Hi all, The attached patch fixes the OCSP URI in the Dogtag CA and system certificates (https://fedorahosted.org/freeipa/ticket/5956). It depends on a patch[1] for Dogtag which is expected to be released in v10.3.4. In the meantime, you can test with the build of v10.3.4 from my COPR[2].
[1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ Cheers, Fraser
From f1a08357deeeb0012eb1a00f13934f8a0522fc36 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 27 Jun 2016 15:49:30 +1000
Subject: [PATCH] Set default OCSP URI on install and upgrade

Dogtag has been updated to support a default OCSP URI when the profile includes AuthInfoAccess with URI method but does not specify the URI (instead of constructing one based on Dogtag's hostname and port). Add the pkispawn config to ensure that the OCSP URI is set before issuing CA and system certificates, and add the config to existing CA instances on upgrade.

Fixes: https://fedorahosted.org/freeipa/ticket/5956
---
 freeipa.spec.in | 6 +++---
 ipaserver/install/cainstance.py | 3 +++
 ipaserver/install/server/upgrade.py | 23 +++++++++++++++++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c86fc3157920f77e66f38241692c3cf45c637ebb..a4d3c067c6c2c0cf911476d950257170fa74e059 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -94,7 +94,7 @@ BuildRequires: libunistring-devel
 BuildRequires: python-lesscpy
 BuildRequires: python-yubico >= 1.2.3
 BuildRequires: openssl-devel
-BuildRequires: pki-base >= 10.3.3
+BuildRequires: pki-base >= 10.3.4
 BuildRequires: python-pytest-multihost >= 0.5
 BuildRequires: python-pytest-sourceorder
 BuildRequires: python-kdcproxy >= 0.3
@@ -155,8 +155,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= 0.56.0
-Requires: pki-ca >= 10.3.3
-Requires: pki-kra >= 10.3.3
+Requires: pki-ca >= 10.3.4
+Requires: pki-kra >= 10.3.4
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8dfb71528d2dc020e05ccd7ff42199218a1c0839..a575f02677112258b8cf5aed56b33898bb5fd8c0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -463,6 +463,9 @@ class CAInstance(DogtagInstance):
         config.set("CA", "pki_backup_keys", "True")
         config.set("CA", "pki_backup_password", self.admin_password)
         config.set("CA", "pki_profiles_in_ldap", "True")
+        config.set("CA", "pki_default_ocsp_uri",
+            "http://{}.{}/ca/ocsp".format(
+                IPA_CA_RECORD, ipautil.format_netloc(api.env.domain)))
 
         # Client security database
         config.set("CA", "pki_client_database_dir", self.agent_db)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index b4b6243ac19c40f7216a898607d28db52822170f..3955a8cb9faf8e5c3350fc3912ea9f05a4b97719 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -356,6 +356,28 @@ def ca_ensure_lightweight_cas_container(ca):
     return cainstance.ensure_lightweight_cas_container()
 
 
+def ca_add_default_ocsp_uri(ca):
+    root_logger.info('[Adding default OCSP URI configuration]')
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    value = installutils.get_directive(
+        paths.CA_CS_CFG_PATH,
+        'ca.defaultOcspUri',
+        separator='=')
+    if value:
+        return False  # already set; restart not needed
+
+    installutils.set_directive(
+        paths.CA_CS_CFG_PATH,
+        'ca.defaultOcspUri',
+        'http://ipa-ca.%s/ca/ocsp' % ipautil.format_netloc(api.env.domain),
+        quotes=False,
+        separator='=')
+    return True  # restart needed
+
+
 def upgrade_ca_audit_cert_validity(ca):
     """
     Update the Dogtag audit signing certificate.
@@ -1725,6 +1747,7 @@ def upgrade_configuration():
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
         ca_configure_lightweight_ca_acls(ca),
+        ca_add_default_ocsp_uri(ca),
     ])
 
     if ca_restart:
-- 
2.5.5
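Review bot: The OCSP URI host is built from `IPA_CA_RECORD` in this cainstance.py hunk, but the upgrade counterpart `ca_add_default_ocsp_uri` in the upgrade.py hunk of this same patch hard-codes the label as `'http://ipa-ca.%s/ca/ocsp'`, so a fresh install and an upgraded instance can end up advertising different OCSP URIs if the record-name constant ever changes. Derive the string from the same constant in both places, e.g. in upgrade.py `'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(api.env.domain))`, importing `IPA_CA_RECORD` from the module cainstance.py takes it from if that is importable there; better still, expose one helper that returns the URI and call it from both sites. A brief comment on why the scheme is plain HTTP would also save the next reader a question, e.g. `# OCSP responses are signed, so plain HTTP is the conventional transport and avoids a TLS dependency on the very CA being checked`. The enclosing method of CAInstance starts and ends outside this hunk.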
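Review bot: `ca_add_default_ocsp_uri` in the upgrade.py hunk has no docstring even though its boolean return feeds the `ca_restart` decision in `upgrade_configuration` (the later hunk in this file), and the "already set" branch returns silently while the other branches log. Add a docstring along the lines of `"""Set ca.defaultOcspUri in CS.cfg if it is absent; return True when the CA must be restarted."""` and log the skip with `root_logger.info('Default OCSP URI already configured')` so upgrade logs explain why nothing changed. Note that `if value:` treats an existing but empty `ca.defaultOcspUri` as unset and overwrites it; that is probably the intended behaviour, but a one-line comment stating it would make the choice explicit.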