Change replica installation to allow the CS to be optionally installable.
That would require changes to the replica installation, including changes to the arguments. That would lead to new tests and changes to man pages.
This ticket is related to ticket #1031.
Open question is can you create a replica package on the replica that does not have CS.
Seems like Martin is in a good shape for Sprint 2 so Martin is a logical choice :-)
Replying to [comment:2 dpal]:
Currently, we cannot do this. There is already a ticket for that: #1267. The user would have to create a replica package on a server with CS.
Replying to [comment:4 mkosek]:
Replying to [comment:2 dpal]: Open question is can you create a replica package on the replica that does not have CS. Currently, we cannot do this. There is already a ticket for that: #1267. User would have to create a replica package on a server with CS.
I was under the impression that ticket #1267 is about the self-sign use case. If it is also about the Dogtag CS case, then we should fix it in 2.1. Otherwise we should keep it in 2.2 and understand what else is preventing the replica package from being created with CS.
attachment freeipa-rcrit-805-dogtag.patch
Suggestions to test:
Dogtag install with full CA on both servers
on master
# ipa-server-install
# ipa-replica-prepare <your_replica>
# kinit admin
# ipa cert-show 10
on replica
# ipa-replica-install <your_info_file> --setup-ca
# kinit admin
# ipa cert-show 10
# tail /var/log/httpd/error_log
You should see a cert_show meaning that the local CA was used.
Create a cert to make sure cert replication works
# mkdir /tmp/testdb
# certutil -N -d /tmp/testdb
# certutil -R -s "CN=myserver.mydomain.net, O=MYDOMAIN.NET" \
    -d /tmp/testdb -a > example.csr
# ipa cert-request --add --principal=test/myserver.mydomain.net example.csr
Now jump to the master and run:
# ipa cert-show <serial-number-of-new-cert>
Now uninstall both servers.
Dogtag install without dogtag on replica:
You should NOT see a cert_show meaning that the remote CA was used.
Now add dogtag to the replica
# ipa-ca-install <your_info_file>
Now the cert should be visible locally
# ipa cert-show 10
# tail /var/log/httpd/error_log
Finally request another new cert, we can use the same CSR:
# ipa cert-request --add --principal=test2/myserver.mydomain.net example.csr
# tail /var/log/httpd/error_log
# ipa cert-show <serial-number>
# tail /var/log/httpd/error_log
The first tail should show that the cert was issued locally. The second should mean it was shown locally. Note that the serial number should be quite different.
Now jump onto the master and show that the cert was replicated:
# ipa cert-show <serial-number>
Additional tests might involve:
- Passing some arguments and not others to confirm that the required things are prompted for
- Run with -U to make sure everything is required in unattended mode
- Try ipa-ca-install on a selfsign install
- Check the man page
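The test plan above decides whether the local or the remote CA served a request by eyeballing `tail` on httpd's error_log. The helper below is an added illustration, not part of the attached patch or of FreeIPA; it turns that check into a pass/fail step by looking only at the log lines written while the command runs. The function name `ca_log_check` is made up; the log path and the `cert_show` pattern are the ones the steps above rely on.

```shell
#!/bin/sh
# Added example helper (not FreeIPA code). Run a command and report whether
# new lines matching PATTERN were written to LOG while it ran, i.e. whether
# this host's own CA (Dogtag) handled the request rather than a remote one.
#
# Usage: ca_log_check LOG PATTERN COMMAND [ARGS...]
#   returns 0 if the command succeeded and at least one new log line matches
#   returns 1 if the command failed or no new line matched (remote CA used,
#            or nothing was logged at all)
ca_log_check() {
    log=$1
    pattern=$2
    shift 2

    # Line count before the command; tr strips the padding some wc print.
    before=$(wc -l < "$log" | tr -d ' ')

    # Run the real command; a failing ipa call is reported as "not local".
    "$@" >/dev/null 2>&1 || return 1

    after=$(wc -l < "$log" | tr -d ' ')
    new=$((after - before))

    # Nothing appended to the log means the local CA code path did not run.
    [ "$new" -gt 0 ] || return 1

    # Only inspect the lines this command produced, never older history.
    tail -n "$new" "$log" | grep -q "$pattern"
}

# On a replica after ipa-ca-install, following the steps above:
#   ca_log_check /var/log/httpd/error_log cert_show ipa cert-show 10 \
#       && echo "cert-show served by the local CA"
```

Run the request step through the same helper with the `ipa cert-request` command from the plan to confirm issuance happened locally before checking the serial on the master.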
master: 8a32bb3
ipa-2-0: 3b039e0
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/06