Bug 1392582

Summary: foward port NSS OCSP cache settings
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: mod_nssAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Abhijeet Kasurde <akasurde>
Severity: urgent Docs Contact: Vladimír Slávik <vslavik>
Priority: urgent    
Version: 7.4CC: dpal, ipa-qe, ksiddiqu, nkinder, nsoman, rbost, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: mod_nss-1.0.14-8.el7 Doc Type: Release Note
Doc Text:
New cache configuration options for *mod_nss* This update adds new options to control cahing of OCSP responses to the *mod_nss* module. The new options allow the user to control: * Time to wait for OCSP responses * Size of the OCSP cache * Minimum and maximum duration for an item's presence in cache, including not caching at all
Story Points: ---
Clone Of: 1390359 Environment:
Last Closed: 2017-08-01 16:53:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1390359, 1451576    
Bug Blocks: Red Hat1399979    
Description Flags
console.log none

Comment 7 Abhijeet Kasurde 2017-05-17 05:37:09 UTC
Unable to generate certificate using `ipa cert-request` command. Marking this BZ as failed QA.

[root@master1 ~]# openssl req -new -sha256 -key testuser1.key -out testuser1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:RED HAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser1
Email Address []:testuser1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@master1 ~]# ipa cert-request testuser1.csr --principal=testuser1
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

IPA version:: ipa-server-4.5.0-11.el7.x86_64

Comment 8 Abhijeet Kasurde 2017-05-17 06:11:22 UTC
Moving back to ON_QA. This depends on #1451576

Comment 9 Abhijeet Kasurde 2017-05-23 12:24:52 UTC
Verified using mod_nss version :: mod_nss-1.0.14-10.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Comment 10 Abhijeet Kasurde 2017-05-23 12:25:21 UTC
Created attachment 1281534 [details]

Comment 11 errata-xmlrpc 2017-08-01 16:53:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.