https://fedorahosted.org/freeipa/ticket/4569 -- David Kupka
From a1363fa49a35115cfa15d51d7ae5c298828efc37 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Tue, 30 Sep 2014 08:41:49 -0400 Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 --- install/restart_scripts/renew_ca_cert | 31 +++++----- install/tools/ipa-upgradeconfig | 15 +++-- ipaserver/install/cainstance.py | 108 ++++++++++++++++++---------- 3 files changed, 84 insertions(+), 70 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad2038703a74fe3549708549091633b35695907..e14e699bf57c631238a342ba19a3a1d483574bbb 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -104,20 +104,23 @@ def main():
 cfg_path, 'subsystem.select', '=')
 if config == 'New':
 syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
- if x509.is_self_signed(cert, x509.DER):
- installutils.set_directive(
- cfg_path, 'hierarchy.select', 'Root',
- quotes=False, separator='=')
- installutils.set_directive(
- cfg_path, 'subsystem.count', '1',
- quotes=False, separator='=')
- else:
- installutils.set_directive(
- cfg_path, 'hierarchy.select', 'Subordinate',
- quotes=False, separator='=')
- installutils.set_directive(
- cfg_path, 'subsystem.count', '0',
- quotes=False, separator='=')
+ with installutils.stopped_service(
+ configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ if x509.is_self_signed(cert, x509.DER):
+ installutils.set_directive(
+ cfg_path, 'hierarchy.select', 'Root',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ cfg_path, 'subsystem.count', '1',
+ quotes=False, separator='=')
+ else:
+ installutils.set_directive(
+ cfg_path, 'hierarchy.select', 'Subordinate',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ cfg_path, 'subsystem.count', '0',
+ quotes=False, separator='=')
 else:
 syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
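Review bot: The new `with installutils.stopped_service(...)` block introduces a stop/start cycle of the CA in the middle of main(); if the remainder of the script (outside this hunk) already restarts dogtag after the certificate has been updated, the CA now goes down twice during a single certmonger-driven renewal, so it is worth confirming that the later restart is still needed or folding this edit into that window. Whether stopped_service leaves dogtag stopped when it was not running beforehand, and whether it brings it back when set_directive raises inside the block, is not visible here and decides what a failed renewal leaves behind; a comment on the block stating the expectation would help, e.g. `# CS.cfg must only be edited with dogtag stopped (ticket 4569); stopped_service is expected to bring it back on exit, including on exception -- confirm`. This also assumes `configured_constants` is bound earlier in the script, as it is in ipa-upgradeconfig; it appears only on added lines here. main() starts and ends outside the hunk.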
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
 if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \
 os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ with installutils.stopped_service(
+ configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
 ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
 root_logger.debug('Proxy configuration updated')
 else:
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca):
 root_logger.error('Cannot move CRL file to new directory: %s', e)
 try:
- installutils.set_directive(caconfig.CS_CFG_PATH,
- 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
- publishdir, quotes=False, separator='=')
+ with installutils.stopped_service(caconfig.SERVICE_NAME,
+ caconfig.PKI_INSTANCE_NAME):
+ installutils.set_directive(caconfig.CS_CFG_PATH,
+ 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+ publishdir, quotes=False, separator='=')
 except OSError, e:
 root_logger.error('Cannot update CA configuration file "%s": %s', caconfig.CS_CFG_PATH, e)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 521f25d96693efe64b5859901bb3da9da79ee0ec..2793b407a88f0b5b6592f79a7b6279d2fa41a787 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
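Review bot: The continuation line `,'-pki_instance_name=pki-ca','-subsystem_type=ca'])` in the upgrade_pki hunk is unchanged context, so now that the opening `ipautil.run([paths.PKI_SETUP_PROXY, ...` has moved one level deeper into the `with` block, the continuation sits at a shallower indent than the bracket it belongs to; it is legal inside brackets but reads as if it were outside the block and should be re-indented with it. In the same block the service that is stopped is named by `configured_constants.PKI_INSTANCE_NAME` while the proxy setup is handed the literal `pki-ca`; if those two ever differ, the instance taken down is not the one being reconfigured, so either `'-pki_instance_name=' + configured_constants.PKI_INSTANCE_NAME` or a comment explaining why the literal is correct on this path would tie them together. upgrade_pki continues outside the hunk.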
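Review bot: In the migrate_crl_publish_dir hunk the existing `except OSError, e:` that logs `Cannot update CA configuration file` now also covers the stop and restart of dogtag done by `installutils.stopped_service`, so an OSError raised while stopping or restarting the service is reported as a configuration-file write failure, and any non-OSError raised by the stop/start escapes the handler altogether; the handler was written with only the single set_directive call in mind. Either keep the `try` tight around the set_directive call inside the `with` body, as the upgrade_pki hunk above does by not wrapping the stop/start at all, or widen the message so an operator reading the log is not sent to the wrong place, e.g. `'Cannot update CA configuration file "%s" (dogtag stop/start or write failed): %s'`. The enclosing migrate_crl_publish_dir begins outside the hunk.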
@@ -828,15 +828,17 @@ class CAInstance(service.Service):
 root_logger.warning("Failed to backup CS.cfg: %s", e)
 def __disable_nonce(self):
- # Turn off Nonces
- update_result = installutils.update_file(
- self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
- 'ca.enableNonces=false')
- if update_result != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(PKI_USER)
- os.chown(self.dogtag_constants.CS_CFG_PATH,
- pent.pw_uid, pent.pw_gid)
+ with stopped_service(self.dogtag_constants.SERVICE_NAME,
+ self.dogtag_constants.PKI_INSTANCE_NAME):
+ # Turn off Nonces
+ update_result = installutils.update_file(
+ self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
+ 'ca.enableNonces=false')
+ if update_result != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown(self.dogtag_constants.CS_CFG_PATH,
+ pent.pw_uid, pent.pw_gid)
 def enable_pkix(self):
 installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
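Review bot: __disable_nonce still has no docstring, and with the new `with stopped_service(...)` wrapper the method has a side effect its name does not suggest — it stops and restarts the CA around a one-line edit of CS.cfg; a docstring such as `"""Set ca.enableNonces=false in CS.cfg with dogtag stopped, then restore PKI_USER ownership of the file."""` would make that visible to callers. The `raise RuntimeError("Disabling nonces failed")` now fires inside the context manager, so whether dogtag is brought back before the error reaches the caller depends on stopped_service's exit handling, which cannot be seen here; once confirmed, the behaviour on failure belongs in the same docstring. The enclosing CAInstance class continues outside the hunk.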
@@ -1267,48 +1269,50 @@ class CAInstance(service.Service):
 publishdir = self.prepare_crl_publish_dir()
- # Enable file publishing, disable LDAP
- installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
+ with stopped_service(self.dogtag_constants.SERVICE_NAME,
+ self.dogtag_constants.PKI_INSTANCE_NAME):
+ # Enable file publishing, disable LDAP
+ installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
- # Create the file publisher, der only, not b64
- installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
- installutils.set_directive(caconfig, 
'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
+ # Create the file publisher, der only, not b64
+ installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
- # The publishing rule
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 
'NoMap', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
+ # The publishing rule
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
- # Now disable LDAP publishing
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+ # Now disable LDAP publishing
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', 
quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
- # If we are the initial master then we are the CRL generator, otherwise
- # we point to that master for CRLs.
- if not self.clone:
- # These next two are defaults, but I want to be explicit that the
- # initial master is the CRL generator.
- installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
- else:
- installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
- installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
+ # If we are the initial master then we are the CRL generator, otherwise
+ # we point to that master for CRLs.
+ if not self.clone:
+ # These next two are defaults, but I want to be explicit that the
+ # initial master is the CRL generator. 
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
+ else:
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
 def __set_subject_in_config(self):
 # dogtag ships with an IPA-specific profile that forces a subject
@@ -1863,13 +1867,13 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
+ try:
+ backup_config(dogtag_constants)
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
+
 with stopped_service(dogtag_constants.SERVICE_NAME, instance_name=dogtag_constants.PKI_INSTANCE_NAME):
- try:
- backup_config(dogtag_constants)
- except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
-
 installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, directives[nickname], base64.b64encode(cert),
-- 1.9.3
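Review bot: The body of the new `with stopped_service(...)` block in the publishing hunk is some two dozen near-identical `installutils.set_directive(caconfig, key, value, quotes=False, separator='=')` lines, which is why the hunk is almost entirely re-indentation; a table of `(key, value)` pairs walked by a single loop would make the next wrapper change a three-line diff and turn the initial-master/clone branch into a single value choice. The one call that differs, the `FileCrlRule.predicate=` entry written with `separator=''` so that the value is empty, has to stay a separate call and deserves a comment saying so. The keys and values below are the same as in the hunk; only the order in which set_directive appends keys that are not yet present in CS.cfg changes, which is harmless if set_directive treats each key independently (presumably so, but verify against its implementation). The enclosing method starts outside the hunk.
```python
        with stopped_service(self.dogtag_constants.SERVICE_NAME,
                             self.dogtag_constants.PKI_INSTANCE_NAME):
            publisher = 'ca.publish.publisher.instance.FileBaseCRLPublisher.'
            rule = 'ca.publish.rule.instance.FileCrlRule.'
            directives = [
                # Enable file publishing, disable LDAP
                ('ca.publish.enable', 'true'),
                ('ca.publish.ldappublish.enable', 'false'),
                # Create the file publisher, der only, not b64
                ('ca.publish.publisher.impl.FileBasedPublisher.class',
                 'com.netscape.cms.publish.publishers.FileBasedPublisher'),
                (publisher + 'crlLinkExt', 'bin'),
                (publisher + 'directory', publishdir),
                (publisher + 'latestCrlLink', 'true'),
                (publisher + 'pluginName', 'FileBasedPublisher'),
                (publisher + 'timeStamp', 'LocalTime'),
                (publisher + 'zipCRLs', 'false'),
                (publisher + 'zipLevel', '9'),
                (publisher + 'Filename.b64', 'false'),
                (publisher + 'Filename.der', 'true'),
                # The publishing rule
                (rule + 'enable', 'true'),
                (rule + 'mapper', 'NoMap'),
                (rule + 'pluginName', 'Rule'),
                (rule + 'publisher', 'FileBaseCRLPublisher'),
                (rule + 'type', 'crl'),
                # Now disable LDAP publishing
                ('ca.publish.rule.instance.LdapCaCertRule.enable', 'false'),
                ('ca.publish.rule.instance.LdapCrlRule.enable', 'false'),
                ('ca.publish.rule.instance.LdapUserCertRule.enable', 'false'),
                ('ca.publish.rule.instance.LdapXCertRule.enable', 'false'),
            ]
            # The initial master is the CRL generator (these are the defaults,
            # but be explicit); clones point to that master for CRLs.
            crl_master = 'false' if self.clone else 'true'
            directives += [
                ('ca.crl.MasterCRL.enableCRLCache', crl_master),
                ('ca.crl.MasterCRL.enableCRLUpdates', crl_master),
                ('ca.listenToCloneModifications', crl_master),
            ]
            for key, value in directives:
                installutils.set_directive(caconfig, key, value,
                                           quotes=False, separator='=')
            # The predicate is intentionally empty, so the '=' is written as
            # part of the key and no separator is added.
            installutils.set_directive(caconfig, rule + 'predicate=', '',
                                       quotes=False, separator='')
```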
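Review bot: In the update_cert_config hunk `backup_config(dogtag_constants)` is moved out of the `with stopped_service(...)` block, so the backup is now taken while dogtag is still running; if the corruption this patch guards against is dogtag rewriting CS.cfg as it shuts down, the file that was backed up and the file that is then edited can differ, and the backup is no longer a faithful pre-change copy. Unless there is a reason the backup must precede the stop (for instance backup_config needing the running service), moving the `try`/`except` back inside the `with` body, ahead of the set_directive call, keeps the backup and the edit on the same on-disk state. If the move is deliberate, a comment on the `try` saying why would save the next reader the same question. update_cert_config continues outside the hunk.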