09 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
stlaz
2017-05-19 08:09:37 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

Label: +ack
MartinBasti
2017-05-19 10:33:07 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

Label: +pushed
MartinBasti
2017-05-19 10:33:09 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

MartinBasti commented:
"""
master:

* 235265a5f5436148dd8d7e63b7e3928689796560 certdb: add named trust flag constants
* f0442a2d0ed54abe6567fce6d99fd31f7c6c7883 certdb, certs: make trust flags argument mandatory
* 52730c786f6bb11aa7992b11fa0f5c94c90f9eb8 certdb: use custom object for trust flags
* 01a7416d305ddb11d5b83c99afbacf8ba854c148 install: trust IPA CA for PKINIT
* 11b8a3434655932fa73f05d4bd864bed0194035c client install: fix client PKINIT configuration
* 4d36cbf6ad412822b8fb029f517f9228e2c8d4ee install: introduce generic Kerberos Augeas lens
* f769045f0ae9c5fdc651e03c0c96af9cdec8f298 server install: fix KDC PKINIT configuration
* b9fd123d61fa7adda090c05216906ba0cf4779a9 ipapython.ipautil.run: Add option to set umask before executing command
* 0c5b2c42bf52dc75ecf9d95036ca8517670877d6 certs: do not export keys world-readable in install_key_from_p12
* cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f certs: do not export CA certs in install_pem_from_p12
* 3b5dbf7cdb4c03260057c8f7a2abd5c5712eca41 server install: fix KDC certificate validation in CA-less
* b3855704f479eaf122139189b762b943b2dcc0fc replica install: respect --pkinit-cert-file
* 9ea764ecf5c3118df0917d94c4940b4ee38b3a31 cacert manage: support PKINIT
* 96ca62f81d3505b050eb9b9d71d4fc4c18e1535e server certinstall: support PKINIT


"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-302669009
MartinBasti
2017-05-19 10:33:10 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758

Loading...