diff --git a/SOURCES/0013-Add-service-check-dependencies.patch b/SOURCES/0013-Add-service-check-dependencies.patch new file mode 100644 index 0000000..f79ec4a --- /dev/null +++ b/SOURCES/0013-Add-service-check-dependencies.patch @@ -0,0 +1,71 @@ +From 235198b41a0932a7a190124fff5f8c1afa5d6679 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 5 May 2021 15:35:19 -0400 +Subject: [PATCH] Add service check dependencies + +Since 389-ds is the heart of IPA there may not be a point in checking +all dependent services. ipa-dnskeysyncd in particular doesn't like +when it can't connect and tries to restart itself multiple times. + +Note that this currently works because the services are sorted +alphabetically and dirsrv appears near the top. Re-ordering may be +necessary in the future. + +I'm choosing not to add dirsrv to the other services because they +return cleanly if it is not available. + +https://bugzilla.redhat.com/show_bug.cgi?id=1776687 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/core/core.py | 20 ++++++++++++++++++++ + src/ipahealthcheck/meta/services.py | 2 ++ + 2 files changed, 22 insertions(+) + +diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py +index a4af690..eaa2d9c 100644 +--- a/src/ipahealthcheck/core/core.py ++++ b/src/ipahealthcheck/core/core.py +@@ -81,6 +81,26 @@ def run_service_plugins(plugins, source, check): + if not isinstance(plugin, ServiceCheck): + continue + ++ # Try to save some time to not check dependent services if the ++ # parent is down. ++ if not set(plugin.requires).issubset(available): ++ # A required service is not available. Either it hasn't been ++ # checked yet or it isn't running. If not running break. ++ running = True ++ for result in results.results: ++ if result.check in plugin.requires: ++ # if not in available but in results the service failed ++ running = False ++ break ++ if not running: ++ logger.debug( ++ 'Skipping %s:%s because %s service(s) not running', ++ plugin.__class__.__module__, ++ plugin.__class__.__name__, ++ ', '.join(set(plugin.requires) - set(available)) ++ ) ++ continue ++ + logger.debug('Calling check %s', plugin) + for result in plugin.check(): + # always run the service checks so dependencies work +diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py +index a987108..5d80728 100644 +--- a/src/ipahealthcheck/meta/services.py ++++ b/src/ipahealthcheck/meta/services.py +@@ -92,6 +92,8 @@ class ipa_dnskeysyncd(IPAServiceCheck): + def check(self): + self.service_name = 'ipa-dnskeysyncd' + ++ requires = ('dirsrv',) ++ + if not bindinstance.named_conf_exists(): + return () + +-- +2.31.1 + diff --git a/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch new file mode 100644 index 0000000..3bc4afe --- /dev/null +++ b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch @@ -0,0 +1,82 @@ +From eb377fed539e44194fb1ad822c0d4c6e9ea38d03 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 11 May 2021 13:26:00 -0400 +Subject: [PATCH] Filter out the pki healthcheck sources if IPA CA is not + installed + +The pki checks spew the error "Invalid PKI instance: pki-tomcat" so +we need to suppress them in the IPA CA-less installation case. + +So if the IPA CA is not configured then don't register the +pki sources. + +A side-effect is that to user the sources will not be listed at +all in this case. + +This should not affect pki-healthcheck and it will continue to +return errors in the unconfigured case. + +https://github.com/freeipa/freeipa-healthcheck/issues/201 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/core/core.py | 13 +++++++++++++ + src/ipahealthcheck/ipa/plugin.py | 4 ++++ + 2 files changed, 17 insertions(+) + +diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py +index eaa2d9c..a6b4fe8 100644 +--- a/src/ipahealthcheck/core/core.py ++++ b/src/ipahealthcheck/core/core.py +@@ -281,6 +281,13 @@ class RunChecks: + if rval is not None: + return rval + ++ # If we have IPA configured without a CA then we want to skip ++ # the pkihealthcheck plugins otherwise they will generated a ++ # lot of false positives. The IPA plugins are loaded first so ++ # which should set ca_configured in its registry to True or ++ # False. We will skip the pkihealthcheck plugins only if ++ # ca_configured is False which means that it was set by IPA. ++ ca_configured = False + for name, registry in find_registries(self.entry_points).items(): + try: + registry.initialize(framework, config, options) +@@ -292,6 +299,12 @@ class RunChecks: + except Exception as e: + logger.error("Unable to initialize %s: %s" % (name, e)) + continue ++ if hasattr(registry, 'ca_configured'): ++ ca_configured = registry.ca_configured ++ for name, registry in find_registries(self.entry_points).items(): ++ if 'pkihealthcheck' in name and ca_configured is False: ++ logger.debug('IPA CA is not configured, skipping %s', name) ++ continue + for plugin in find_plugins(name, registry): + plugins.append(plugin) + +diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py +index 67d93e5..debb1bb 100644 +--- a/src/ipahealthcheck/ipa/plugin.py ++++ b/src/ipahealthcheck/ipa/plugin.py +@@ -35,6 +35,7 @@ class IPARegistry(Registry): + super(IPARegistry, self).__init__() + self.trust_agent = False + self.trust_controller = False ++ self.ca_configured = False + + def initialize(self, framework, config, options=None): + super(IPARegistry, self).initialize(framework, config) +@@ -58,6 +59,9 @@ class IPARegistry(Registry): + logging.debug('Failed to connect to LDAP: %s', e) + return + ++ ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host) ++ self.ca_configured = ca.is_configured() ++ + # This package is pulled in when the trust package is installed + # and is required to lookup trust users. If this is not installed + # then it can be inferred that trust is not enabled. +-- +2.31.1 + diff --git a/SOURCES/0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch b/SOURCES/0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch new file mode 100644 index 0000000..3bec151 --- /dev/null +++ b/SOURCES/0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch @@ -0,0 +1,117 @@ +From d59a031264c5b30ce2686d2c2bd6d756b05ebcc8 Mon Sep 17 00:00:00 2001 +From: root +Date: Thu, 7 Oct 2021 18:02:30 -0400 +Subject: [PATCH] Work with existing resolve_rrsets and newer + resolve_rrsets_nss + +Up to freeipa 4.8.9 resolve_rrsets is used to look up the +ipa-ca values. After that, and in master, resovle_rrsets_nss +is used instead. Handle both in the DNS mock testing. +--- + tests/test_ipa_dns.py | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/tests/test_ipa_dns.py b/tests/test_ipa_dns.py +index b6a9610..91b15c2 100644 +--- a/tests/test_ipa_dns.py ++++ b/tests/test_ipa_dns.py +@@ -27,6 +27,15 @@ from ipaserver.dns_data_management import ( + IPA_DEFAULT_ADTRUST_SRV_REC + ) + ++try: ++ # pylint: disable=unused-import ++ from ipaserver.install.installutils import resolve_rrsets_nss # noqa: F401 ++ # pylint: enable=unused-import ++except ImportError: ++ resolve_rrsets_import = 'ipaserver.dns_data_management.resolve_rrsets' ++else: ++ resolve_rrsets_import = 'ipaserver.install.installutils.resolve_rrsets_nss' ++ + + def add_srv_records(qname, port_map, priority=0, weight=100): + rdlist = [] +@@ -182,7 +191,7 @@ class TestDNSSystemRecords(BaseTest): + 2. fake_query() overrides dns.resolver.query to simulate + A, AAAA and TXT record lookups. + """ +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_single(self, mock_query, mock_query_srv, mock_rrset): +@@ -217,7 +226,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.source == 'ipahealthcheck.ipa.idns' + assert result.check == 'IPADNSSystemRecordsCheck' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_two(self, mock_query, mock_query_srv, mock_rrset): +@@ -265,7 +274,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.source == 'ipahealthcheck.ipa.idns' + assert result.check == 'IPADNSSystemRecordsCheck' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_three(self, mock_query, mock_query_srv, mock_rrset): +@@ -323,7 +332,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.source == 'ipahealthcheck.ipa.idns' + assert result.check == 'IPADNSSystemRecordsCheck' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_three_mixed(self, mock_query, mock_query_srv, +@@ -379,7 +388,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.result == constants.SUCCESS + assert result.source == 'ipahealthcheck.ipa.idns' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_missing_server(self, mock_query, mock_query_srv, +@@ -445,7 +454,7 @@ class TestDNSSystemRecords(BaseTest): + for result in warn: + assert result.kw.get('msg') == 'Expected SRV record missing' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_missing_ipa_ca(self, mock_query, mock_query_srv, +@@ -516,7 +525,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.kw.get('count') == 2 + assert result.kw.get('expected') == 3 + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_extra_srv(self, mock_query, mock_query_srv, +@@ -586,7 +595,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.kw.get('msg') == \ + 'Unexpected SRV entry in DNS' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_bad_realm(self, mock_query, mock_query_srv, +@@ -626,7 +635,7 @@ class TestDNSSystemRecords(BaseTest): + assert result.kw.get('msg') == 'expected realm missing' + assert result.kw.get('key') == '\"FAKE_REALM\"' + +- @patch('ipaserver.dns_data_management.resolve_rrsets') ++ @patch(resolve_rrsets_import) + @patch('ipapython.dnsutil.query_srv') + @patch('dns.resolver.query') + def test_dnsrecords_one_with_ad(self, mock_query, mock_query_srv, +-- +2.27.0 + diff --git a/SOURCES/0016-tests-Generate-a-proper-not-valid-after-field.patch b/SOURCES/0016-tests-Generate-a-proper-not-valid-after-field.patch new file mode 100644 index 0000000..8d00073 --- /dev/null +++ b/SOURCES/0016-tests-Generate-a-proper-not-valid-after-field.patch @@ -0,0 +1,96 @@ +From 90f0b7c16c68d1dd876fc88b56b58c04bc565230 Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Fri, 6 Nov 2020 15:18:33 +0300 +Subject: [PATCH] tests: Generate a proper `not-valid-after` field + +Some tests assume that the mocked certificate will be valid in N +days from now(). There was a hardcoded `not-valid-after` value +which pointed to 20201205214850Z. So, from Nov 06 2020 the assertion +20201205214850Z - now() < cert_expiration_days(30days) fails. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/159 +Signed-off-by: Stanislav Levin +--- + tests/mock_certmonger.py | 18 ++++++++++++++++-- + tests/test_ipa_expiration.py | 8 ++++++-- + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/tests/mock_certmonger.py b/tests/mock_certmonger.py +index ab53620..8fa4d36 100644 +--- a/tests/mock_certmonger.py ++++ b/tests/mock_certmonger.py +@@ -3,6 +3,7 @@ + # + + import copy ++from datetime import datetime, timedelta, timezone + + from ipaplatform.paths import paths + +@@ -10,6 +11,8 @@ from ipaplatform.paths import paths + # distinct from the value from the overrident get_defaults() method. + template = paths.CERTMONGER_COMMAND_TEMPLATE + ++CERT_EXPIRATION_DAYS = 30 ++ + pristine_cm_requests = [ + { + 'nickname': '1234', +@@ -20,7 +23,11 @@ pristine_cm_requests = [ + 'cert-storage': 'FILE', + 'cert-presave-command': template % 'renew_ra_cert_pre', + 'cert-postsave-command': template % 'renew_ra_cert', +- 'not-valid-after': 1024, ++ 'not-valid-after': ( ++ int( ++ datetime(1970, 1, 1, 0, 17, 4, tzinfo=timezone.utc).timestamp() ++ ) ++ ), + }, + { + 'nickname': '5678', +@@ -30,7 +37,14 @@ pristine_cm_requests = [ + 'template_profile': 'caIPAserviceCert', + 'cert-storage': 'FILE', + 'cert-postsave-command': template % 'restart_httpd', +- 'not-valid-after': 1607204930, ++ 'not-valid-after': ( ++ int( ++ ( ++ datetime.now(timezone.utc) + ++ timedelta(days=CERT_EXPIRATION_DAYS + 1) ++ ).timestamp() ++ ) ++ ), + }, + ] + +diff --git a/tests/test_ipa_expiration.py b/tests/test_ipa_expiration.py +index ff3564b..fb7105b 100644 +--- a/tests/test_ipa_expiration.py ++++ b/tests/test_ipa_expiration.py +@@ -11,7 +11,11 @@ from ipahealthcheck.ipa.certs import IPACertmongerExpirationCheck + from ipahealthcheck.ipa.certs import IPACAChainExpirationCheck + from unittest.mock import Mock, patch + from mock_certmonger import create_mock_dbus, _certmonger +-from mock_certmonger import get_expected_requests, set_requests ++from mock_certmonger import ( ++ get_expected_requests, ++ set_requests, ++ CERT_EXPIRATION_DAYS, ++) + + from datetime import datetime, timedelta, timezone + +@@ -67,7 +71,7 @@ class TestExpiration(BaseTest): + registry.initialize(framework, config.Config) + f = IPACertmongerExpirationCheck(registry) + +- f.config.cert_expiration_days = '30' ++ f.config.cert_expiration_days = str(CERT_EXPIRATION_DAYS) + self.results = capture_results(f) + + assert len(self.results) == 2 +-- +2.31.1 + diff --git a/SOURCES/0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch b/SOURCES/0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch new file mode 100644 index 0000000..3ada438 --- /dev/null +++ b/SOURCES/0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch @@ -0,0 +1,25 @@ +From bfcf6c0ebe7522cdc7e0c4e3aee695752ea3f489 Mon Sep 17 00:00:00 2001 +From: root +Date: Thu, 7 Oct 2021 18:14:03 -0400 +Subject: [PATCH] Fix the number of expected results in the fix file test + +--- + tests/test_core_files.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_core_files.py b/tests/test_core_files.py +index a4f25ac..8257f40 100644 +--- a/tests/test_core_files.py ++++ b/tests/test_core_files.py +@@ -118,7 +118,7 @@ def test_files_not_found(mock_exists): + + for type in ('mode', 'group', 'owner'): + my_results = get_results(results, type) +- assert len(my_results.results) == 4 ++ assert len(my_results.results) == 2 + for result in my_results.results: + assert result.result == constants.SUCCESS + assert result.kw.get('msg') == 'File does not exist' +-- +2.27.0 + diff --git a/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch b/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch new file mode 100644 index 0000000..8947d73 --- /dev/null +++ b/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch @@ -0,0 +1,54 @@ +From a63d5ac05157e689e99494661240d43d131c0e91 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 11 May 2021 13:19:41 -0400 +Subject: [PATCH] Don't collect the CRLManager role if the CA is not configured + +This was raising a false positive in the IPA CA-less case. + +https://github.com/freeipa/freeipa-healthcheck/issues/201 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/ipa/roles.py | 2 ++ + tests/test_ipa_roles.py | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/src/ipahealthcheck/ipa/roles.py b/src/ipahealthcheck/ipa/roles.py +index 0ff2269..aac7b80 100644 +--- a/src/ipahealthcheck/ipa/roles.py ++++ b/src/ipahealthcheck/ipa/roles.py +@@ -25,6 +25,8 @@ class IPACRLManagerCheck(IPAPlugin): + """ + @duration + def check(self): ++ if not self.ca.is_configured(): ++ return + try: + enabled = self.ca.is_crlgen_enabled() + except AttributeError: +diff --git a/tests/test_ipa_roles.py b/tests/test_ipa_roles.py +index 21c0069..7c4a2d1 100644 +--- a/tests/test_ipa_roles.py ++++ b/tests/test_ipa_roles.py +@@ -48,6 +48,18 @@ class TestCRLManagerRole(BaseTest): + assert result.check == 'IPACRLManagerCheck' + assert result.kw.get('crlgen_enabled') is True + ++ @patch('ipaserver.install.cainstance.CAInstance') ++ def test_crlmanager_no_ca(self, mock_ca): ++ """There should be no CRLManagerCheck without a CA""" ++ mock_ca.return_value = CAInstance(False) ++ framework = object() ++ registry.initialize(framework, config.Config) ++ f = IPACRLManagerCheck(registry) ++ ++ self.results = capture_results(f) ++ ++ assert len(self.results) == 0 ++ + + class TestRenewalMaster(BaseTest): + def test_renewal_master_not_set(self): +-- +2.31.1 + diff --git a/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch b/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch new file mode 100644 index 0000000..df29ffb --- /dev/null +++ b/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch @@ -0,0 +1,71 @@ +From 62c14dbff5a947b50194df197de9f7052597ffb4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 17 Feb 2022 08:56:38 -0500 +Subject: [PATCH] Don't depend on IPA status when suppressing pki checks + +The pki healthchecks are noisy if a CA is not configured. We +want to suppresse these in IPA so don't make the checks visible +if a CA is not configured. + +So this means we need to be able to run in these conditions: + +1. IPA is configured with a CA: the pki checks are run +2. IPA is configured without a CA: the pki checks are not run +3. IPA is not configured: the pki checks are run + +Which basically equates to three states: True, False, None + +This was done originally with the ca_configured variable set to +None. Using some inside knowledge the registries are loaded which +will set ca_configured to True or False in the IPA registry. +Using that we can determine if the pki checks should be available. +Unfortunately I changed the initialization to False so it always +assumes that IPA is installed. ca_configured will be False for the +case of IPA not installed instead of None so we can't handle that +last state. + +So initialize ca_configured to None so we can satisfy all three +states. + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/core/core.py | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py +index a6b4fe8..19f7818 100644 +--- a/src/ipahealthcheck/core/core.py ++++ b/src/ipahealthcheck/core/core.py +@@ -281,13 +281,23 @@ class RunChecks: + if rval is not None: + return rval + ++ # The pki checks are noisy if a CA is not configured so we ++ # want to suppress that for IPA. ++ # ++ # There are 3 possible states: ++ # 1. IPA is configured with a CA ++ # 2. IPA is configured without a CA ++ # 3. IPA is not configured ++ # + # If we have IPA configured without a CA then we want to skip +- # the pkihealthcheck plugins otherwise they will generated a +- # lot of false positives. The IPA plugins are loaded first so +- # which should set ca_configured in its registry to True or +- # False. We will skip the pkihealthcheck plugins only if +- # ca_configured is False which means that it was set by IPA. +- ca_configured = False ++ # the pkihealthcheck plugins ++ # ++ # The IPA registry will set ca_configured in its registry to True ++ # or False. We will skip the pkihealthcheck plugins only if ++ # ca_configured is False which means that it was set by IPA. So ++ # we initialize ca_configured to None so that the pki checks ++ # will always be executed with pki-healthcheck. ++ ca_configured = None + for name, registry in find_registries(self.entry_points).items(): + try: + registry.initialize(framework, config, options) +-- +2.31.1 + diff --git a/SPECS/ipa-healthcheck.spec b/SPECS/ipa-healthcheck.spec index 61b0817..baa4912 100644 --- a/SPECS/ipa-healthcheck.spec +++ b/SPECS/ipa-healthcheck.spec @@ -8,7 +8,7 @@ Name: ipa-healthcheck Version: 0.7 -Release: 6%{?dist} +Release: 10%{?dist} Summary: Health check tool for IdM BuildArch: noarch License: GPLv3 @@ -27,6 +27,13 @@ Patch0009: 0009-Add-checks-to-detect-mismatch-of-certificates.patch Patch0010: 0010-Add-tests-for-certificate-mismatch-detection.patch Patch0011: 0011-Add-log-files-to-the-set-of-files-checked-for-owner-.patch Patch0012: 0012-Handle-files-that-don-t-exist-in-FileCheck.patch +Patch0013: 0013-Add-service-check-dependencies.patch +Patch0014: 0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch +Patch0015: 0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch +Patch0016: 0016-tests-Generate-a-proper-not-valid-after-field.patch +Patch0017: 0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch +Patch0018: 0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch +Patch0019: 0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch Requires: %{name}-core = %{version}-%{release} Requires: ipa-server @@ -130,6 +137,24 @@ install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{long %changelog +* Thu Feb 17 2022 Rob Crittenden - 0.7-10 +- Don't depend on IPA status when suppressing pki checks (#2055316) + +* Mon Jan 17 2022 Rob Crittenden - 0.7-9 +- Don't assume the entry_point order when determining if there is a + CA installed (#2041995) + +* Thu Jan 06 2022 Rob Crittenden - 0.7-8 +- Suppress the CRLManager check false positive when a CA is not + configured (#1983060) +- Fix the backport of the pki.server.healthcheck suppression (#1983060) + +* Thu Oct 07 2021 Rob Crittenden - 0.7-7 +- ipa-healthcheck command takes some extra time to complete when dirsrv + instance is stopped (#1776687) +- ipa-healthcheck complains about pki.server.healthcheck errors even CA + is not configured on the replica (#1983060) + * Mon Jun 14 2021 Rob Crittenden - 0.7-6 - Fix patch fuzz issues, apply add'l upstream for log files (#1780020)