Bug 1325071 - add options to enable/disable cert or crl publishing.
Summary: add options to enable/disable cert or crl publishing.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ade Lee
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-08 06:59 UTC by Thorsten Scherf
Modified: 2017-08-01 22:46 UTC

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System now supports enabling and disabling certificate and CRL publishing

Prior to this update, if publishing was enabled in a certificate authority (CA), Certificate System automatically enabled both certificate revocation list (CRL) and certificate publishing. Consequently, on servers that did not have certificate publishing enabled, error messages were logged. Certificate System has been enhanced, and now supports enabling and disabling certificate and CRL publishing independently in the `/var/lib/pki/<instance>/ca/conf/CS.cfg` file.

To enable or disable both certificate and CRL publishing, set:

  ca.publish.enable = True|False

To enable only CRL publishing, set:

  ca.publish.enable = True
  ca.publish.cert.enable = False

To enable only certificate publishing, set:

  ca.publish.enable = True
  ca.publish.crl.enable = False
Clone Of:
Environment:
Last Closed: 2017-08-01 22:46:01 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2110 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Thorsten Scherf 2016-04-08 06:59:00 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2275

Dogtag has only one switch -- ca.publish.enable for both CRLs and certs.

If cert publishing is not wanted and not set up (rules etc.), then errors can be found in the system log about publishing errors for each cert.

We need two new config parameters - ca.publishing.cert.enable and ca.publishing.crl.enable which default to True.  The old ca.publishing.enable parameter will still exist.

If either is set to false, though, we would expect publishing not to be attempted.  In fact, it would be better if the threads for those publishers were not even started.

Comment 1 Matthew Harmsen 2017-01-07 00:51:21 UTC
commit f0551f75618cd30de3efc3154f37a5f53504896c
Author: Ade Lee <alee@redhat.com>
Date:   Wed May 18 15:33:36 2016 -0400

    Add parameters to disable cert or crl publishing

    Right now, if publishing is enabled, both CRL and cert publishing are enabled. This causes a bunch of spurious error messages on IPA servers as cert publishing is not configured.

    As it is impossible to determine if cert publishing is not desired or simply misconfigured, we provide options to explicitly disable either cert or crl publishing.

    Specifically:

    to enable/disable both cert and crl publishing: ca.publish.enable = True/False

        This is the legacy behavior.

    to enable CRL publishing only:
        ca.publish.enable = True
        ca.publish.cert.enable = False

    to enable cert publishing only:
        ca.publish.enable = True
        ca.publish.crl.enable = False

    Ticket 2275

Comment 3 Sumedh Sidhaye 2017-05-05 11:26:59 UTC
Build used for verification:

[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group       : System Environment/Base
Size        : 2086078
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework


Enable crl publishing only

  ca.publish.enable = True
  ca.publish.cert.enable = False

After setting the above flags, crl publishing works as expected.

Enable cert publishing only

  ca.publish.enable = True
  ca.publish.crl.enable = False

After setting the above flags, cert publishing is working as expected as well.

When ca.publish.enable = False, both cert and crl publishing are disabled, which is the legacy behaviour.
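To confirm which kinds of publishing a CA will actually attempt after editing CS.cfg, here is an added checker script (not part of pki-core or this bug's verification) that reads the three switches and applies the semantics described in the commit message and verified above. It assumes a value enables a switch only when it equals "true" case-insensitively, and that a missing ca.publish.enable counts as false.

```python
import sys
from typing import Dict, Tuple

# Constructed sample of the relevant CS.cfg lines (CRL-only publishing);
# not copied from any real instance.
SAMPLE_CS_CFG = """\
# publishing switches (constructed sample)
ca.publish.enable=true
ca.publish.cert.enable=false
ca.publish.crl.enable=true
"""

def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style key=value lines; comments and blanks are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def as_bool(cfg: Dict[str, str], key: str, default: bool) -> bool:
    """Assumption: only a case-insensitive 'true' turns a switch on."""
    value = cfg.get(key)
    return default if value is None else value.lower() == "true"

def effective_publishing(cfg: Dict[str, str]) -> Tuple[bool, bool]:
    """Return (cert_publishing, crl_publishing) after applying the switches:
    ca.publish.enable=false disables both (legacy behaviour); the per-type
    keys default to true when absent. Assumes a missing master key is false."""
    if not as_bool(cfg, "ca.publish.enable", False):
        return (False, False)
    return (as_bool(cfg, "ca.publish.cert.enable", True),
            as_bool(cfg, "ca.publish.crl.enable", True))

def main() -> None:
    # Read a real CS.cfg path if given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CS_CFG
    cert, crl = effective_publishing(parse_cs_cfg(text))
    print(f"cert publishing: {'on' if cert else 'off'}")
    print(f"crl publishing:  {'on' if crl else 'off'}")

if __name__ == "__main__":
    main()
```

Run it as `python3 check_publish.py /var/lib/pki/<instance>/ca/conf/CS.cfg` to see the effective state of a real instance; with no argument it evaluates the embedded sample.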

Comment 5 Ade Lee 2017-07-26 16:07:29 UTC
Doc text looks good.

Comment 6 errata-xmlrpc 2017-08-01 22:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

