authorRob Crittenden <rcritten@redhat.com>2011-08-01 15:16:24 -0400
committerRob Crittenden <rcritten@redhat.com>2011-08-03 20:38:07 -0400
commit8495af1a50faca496fe2ce425b9b3a7f21ba1ea6 (patch)
treee83ca5078296304004180e54c0845e3b7ff1e637
parenteb0454d45c68d455fff29816caf73b23eeb04dcd (diff)
Re-arrange CA configuration code to reduce the number of restarts.
Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one. https://fedorahosted.org/freeipa/ticket/1555
-rwxr-xr-xinstall/tools/ipa-ca-install3
-rwxr-xr-xinstall/tools/ipa-replica-install3
-rwxr-xr-xinstall/tools/ipa-server-install3
-rw-r--r--ipaserver/install/cainstance.py48
-rw-r--r--ipaserver/install/service.py5
5 files changed, 18 insertions, 44 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index e6adae057..7bbba4b14 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -144,9 +144,6 @@ def main():
cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
cs.add_cert_to_service()
- service.print_msg("Setting the certificate subject base")
- CA.set_subject_in_config(util.realm_to_suffix(config.realm_name))
-
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 6531421ab..f13b51eaf 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -433,9 +433,6 @@ def main():
CA.import_ra_cert(dir + "/ra.p12")
CA.fix_ra_perms()
service.restart("httpd")
- if config.setup_ca:
- service.print_msg("Setting the certificate subject base")
- CA.set_subject_in_config(util.realm_to_suffix(config.realm_name))
# The DS instance is created before the keytab, add the SSL cert we
# generated
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 564d8a88a..98941efe0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -900,9 +900,6 @@ def main():
ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
- if not options.selfsign:
- service.print_msg("Setting the certificate subject base")
- ca.set_subject_in_config(util.realm_to_suffix(realm_name))
# Apply any LDAP updates. Needs to be done after the configuration file
# is created
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d62f232cc..5c6c49e4b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -517,8 +517,8 @@ class CAInstance(service.Service):
self.step("creating certificate server user", self.__create_ca_user)
if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance)
- self.step("restarting certificate server", self.__restart_instance)
self.step("configuring certificate server instance", self.__configure_instance)
+ self.step("disabling nonces", self.__disable_nonce)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
@@ -527,20 +527,18 @@ class CAInstance(service.Service):
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
- if not self.clone:
- self.step("restarting certificate server", self.__restart_instance)
- self.step("requesting RA certificate from CA", self.__request_ra_certificate)
- self.step("issuing RA agent certificate", self.__issue_ra_cert)
- self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("set certificate subject base", self.__set_subject_in_config)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
- # A clone will be restarted in ipa-replica-install
self.step("restarting certificate server", self.__restart_instance)
+ self.step("requesting RA certificate from CA", self.__request_ra_certificate)
+ self.step("issuing RA agent certificate", self.__issue_ra_cert)
+ self.step("adding RA agent as a trusted user", self.__configure_ra)
- self.start_creation("Configuring certificate server", 360)
+ self.start_creation("Configuring certificate server", 210)
def create_instance(self):
"""
@@ -686,34 +684,11 @@ class CAInstance(service.Service):
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
- # Turn off Nonces (again)
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(PKI_USER)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
if ipautil.file_exists("/root/tmp-ca.p12"):
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
- try:
- # After configuration the service is running and configured
- # but must be restarted for configuration to take effect.
- # The service status in this case will be 4.
- self.__restart_instance()
- except ipautil.CalledProcessError, e:
- logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
- raise RuntimeError('Restarting CA after pkisilent configuration failed')
-
- # If the configuration was successful status should now be 0.
- # We don't call is_running() because we want the exit status for debugging.
- try:
- ipautil.run(["/sbin/service", self.service_name, "status", PKI_INSTANCE_NAME])
- except ipautil.CalledProcessError, e:
- logging.critical("ca instance configuration not successful after restart %s" % e)
- raise RuntimeError('CA configuration not successful after restart')
-
logging.debug("completed creating ca instance")
def __restart_instance(self):
@@ -724,6 +699,13 @@ class CAInstance(service.Service):
# TODO: roll back here?
logging.critical("Failed to restart the certificate server. See the installation log for details.")
+ def __disable_nonce(self):
+ # Turn off Nonces
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
(admin_fd, admin_name) = tempfile.mkstemp()
@@ -1060,13 +1042,11 @@ class CAInstance(service.Service):
ipautil.run(["/sbin/restorecon", publishdir])
- def set_subject_in_config(self, suffix):
+ def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
print "Updating subject_base in CA template failed"
- self.print_msg("restarting certificate server")
- self.__restart_instance()
def uninstall(self):
if self.is_configured():
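Review bot: The rationale comment `# A clone will be restarted in ipa-replica-install` is dropped from the `if not self.clone:` block in the step list (hunk @@ -527) while the condition itself stays, so a reader no longer learns why a clone gets no restart here. That matters more after this change, because `__disable_nonce` and `__set_subject_in_config` now only edit CS.cfg and the caIPAserviceCert profile and depend on the single restart at the end to take effect; for a clone that restart happens outside this class, which the comment should state. The verification removed from create_instance (an explicit restart followed by `service ... status`) raised RuntimeError when the CA did not come back, whereas the surviving `__restart_instance` path visible in the next hunk only logs a critical message next to `# TODO: roll back here?`; if it does not re-raise, a CA that fails to start no longer aborts the install, which is worth confirming. I would restore the comment as `# A clone is restarted by ipa-replica-install; the nonce and subject-base config edits above only take effect then` and give `__disable_nonce` a one-line docstring saying it rewrites ca.enableNonces in CS.cfg and restores PKI_USER ownership of that file.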
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index efbb2c933..62db9baf5 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -258,7 +258,10 @@ class Service(object):
if est.tm_min > 0:
if est.tm_min > 1:
plural = 's'
- self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
+ if est.tm_sec > 0:
+ self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec))
+ else:
+ self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
else:
if est.tm_sec > 1:
plural = 's'
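Review bot: The new minutes-and-seconds message `'%s: Estimated time %d minute%s %d seconds'` hard-codes the plural for seconds, so an estimate of two minutes and one second prints "1 seconds", while the seconds-only branch directly below computes its own plural. I would derive a separate suffix and use it in the format: `secs = 's' if est.tm_sec != 1 else ''` followed by `self.print_msg('%s: Estimated time %d minute%s %d second%s' % (message, est.tm_min, plural, est.tm_sec, secs))`. The enclosing method starts before this hunk, so the initial value of `plural` is not visible here; the seconds-only `else` branch is unaffected by the added lines.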