forked from freeipa/freeipa
Run tests against task 376285 #77
Open: stanislavlevin wants to merge 9 commits into sisyphus-ci from task_376285
https://git.altlinux.org/tasks/376285:
- removed: tomcatjss
- added: resteasy 3.0.26-alt2_17jpp11
- added: jss 5.6.0-alt1
- added: ldapjdk 5.6.0-alt1
- added: dogtag-pki 11.6.0-alt1
There has always been a pki-server command acme-remove. We were not aware that it should be called prior to removing a CA. In 11.5.0 this is strongly encouraged by the PKI team. In 11.6.0 ACME is treated as a full subsystem so will be removed in the future using pkidestroy -s ACME The new class acmeinstance.ACMEInstance is introduced so its uninstallation can be handled in a similar way as the other PKI services via DogtagInstance. It is, right now, a pretty thin wrapper. We can discuss moving the ACME installation routines here at some point. It would be ok as long as we don't have to introduce another PKI restart as part of it. In PKI 11.6.0 pkidestroy has new options to ensure a clean uninstall: --remove-conf --remove-logs. Pass those options into pkidestroy calls for 11.6.0+. Clean up an additional IPA-generated file that needs to be cleaned up during uninstall: /root/kracert.p12. 11.6.0 is more sensitive to leftover files than previous versions.
Fixes: https://pagure.io/freeipa/issue/9673
Fixes: https://pagure.io/freeipa/issue/9674
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The conditional was <= 11.5.0 which it should have been < 11.6.0 to allow for small updates to the 11.5.0 branch.
Fixes: https://pagure.io/freeipa/issue/9673
Fixes: https://pagure.io/freeipa/issue/9674
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
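The version gate from the two commit messages above, as an added example that is not FreeIPA's own code: it shows why `<= 11.5.0` sends an 11.5.1 update down the 11.6.0+ path while `< 11.6.0` does not. The helper names, the sample version strings and the `pki-tomcat` instance default are assumptions; versions are compared as integer tuples so that 11.10.0 sorts after 11.6.0.

```python
import re

# Hypothetical helper names; only the pkidestroy options --remove-conf and
# --remove-logs and the 11.5.0 / 11.6.0 boundaries come from the commit messages.
NEW_CLEANUP_OPTS = ["--remove-conf", "--remove-logs"]


def parse_version(text):
    """Turn '11.5.1' or '11.6.0-alt1' into a tuple of ints for comparison."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def pkidestroy_args(version, subsystem, gate, instance="pki-tomcat"):
    """Build a pkidestroy command line; `gate` says if `version` is pre-11.6.0."""
    args = ["pkidestroy", "-i", instance, "-s", subsystem]
    if not gate(parse_version(version)):
        args += NEW_CLEANUP_OPTS
    return args


def gate_before_fix(v):
    # "<= 11.5.0": an 11.5.1 update is not matched and is treated as 11.6.0+.
    return v <= (11, 5, 0)


def gate_after_fix(v):
    # "< 11.6.0": every release on the 11.5 branch stays on the old path.
    return v < (11, 6, 0)


def compare_gates(versions, subsystem="CA"):
    """Return {version: (old_gate_adds_opts, new_gate_adds_opts)}."""
    out = {}
    for ver in versions:
        before = pkidestroy_args(ver, subsystem, gate_before_fix)
        after = pkidestroy_args(ver, subsystem, gate_after_fix)
        out[ver] = ("--remove-conf" in before, "--remove-conf" in after)
    return out


if __name__ == "__main__":
    # Constructed version strings, including one with a packaging suffix.
    for ver, result in compare_gates(
            ["11.4.3", "11.5.0", "11.5.1", "11.6.0-alt1", "11.10.0"]).items():
        print(ver, result)
```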
We fork out to pki-server to uninstall the ACME service and the results are very coarse, currently just a pass/fail. This can lead to displaying very long tracebacks as an error message. So check for the existence of the acme path and only invoke the uninstaller if it exists.
Fixes: https://pagure.io/freeipa/issue/9740
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
After the KRA transport cert has been renewed, the value of ca.connector.KRA.transportCert must also be updated in /etc/pki/pki-tomcat/ca/CS.cfg. Otherwise replica installation with KRA fails.
Fixes: https://pagure.io/freeipa/issue/9692
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It was being written out in base-64 only. The PKI team gave us a heads-up that that may not always be supported. So use a standard PEM file instead.
Fixes: https://pagure.io/freeipa/issue/9735
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
IPA defines a startup timeout that is primarily used during installation to extend service start-up timeouts on slower systems. This tends to work ok when running pki-spawn but can fail when systemd is starting the tomcat service. Use the value of startup_timeout to set TimeoutStartSec in the pki-tomcat systemd override file ipa.conf. This will preserve the necessary startup_timeout for all future restarts. This was seen with a very slow HSM where installation was successful (pki-spawn) but pki-tomcatd startup timed out at the end of the installation. To increase the value in installation one needs to create the file /etc/ipa/installer.conf with contents:
    [global]
    startup_timeout = 300 (or whatever)
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We had it set to 120 seconds while the systemd default is 90. They should be the same because the first one that times out "wins". Move where during the installation we create the systemd override file so that the timeout will be applied across all subsequent server starts during and post installation.
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since PKI v10.8.0 the PKIConnection object can no longer be created for a specific subsystem. The client that consumes the connection specifies the subsystem instead. Use this new API unconditionally as we require PKI >= 10.10.0 and what is available in supported repos is generally 11.5.0+. See https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes
Fixes: https://pagure.io/freeipa/issue/9691
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>