Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/pki/ticket/2275 Dogtag has only one switch -- ca.publish.enable for both CRLs and certs. If cert publishing is not wanted and not set up (rules etc)., then errors can be found in the system log about publishing errors for each cert. We need two new config parameters - ca.publishing.cert.enable and ca.publishing.crl.enable which default to True. The old ca.publishing.enable parameter will still exist. If either is set to false, though, we would expect publishing not to be attempted. In fact, it would be better if the threads for those publishers were not even started.
commit f0551f75618cd30de3efc3154f37a5f53504896c Author: Ade Lee <alee@redhat.com> Date: Wed May 18 15:33:36 2016 -0400 Add parameters to disable cert or crl publishing Right now, if publishing is enabled, both CRLs and Cert publishing is enabled. This causes a bunch of spurious error messages on IPA servers as cert publishing is not configured. As it is impossible to determine if cert publishing is not desired or simply misconfigured, we provide options to explicitly disable either cert or crl publishing. Specifically: to enable/disable both cert and crl publishing: ca.publish.enable = True/False? This is the legacy behavior. to enable CRL publishing only: ca.publish.enable = True ca.publish.cert.enable = False to enable cert publishing only: ca.publish.enable = True ca.publish.crl.enable = False Ticket 2275
Build used for verification: [root@auto-hv-02-guest09 certdb]# rpm -qi pki-base Name : pki-base Version : 10.4.1 Release : 3.el7 Architecture: noarch Install Date: Friday 05 May 2017 01:31:47 AM EDT Group : System Environment/Base Size : 2086078 License : GPLv2 Signature : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51 Source RPM : pki-core-10.4.1-3.el7.src.rpm Build Date : Tuesday 02 May 2017 03:15:26 PM EDT Build Host : ppc-015.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - PKI Framework Enable crl publishing only ca.publish.enable = True ca.publish.cert.enable = False After setting the above flags crl publishing works as expected Enable cert publishing only ca.publish.enable = True ca.publish.crl.enable = False After setting above flags cert publishing is working as expected as well. When ca.publish.enable = False both cert and crl publishing is disabled, which is the legacy behaviour.
Doc text looks good.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110