This patch fixes https://fedorahosted.org/freeipa/ticket/5506 and also reorganizes the way the CA installer updates IPA's default.conf.

Maybe a simpler patch would suffice, but I felt the need to improve things a bit.

This one is for master branch only. IIRC the situation described in #5506 does not occur in domain level 0, however the root cause (incorrect forwarding of certmonger requests by CA-less replicas) manifests when enrolling a client against CA-less replica and requesting host certificate.

Should I open a separate ticket for that?

--
Martin^3 Babinsky
From c67a6c03a4f2ed82aea7e0da03c9e2270eea2d42 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
 IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506
---
 ipaserver/install/ca.py                    | 16 ----------------
 ipaserver/install/cainstance.py            | 19 ++++++++++++++++++-
 ipaserver/install/server/replicainstall.py |  7 +++++++
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index fcead1891583c2e495951fbeb733e6eec3b07ccf..1a51ebc8cf994eae70323ee0642bebd746080de2 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -7,8 +7,6 @@ from __future__ import print_function
 import sys
 import os.path
 
-from six.moves.configparser import RawConfigParser
-
 from ipaserver.install import cainstance, dsinstance, bindinstance
 from ipapython import ipautil, certdb
 from ipaplatform import services
@@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
     if standalone:
         ca.start('pki-tomcat')
 
-        # Update config file
-        try:
-            parser = RawConfigParser()
-            parser.read(paths.IPA_DEFAULT_CONF)
-            parser.set('global', 'enable_ra', 'True')
-            parser.set('global', 'ra_plugin', 'dogtag')
-            parser.set('global', 'dogtag_version', '10')
-            with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-                parser.write(f)
-        except IOError as e:
-            print("Failed to update /etc/ipa/default.conf")
-            root_logger.error(str(e))
-            sys.exit(1)
-
         # We need to restart apache as we drop a new config file in there
         services.knownservices.httpd.restart(capture_output=True)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 65f9e463d39ca1ecf4c42ca22620cf1f2de06880..2ca718a7b6799b7daf825918517a54852746a84f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,7 +41,7 @@ import shlex
 import pipes
 
 from six.moves import urllib
-from six.moves.configparser import ConfigParser
+from six.moves.configparser import ConfigParser, RawConfigParser
 
 from ipalib import api
 from ipalib import pkcs10, x509
@@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
             self.step("importing IPA certificate profiles",
                       import_included_profiles)
             self.step("adding default CA ACL", ensure_default_caacl)
+            self.step("updating IPA configuration", update_ipa_conf)
 
         self.start_creation(runtime=210)
 
@@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
                   self.track_servercert)
         self.step("Configure HTTP to proxy connections",
                   self.http_proxy)
+        self.step("updating IPA configuration", update_ipa_conf)
         self.step("Restart HTTP server to pick up changes",
                   self.__restart_http_instance)
 
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
         api.Backend.ldap2.disconnect()
 
 
+def update_ipa_conf():
+    """
+    Update IPA configuration file to ensure that RA plugins are enabled and
+    that CA host points to localhost
+    """
+    parser = RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version', '10')
+    parser.remove_option('global', 'ca_host')
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
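Review bot: `update_ipa_conf` has no error handling, whereas the block it replaces in ca.py's install_step_1 (deleted in this patch) caught IOError, logged it and exited; here `parser.read` returns silently when default.conf cannot be opened, the following `parser.set('global', ...)` then raises NoSectionError, and a failed open for writing raises IOError, so whether a broken config surfaces as a clear message now depends on how `start_creation` reports a failing step, which is outside this hunk. I would either check the read result, `if not parser.read(paths.IPA_DEFAULT_CONF): raise RuntimeError("cannot read %s" % paths.IPA_DEFAULT_CONF)`, or state the reliance on the step runner in the docstring. The docstring also says the CA host "points to localhost", but the code removes `ca_host`; per the commit message the intent is that requests are handled by the freshly installed local CA rather than forwarded, so `Remove ca_host so that certificate requests are no longer forwarded to another CA master` describes what the code does. Note that rewriting the file with `open(..., 'w')` is not atomic, as in the code it replaces, so a crash mid-write leaves a truncated default.conf.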
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ec77ab21b1e4969bdcd8d9e588eed7b97e3a9079..d2b03431ee68c41b750fac33c3cf954d4bb5892e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -483,6 +483,9 @@ def install_check(installer):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=10\n")
+
+            if not config.setup_ca:
+                fd.write("ca_host={0}\n".format(config.master_host_name))
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
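Review bot: The new `ca_host` line uses `config.master_host_name`, while the equivalent addition in the promote hunk (lines 134-135) uses `config.ca_host_name`; if the master a domain-level-0 replica file is prepared from can itself be CA-less, `ca_host` would point at a host that cannot serve certificate requests, which is the forwarding problem the commit sets out to fix. If `ca_host_name` is populated in this path too, `fd.write("ca_host={0}\n".format(config.ca_host_name))` would keep the two installers consistent; otherwise a short comment explaining why `master_host_name` is the correct choice here would help the next reader. install_check's body continues outside the hunk.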
@@ -1174,6 +1177,10 @@ def promote(installer):
             ipaconf.setOption('enable_ra', 'True'),
             ipaconf.setOption('ra_plugin', 'dogtag'),
             ipaconf.setOption('dogtag_version', '10')]
+
+        if not options.setup_ca:
+            gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
+
         opts = [ipaconf.setSection('global', gopts)]
 
         ipaconf.changeConf(target_fname, opts)
-- 
2.5.0
