Skip to content

certmgr 2.0.1
Compare
Choose a tag to compare
@ferringb ferringb released this 18 Jul 20:34
v2.0.1
db25a7c

Changes since 2.0.0 are thus:

  • Fix regression for spec's that have an IP as part of the hosts; for certmgr
    2.0.0 would regenerate the spec every interval invalidly. The code now
    properly validates that IP + DNS is the same.

  • PKI content on disk now has permissions verified; if the permissions no longer
    match the spec requires- due to OOB changes or the spec being changed while the
    daemon was down- certmgr will trigger a regeneration of that spec.

    If the permissions don't align with what the spec states, we have no way of
    knowing if the service consuming the PKI was able to access the content- thus
    our only option is to trigger a regeneration.

  • Certmgr no longer tolerates spec's that have non unique pathways for the CA, Cert,
    or Key files. This is broken client side configuration if 2 spec's specify a shared
    path (or if a spec internally specifies the same path for cert and CA).

    For loads, this is treated as broken configuration, and the startup failed. For
    reloads detected via spec mtime changing, if the new spec conflicts with any paths
    known to certmgr, that spec is rejected and the old is continued to be used.

Assets 24
Loading