diff --git a/.gitignore b/.gitignore
index f3ea5d2..0701480 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,5 @@
 /freeipa-4.5.3.tar.gz.asc
 /freeipa-4.6.0.tar.gz
 /freeipa-4.6.0.tar.gz.asc
+/freeipa-4.6.1.tar.gz
+/freeipa-4.6.1.tar.gz.asc
diff --git a/1044.patch b/1044.patch
deleted file mode 100644
index b60944c..0000000
--- a/1044.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 8c242fd2cf2bbe14a4aae5d31d1f945901c72afb Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka <pvomacka@redhat.com>
-Date: Wed, 6 Sep 2017 15:19:58 +0200
-Subject: [PATCH 1/2] WebUI: remove unused parameter from get_whoami_command
-
-The batch param is not used anywhere therefore we can remove it.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 2538001c94..3920b8eb0a 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -191,7 +191,7 @@ var IPA = function () {
-             }
-         }));
- 
--        batch.add_command(that.get_whoami_command(true));
-+        batch.add_command(that.get_whoami_command());
- 
-         batch.add_command(rpc.command({
-             method: 'env',
-@@ -259,10 +259,8 @@ var IPA = function () {
-     /**
-      * Prepares `user-find --whoami` command
-      * @protected
--     * @param {boolean} batch - Specifies if it will be used as single command or
--     *                          in a batch.
-      */
--    that.get_whoami_command = function(batch) {
-+    that.get_whoami_command = function() {
-         return rpc.command({
-             method: 'whoami',
-             on_success: function(data, text_status, xhr) {
-
-From df34476d8bd7ac2de93588b4169e996605c85fe3 Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka <pvomacka@redhat.com>
-Date: Wed, 6 Sep 2017 15:20:07 +0200
-Subject: [PATCH 2/2] WebUI: Fix calling undefined method during reset
- passwords
-
-When calling reset password the whoami command is not called in batch
-command, therefore the result is different then in calling
-during reset password operation. That needs to be handled to properly
-set entity_show method which needs to be called after to gather
-data about logged in entity.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 3920b8eb0a..138ca031b8 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -264,18 +264,19 @@ var IPA = function () {
-         return rpc.command({
-             method: 'whoami',
-             on_success: function(data, text_status, xhr) {
--                that.whoami.metadata = data;
-+                that.whoami.metadata = data.result || data;
-+                var wa_data = that.whoami.metadata;
- 
-                 rpc.command({
--                    method: data.details || data.command,
--                    args: data.arguments,
-+                    method: wa_data.details || wa_data.command,
-+                    args: wa_data.arguments,
-                     options: function() {
--                        var options = data.options || [];
-+                        var options = wa_data.options || [];
-                         $.extend(options, {all: true});
-                         return options;
-                     }(),
-                     on_success: function(data, text_status, xhr) {
--                        that.whoami.data = false ? data.result[0] : data.result.result;
-+                        that.whoami.data = data.result.result;
-                         var entity = that.whoami.metadata.object;
- 
-                         if (entity === 'user') {
diff --git a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch b/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
deleted file mode 100644
index 677647a..0000000
--- a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 473ddbdb66e563d93a30ac51b1ac559adbd18190 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sep 13 2017 14:53:32 +0000
-Subject: dsinstance: Restore context after changing dse.ldif
-
-
-Fixes https://pagure.io/freeipa/issue/7150
-
-Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-
----
-
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index d823635..3eeb7f7 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -596,6 +596,7 @@ class DsInstance(service.Service):
-                 parser.parse()
-             new_dse_ldif.flush()
-         shutil.copy2(temp_filename, dse_filename)
-+        tasks.restore_context(dse_filename)
-         try:
-             os.remove(temp_filename)
-         except OSError as e:
-
diff --git a/ba4386599331cf81d222687d658f5ce54e923478.patch b/ba4386599331cf81d222687d658f5ce54e923478.patch
deleted file mode 100644
index 5960451..0000000
--- a/ba4386599331cf81d222687d658f5ce54e923478.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From ba4386599331cf81d222687d658f5ce54e923478 Mon Sep 17 00:00:00 2001
-From: Stanislav Laznicka <slaznick@redhat.com>
-Date: Sep 13 2017 10:41:36 +0000
-Subject: client: fix retrieving certs from HTTP
-
-
-We're applying bytes regex on the result of a command but were
-using decoded stdout instead of raw.
-
-https://pagure.io/freeipa/issue/7131
-
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-
----
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index e971aea..8d70519 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -1615,7 +1615,7 @@ def get_ca_certs_from_http(url, warn=True):
-         result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True)
-     except CalledProcessError:
-         raise errors.NoCertificateError(entry=url)
--    stdout = result.output
-+    stdout = result.raw_output
- 
-     try:
-         certs = x509.load_certificate_list(stdout)
-
diff --git a/freeipa.spec b/freeipa.spec
index d0fe758..497a896 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -39,8 +39,8 @@
 %global krb5_version 1.15.1-4
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.5-8
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 4.7.0
 %global samba_build_version %{samba_version}
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
@@ -49,8 +49,8 @@
 %global krb5_version 1.15.1-7
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 2:4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 2:4.7.0
 %global samba_build_version 2:4.2.1
 %global selinux_policy_version 3.13.1-158.4
 %global slapi_nis_version 0.56.1
@@ -62,13 +62,13 @@
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
 
-%global VERSION 4.6.0
+%global VERSION 4.6.1
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        3%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -79,19 +79,6 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.as
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
-# Fix issue with password change in web UI:
-# https://github.com/freeipa/freeipa/pull/1044
-# https://bugzilla.redhat.com/show_bug.cgi?id=1488640
-Patch0002:      1044.patch
-# Restore context after changing dse.ldif in ipa-server-install
-# https://github.com/freeipa/freeipa/pull/1062
-# https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190
-Patch0003:      473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
-# Fix issue with CA cert retrieval via HTTP (kickstart client enrolment):
-# https://github.com/freeipa/freeipa/pull/1071
-# https://pagure.io/freeipa/c/ba4386599331cf81d222687d658f5ce54e923478
-# https://bugzilla.redhat.com/show_bug.cgi?id=1491056
-Patch0004:      ba4386599331cf81d222687d658f5ce54e923478.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -186,7 +173,7 @@ BuildRequires:  python-gssapi >= 1.2.0-5
 %if 0%{?fedora} >= 26
 BuildRequires:  python2-pylint
 %else
-BuildRequires:  pylint >= 1.6
+BuildRequires:  pylint >= 1.7
 %endif
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python2-polib
@@ -220,12 +207,11 @@ BuildRequires:  python2-jinja2
 BuildRequires:  python2-augeas
 
 %if 0%{?with_python3}
-# FIXME: this depedency is missing - server will not work
-#BuildRequires:  python3-samba
+BuildRequires:  python3-samba
 # 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
 BuildRequires:  python3-cryptography >= 1.6
 BuildRequires:  python3-gssapi >= 1.2.0
-BuildRequires:  python3-pylint >= 1.6
+BuildRequires:  python3-pylint >= 1.7
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python3-polib
 BuildRequires:  python3-libipa_hbac
@@ -387,7 +373,7 @@ Requires: python-ldap >= 2.4.15
 Requires: python2-lxml
 Requires: python-gssapi >= 1.2.0-5
 Requires: python2-sssdconfig
-Requires: python2-pyasn1
+Requires: python2-pyasn1 >= 0.3.2-2
 Requires: dbus-python
 Requires: python2-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
@@ -420,7 +406,7 @@ Requires(pre): python3-pyldap >= 2.4.35.1-2
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
-Requires: python3-pyasn1
+Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
@@ -494,12 +480,21 @@ Summary: Virtual package to install packages required for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
-Requires: samba-python
+
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
-Requires: python-libsss_nss_idmap
-Requires: python-sss
+
+%if 0%{?with_python3}
+Requires: python3-samba
+Requires: python3-libsss_nss_idmap
+Requires: python3-sss
+%else
+Requires: python2-samba
+Requires: python2-libsss_nss_idmap
+Requires: python2-sss
+%endif  # with_python3
+
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
 # IPA AD trusts cannot be used at the same time with the locator plugin
@@ -699,8 +694,8 @@ Requires: python2-cryptography >= 1.6
 Requires: python-netaddr >= %{python_netaddr_version}
 Requires: python2-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
-Requires: python2-pyasn1
-Requires: python2-pyasn1-modules
+Requires: python2-pyasn1 >= 0.3.2-2
+Requires: python2-pyasn1-modules >= 0.3.2-2
 Requires: python2-dateutil
 Requires: python2-yubico >= 1.2.3
 Requires: python2-sss-murmur
@@ -748,8 +743,8 @@ Requires: python3-cryptography >= 1.6
 Requires: python3-netaddr >= %{python_netaddr_version}
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
-Requires: python3-pyasn1
-Requires: python3-pyasn1-modules
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-dateutil
 # fixes searching for yubikeys in python3
 Requires: python3-yubico >= 1.3.2-7
@@ -1104,9 +1099,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
 
@@ -1444,10 +1437,7 @@ fi
 %{_usr}/share/ipa/profiles/README
 %{_usr}/share/ipa/profiles/*.cfg
 %dir %{_usr}/share/ipa/html
-%{_usr}/share/ipa/html/ffconfig.js
-%{_usr}/share/ipa/html/ffconfig_page.js
 %{_usr}/share/ipa/html/ssbrowser.html
-%{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -1479,11 +1469,8 @@ fi
 %{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
 %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
-%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
@@ -1494,9 +1481,7 @@ fi
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
 %dir %{_usr}/share/ipa/updates/
@@ -1504,7 +1489,7 @@ fi
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
-%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
@@ -1726,6 +1711,10 @@ fi
 %endif # with_ipatests
 
 %changelog
+* Fri Sep 22 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-1
+- Fixes #1491053  Firefox reports insecure TLS configuration when visiting
+  FreeIPA web UI after standard server deployment
+
 * Wed Sep 13 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-3
 - Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context
 - Fixes #1491056 FreeIPA enrolment via kickstart fails
diff --git a/sources b/sources
index 12d99c5..5f513d1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.0.tar.gz) = 4719fb821b74b76b8159cf9866c386a265e7d821cec70f008c9cf4ad9df9ee9362ca058a59a323e1151660a29938c9c6eb928b922a355bdc49c8b72f33a5dd8f
-SHA512 (freeipa-4.6.0.tar.gz.asc) = 4bf540a36a8c667d1b130bfe6de54eed8d7fdc860089762c91f823af878af1e53acd2032f6fd1518c76e56ac39ca740875c85e81cf4bd41919498ce15333b26e
+SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
+SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245