%global systemd 1

%global	sysvinit 0

%global systemdsysv 0

%global tmpfiles 1

%global sysvinitdir %{_initddir}

%bcond_without xmlrpc

Name:		certmonger

Version:	0.79.17

Release:	2%{?dist}

Summary:	Certificate status monitor and PKI enrollment client

Group:		System Environment/Daemons

License:	GPLv3+

URL:		http://pagure.io/certmonger/

Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz

#Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig

Patch0001:	0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch

Patch0002:	0002-Don-t-run-the-002-keygen-tests-when-root.patch

BuildRequires:	autoconf

BuildRequires:	automake

BuildRequires:	gettext-devel

BuildRequires:	gcc

BuildRequires:	openldap-devel

BuildRequires:	libidn2-devel

BuildRequires:	python3-dbus

BuildRequires:	dbus-devel

BuildRequires:	nspr-devel

BuildRequires:	nss-devel

BuildRequires:	openssl-devel

BuildRequires:	libuuid-devel

BuildRequires:	libtalloc-devel, libtevent-devel

BuildRequires:	libcurl-devel

BuildRequires:	libxml2-devel

%if %{with xmlrpc}

BuildRequires:	xmlrpc-c-devel

%endif

BuildRequires:	jansson-devel

# Required for 'make check':

#  for diff and cmp

BuildRequires:	diffutils

#  for expect

BuildRequires:	expect

#  for certutil and pk12util

BuildRequires:	nss-tools

#  for openssl

BuildRequires:	openssl

#  for dbus-launch

BuildRequires:	/usr/bin/dbus-launch

#  for dos2unix

BuildRequires:	/usr/bin/dos2unix

BuildRequires:	/usr/bin/unix2dos

#  for which

BuildRequires:	/usr/bin/which

BuildRequires:	popt-devel

#  for make check

BuildRequires:	python3-devel

BuildRequires:	krb5-devel

# we need a running system bus

Requires:	dbus

Requires(post):	%{_bindir}/dbus-send

%if %{systemd}

BuildRequires:	systemd-units

Requires(post):	systemd-units

Requires(preun):	systemd-units, dbus, sed

Requires(postun):	systemd-units

%endif

%if %{systemdsysv}

Requires(post):	systemd-sysv

%global systemdsysvsave \

# Save the current service runlevel info, in case the user wants \

# to apply the enabled status manually later, by running \

#   "systemd-sysv-convert --apply certmonger". \

%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:

%else

%global systemdsysvsave %{nil}

%endif

%if %{sysvinit}

Requires(post):	/sbin/chkconfig, /sbin/service

Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed

%endif

%description

Certmonger is a service which is primarily concerned with getting your

system enrolled with a certificate authority (CA) and keeping it enrolled.

%prep

%autosetup -p1

%build

autoreconf -i -f

%configure \

%if %{systemd}

	--enable-systemd \

%endif

%if %{sysvinit}

	--enable-sysvinit=%{sysvinitdir} \

%endif

%if %{tmpfiles}

	--enable-tmpfiles \

%endif

	--with-homedir=/run/certmonger \

%if %{with xmlrpc}

	--with-xmlrpc \

%endif

	--with-tmpdir=/run/certmonger --enable-pie --enable-now

%if %{with xmlrpc}

# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just

# tell us about libxmlrpc_client, but we need more.  Work around.

make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"

%else

make %{?_smp_mflags}

%endif

%install

rm -rf $RPM_BUILD_ROOT

make install DESTDIR=$RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests}

install -m755 -d $RPM_BUILD_ROOT/run/certmonger

%{find_lang} %{name}

%check

# Seed then openssl RNG if not set

if [ ! -e $HOME/.rnd ] ; then

	openssl rand -writerand $HOME/.rnd

fi

make check

%post

if test $1 -eq 1 ; then

	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :

fi

%if %{without xmlrpc}

# remove any existing certmaster CA configuration

if test $1 -gt 1 ; then

	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :

fi

%endif

%if %{systemd}

if test $1 -eq 1 ; then

	/bin/systemctl daemon-reload >/dev/null 2>&1 || :

fi

%endif

%if %{sysvinit}

/sbin/chkconfig --add certmonger

%endif

%triggerin -- certmonger < 0.58

if test $1 -gt 1 ; then

	# If the daemon is running, remove knowledge of the dogtag renewer.

	objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`

	if test -n "$objpath" ; then

		dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null

	fi

	# Remove the data file, in case it isn't running.

	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do

		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then

			rm -f "$cafile"

		fi

	done

fi

exit 0

%postun

%if %{systemd}

/bin/systemctl daemon-reload >/dev/null 2>&1 || :

if [ $1 -ge 1 ] ; then

	/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :

fi

%endif

%if %{sysvinit}

if test $1 -gt 0 ; then

	/sbin/service certmonger condrestart 2>&1 > /dev/null

fi

%endif

exit 0

%preun

%if %{systemd}

if test $1 -eq 0 ; then

	/bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :

	/bin/systemctl stop certmonger.service > /dev/null 2>&1 || :

fi

%endif

%if %{sysvinit}

if test $1 -eq 0 ; then

	/sbin/service certmonger stop 2>&1 > /dev/null

	/sbin/chkconfig --del certmonger

fi

%endif

exit 0

%if %{systemd}

%triggerun -- certmonger < 0.43

%{systemdsysvsave}

# Do this because the old package's %%postun doesn't know we need to do it.

/sbin/chkconfig --del certmonger >/dev/null 2>&1 || :

# Do this because the old package's %%postun wouldn't have tried.

/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :

exit 0

%endif

%files -f %{name}.lang

%defattr(-,root,root,-)

%doc README.md LICENSE STATUS doc/*.txt

%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*

%{_datadir}/dbus-1/services/*

%dir %{_sysconfdir}/certmonger

%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf

%dir /run/certmonger

%{_bindir}/*

%{_sbindir}/certmonger

%{_mandir}/man*/*

%{_libexecdir}/%{name}

%{_localstatedir}/lib/certmonger

%if %{sysvinit}

%{sysvinitdir}/certmonger

%endif

%if %{tmpfiles}

%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf

%endif

%if %{systemd}

%{_unitdir}/*

%{_datadir}/dbus-1/system-services/*

%endif

%changelog

* Wed Dec  7 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2

- Skip the keygen tests when executed as root.

* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1

- Update to upstream 0.79.17 (#2139523)

- Certificate format validation when adding the SCEP server's CA (#2150025)

- Certmonger SCEP renewal should not use old challenges (#2150030)

- certmonger SEGV during rekey in FIPS mode (#2150070)

* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5

- certmonger creates CSRs with invalid DER syntax for X509v3 extensions

  with critical=FALSE (#2012258)

* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4

- Certmonger SCEP renewal should not use old challenges (#1577570)

- Certmonger segfault after cert renewal request (#1881500)

- Include certificate NotBefore date in output of the 'getcert list' command

  (#1940261)

- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)

* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3

- Fix local CA to work under FIPS (#1950132)

* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2

- Rebuild with xmlrpc-c support enabled (#1687698)

* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1

- Rebase to 0.79.13 (#1891743)

* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15

- Replace the previous fix for dbus restarting with PartOf in the

  certmonger systemd service file to link the two (#1687698)

* Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14

- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)

* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13

- Exit gracefully if dbus is restarted (#1687698)

* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12

- Add long command-line options to man pages and help output (#1782838)

* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11

- Fix test failure in 039-fromfile

* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10

- Ensure that files read in have a trailing new-line (#1829490)

* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9

- Call the secport equivalent of PR_ErrorToString

- Remove a couple of unused varaibles found by coverity

* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8

- Move systemd tmpfiles from /var/run to /run (#1804928)

- Improve logging in the SCEP helper (#1807691)

- Fix sort order of certificates passed into PKCS7_verify (#1808052)

- Add -N option to SCEP helper to separate web server chain from

  SCEP issuer chain (#1808613)

- Add template profile, MS v2 template and issuer to getcert list

  output (#1734451)

* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7

- Update gating requirements

* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6

- Rebuild

* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5

- Fix use-after-free issue when retrieving CA chain (#1710632)

* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4

- Optimize closing of file descriptors on fork (#1763745)

- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)

- Retrieve full IPA CA chain (#1710632)

* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3

- Rebuild for new annobin (#1708095)

* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2

- Rebuild for new annobin (#1708095)

* Thu May  9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1

- Rebase to 0.79.7 (#1708095)

* Mon Oct  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5

- Address more issues uncovered by static analysis (#1632449)

* Tue Oct  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4

- Improve handling of NSS tokens (#1624930)

- Pull in upstream fixes discovered in coverity and clang (#1632449)

* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3

- Add BuildRequires on python3-devel (#1615507)

* Thu Aug  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-2

- Fix test failure on some platforms

* Wed Aug  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1

- Update to upstream 0.79.6

- Fix unit tests to work with python 3

* Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6

- Fix unit tests. NSS crypto policy disallows keys < 1024

* Wed Feb 21 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-5

- Add BuildRequires on gcc

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.5-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Wed Jan 10 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-3

- Remove BR on mktemp. It is now provided by coreutils.

- Patch to fix NSS handling of keys in sqlite databases

- Patches to fix tests now that sqlite is the NSS default.

* Wed Oct  4 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-2

- Switch BR from /usr/include/popt.h to popt-devel

* Fri Sep  1 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-1

- update to 0.79.5:

   - getcert start-tracking: use issuer option when specified

   - add support for specifying the MS certificate template

   - Reformat certificates returned by Dogtag to strip extra newline

* Wed Aug 16 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-2

- Reformat certificates returned by Dogtag. Dogtag was including

  a spurious newline before -----END CERTIFICATE-----

* Mon Aug  7 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-1

- update to 0.79.4

  - fix CA option name for ipa cert-request

  - fix minor memory leak

  - fix build warnings

  - fix an incorrect date in the .spec changelog

  - bump gettext version to avoid warning

* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Tue Feb 28 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.3-1

- update to 0.79.3:

  - fix self-signing self-test cases that used DSA or EC keys

* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-2

- update %%docs list because README is now README.md

* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-1

- update to 0.79.2:

  - fix 'make distcheck' target

* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.1-1

- update to 0.79.1:

  - update translations

  - fix 'make archive' target

* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79-1

- update to 0.79:

  - getcert now offers an option (-X) for requesting processing by a particular

    CA if the server we're contacting is running more than one

  - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for

    requesting BasicConstraints values

  - getcert now displays times in local time instead of UTC, which was

    previously the only way they were displayed; the --utc option can often be

    used to switch back to its previous behavior

  - the SCEP enrollment helper now correctly issues GetCACertChain requests to

    SCEP servers, instead of issuing a GetCAChain request, which isn't part of

    the protocol; from report by Jason Garland

  - when issuing SCEP requests, the ID of the CA included in the HTTP request

    is now URL-encoded, as it should be

  - renewal or notification-of-impending-expiration logic is now triggered

    closer to TTL thresholds rather than waiting for a periodic check to pass a

    threshold

  - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz

    for a lot of the legwork

- resync .spec file with Fedora

- upstream project migrated from fedorahosted.org to pagure.io

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Sat Jan 21 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.78.6-5

- Rebuild for xmlrpc-c

* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-4

- add backported fix to wait a reasonable amount of time after calling the

  'resubmit' method for a new certificate to be issued when we're exercising

  the D-Bus API during tests (Jan Cholasta, #1351052)

* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-3

- instead of using killall to send a SIGHUP to the system bus daemon in %%post

  to get it to reload its configuration, use dbus-send to send a ReloadConfig

  request over the bus (should fix #1277573)

* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Jan 13 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-1

- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit

- stop checking that we can generate 512 bit keys during self-tests

* Thu Nov 12 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.5-1

- fix a possible uninitialized memory read (possibly #1260871)

- log a diagnostic error when we fail to initialize libkrb5

* Tue Aug  4 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.4-1

- fix the "getcert start-tracking" -L and -l options (#1249753)

- output diagnostics about the second request when scep-submit encounters an

  error during a second request to the SCEP server

* Mon Jul 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.3-1

- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit

  and the -O and -o flags to dogtag-submit (#1244914)

* Thu Jul  9 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.2-1

- tweak initialization so that we set up for providing our D-Bus API before we

  register our name with the bus, so that we can handle any requests that

  arrive before the acknowledgement of that registration

- on systems that run systemd, add the right data file so that the service gets

  started when someone tries to talk to the daemon (ticket #38)

- correctly check for error responses when sending GetCAChain requests to SCEP

  servers

* Sun Jun 21 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.1-1

- self-tests: assume that certutil won't generate DSA keys with more than 1024

  bits, and will often short us by a few

* Sat Jun 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78-1

- switch to using popt for parsing command line arguments, continuing to

  use old help text for now so that we can catch up with translations (print

  old text for --help, new text (with longopts!) for -H)

- add some plumbing for eventually receiving per-certificate roots in

  addition to issued certificates and chain certificates

- add a "rekey" command to getcert, for triggering enrollment using a new

  key pair (#1087932)

- scep-submit: check for the Renewal capability, and default to taking

  advantage of it during rekeying, unless the new -n flag is specified to it

- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs

  to the helper (part of ticket #12)

- dogtag-submit: add a flag for using the agent creds to do TLS client auth

  while submitting enrollment requests (more of ticket #12)

- dogtag-submit: handle cases where we submit a request and the server

  returns a success code rather than just queuing the request (#12 again)

- ipa-submit: pass requested profile names to the server as an argument

  named "profile_id"; if the server gives us an "unrecognized argument"

  error, retry without it for compatibility's sake (part of IPA ticket #57)

- keygen: fix a possible crash if keygen fails to return a key from NSS

- correct the certmonger(8) man page's description of the -c flag, which it

  used to call the -C flag

- add logic for setting ownership and permissions on certificates and keys

  when saving them to disk

- add configuration options "max_key_lifetime" and "max_key_use_count" for

  making automatic renewal prefer rekeying

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.77.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Thu May 28 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.5-1

- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request

  includes IP address subjectAltName values

- correctly verify signatures on SCEP server replies when the signer is neither

  the top-level CA nor the RA (feedback in #1161768)

- correctly verify signatures on SCEP server replies when there is more than

  one certificate in the chain between the RA and the top-level CA (feedback in

  #1161768)

* Fri May 15 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.4-1

- don't display PINs in "getcert list" output (#42)

- clean up launching of a private instance in "getcert"

- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's

  own safety checks have an effect

- backport record-keeping of key generation dates and counts of how many

  times we've gotten certificates using a given key pair

* Thu May  7 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.3-1

- fix a data loss bug when saving renewed certificates to NSS databases - the

  private key could be removed in error since 0.77

- fixes for bugs found by static analysis

- fix self-tests when built with OpenSSL 1.0.2

* Tue Apr 14 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.2-1

- expose the certificate's not-valid-before and not-valid-after dates as a

  property over D-Bus (ticket #41)

- give the local signer its own configuration option to set the lifetime

  of its signing certificate, falling back to the lifetime configured for

  the self-signer as a default to match the previous behavior

- fix a potential read segfault parsing the output of an enrollment helper,

  introduced in 0.77 (thanks to Steve Neuharth)

- read the ns-certtype extension value in certificates

- request an enrollment certtype extension to CSRs if we have a profile name

  that we want to use (ticket #17, possibly part of IPA ticket #57)

* Fri Feb 27 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.1-1

- update to 0.77

  - add initial, still rough, SCEP support (#1140241,#1161768)

    - add an scep-submit helper to handle part of it

  - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands

  - getcert: add -l, -L flags to request/resubmit/start-tracking commands

    to provide a way to set a ChallengePassword in signing requests

  - lay some groundwork for rekeying support

  - bundled dogtag enrollment helpers now output debugging info to stderr (#)

  - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)

  - getcert: fix displaying of pre-request pre-/post-save commands (#1178190,

    #1181022, patch by David Kupka)

  - use Zanata for translations

  - getcert list: list the certificate's profile name, if it contains one

* Tue Nov 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.8-1

- dogtag-submit: accept additional options to pass to the server when

  approving requests using agent creds (#1165155, patch by Jan Cholasta)

- getcert: print help output when 'status' isn't given any args (#1163541)

* Tue Nov 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.7-1

- correctly read CA not-valid-after dates on 32-bit machines (also reported by

  Natxo Asenjo), so that we don't spin on polling them (#1163023)

* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.6-1

- don't discard the priority value in DNS SRV records

* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.5-1

- avoid premature exit on CA data analysis failures (should fix an issue

  reported by Natxo Asenjo)

* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.4-1

- fix a failure in self-tests

* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.3-1

- fixes for bugs found by static analysis

- handle IDN correctly when doing service location using SRV records

- documentation updates

* Wed Nov  5 2014 Nalin Dahyabhai <nalin@redhat.com>

- rework the state machine so that we save an issued certificate's associated

  CA certificates, then re-read the certificate, then run the post hook and

  issue notifications, in that order, instead of saving CA certificates after

  running the post hook, which was always a surprising order (#1131700)

- add a generic dogtag-submit helper that doesn't include any IPA defaults,

  to make it easier to know the difference between paramenters it requires

  and parameters which are optional (#12)

* Tue Nov  4 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.2-1

- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,

  use discovery to find them (#1136900)

* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.1-1

- allow for 'certmonger -P abstract:...' to work, too

* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76-1

- require a single certificate to be specified to 'getcert status' (#1148001,

  #1163541, #1163539)

- shorten the default help message which getcert prints when it's not given

  a specific command (#1131704)

- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen

  for connections directly from clients running under the same UID

- add a command mode (-c) to certmonger, in which once it's started, it

  launches a specified command, and after that command exits, the daemon exits

- when getcert is invoked with no bus running, if it's running as root, run

  certmonger in private listener mode with the same invocation of getcert as

  the command to start and wait for (#1134497)

* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1

- make pathname canonicalization slightly smarter, to handle ".." in

  locations (#1131758)

- updates to self-tests (#1144082)

* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2

- Rebuild for rpm bug 1131960

* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1

- add a missing test case file (whoops)

* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1

- correct encoding/decoding of variant-typed data which we receive and send

  as part of the org.freedesktop.DBus.Properties interface over the bus, and

  add some tests for them (based on patch from David Kupka, ticket #36)

* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1

- when getcert is passed a -a flag, to indicate that CA root certificates

  should be stored in the specified database, don't ignore locations which

  don't include a storage scheme (#1129537)

- when called to 'start-tracking' with the -a or -F flags, if we have

  applicable certificates on-hand for a CA that we're either told to use

  or which we decide is the correct one, save the certificates (#1129696)

* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1

- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in

  default.conf, and no "host" is set either, try to construct the server URI

  using the "server" setting (#1126985)

* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1

- avoid potential use-after-free after a CA is removed dynamically (thanks to

  Keenan Brock) (#1125342)

- add a "external-helper" property to CA objects

* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1

- add a 'refresh' option to the getcert command

- add a '-a' flag to the getcert command's 'refresh-ca' option

* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2

- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,

  conditionalized it so that it's ignored on newer releases, and make

  whether or not we call systemd-sysv-convert in triggers depend on that,

  too (#1104138)

* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1

- fix an inconsistency in how we parse cookie values returned by CA helpers,

  in that single-line values would lose the end-of-line after a daemon

  restart, but not before

- handle timeout values and exit status values when calling CA helpers

  in non-SUBMIT, non-POLL modes (#1118468)

- rework how we save CA certificates so that we save CA certificates associated

  with end-entity certificates when we save that end-entity certificate, which

  requires running all of the involved pre- and post-save commands

- drop package Requires: on systemd-sysv (#1104138)

* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1

- avoid potential use-after-free and read overrun after a CA is added

  dynamically (thanks to Jan Cholasta)

* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1

- documentation updates

* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2

- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA

  when we detect certmonger versions prior to 0.58 being installed, to

  avoid cases where some older versions choke on CAs with nicknames that

  contain characters that can't legally be part of a D-Bus name (#948993)

* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1

- fix creation and packaging of the "local" CA's data directory

* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1

- read and cache whether or not we saw a noOCSPcheck extension in certificates

- documentation updates

* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1

- when generating keys using OpenSSL, if key generation fails, try

  again with the default key size, in case we're in FIPS mode

- documentation updates

* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1

- log the state in 'getcert status' verbose mode

* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1

- add a -w (wait) flag to the getcert's request/resubmit/start-tracking

  commands, and add a non-waiting status command

* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1

- make the trust settings we apply to CA-supplied certificates while

  saving them to NSS databases run-time configurable

- fix compiling against EL5-era OpenSSL

- when saving CA certificates we pull from an IPA server, nickname

  it using the realm name with " IPA CA" appended rather than just

  naming it "IPA CA"

- fix the local signer so that when it issues itself a new certificate,

  it uses the same subject name

- add a -w flag to getcert's request, resubmit, and start-tracking

  commands, telling it to wait until either the certificate is issued,

  we get to a state where we know that we won't be able to get one, or

  we are waiting for a CA

* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1

- add the "local" signer, a local toy CA that signs anything you'll

  ask it to sign

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1

- fix self-test errors that we trigger with new OpenSSL

- fix a build error that would sometimes happen when we're told to

  build PIE binaries

- quiet a compile warning

* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1

- add some self-tests