author | Petr Viktorin <pviktori@redhat.com> | 2012-10-31 10:37:33 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-11-23 12:19:19 +0100 |
commit | d1574136754ff7e2190b0cf9a99b211c1bfededa (patch) | |
tree | 0fe8fbd1d7c1158b8bf3ddde88479850e5aaa176 | |
parent | 1d3ddeff54d91111d7f4f3042a22af76275ef361 (diff) | |
download | freeipa-d1574136754ff7e2190b0cf9a99b211c1bfededa.tar.gz freeipa-d1574136754ff7e2190b0cf9a99b211c1bfededa.tar.xz freeipa-d1574136754ff7e2190b0cf9a99b211c1bfededa.zip |
Use correct Dogtag configuration in get_pin and get_ca_certchain
Some install utilities used Dogtag configuration before Dogtag
was configured. Fix by passing the relevant dogtag_constants
where they're needed.
-rw-r--r-- | ipapython/certmonger.py | 6 | ||||
-rw-r--r-- | ipapython/dogtag.py | 6 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 24 |
3 files changed, 20 insertions, 16 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 22678dadb..f29050ea9 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -353,13 +353,15 @@ def remove_principal_from_cas():
         fp.close()
 
 # Routines specific to renewing dogtag CA certificates
-def get_pin(token):
+def get_pin(token, dogtag_constants=None):
     """
     Dogtag stores its NSS pin in a file formatted as token:PIN.
 
     The caller is expected to handle any exceptions raised.
     """
-    with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+    with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f:
         for line in f:
             (tok, pin) = line.split('=', 1)
             if token == tok:
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 067a66afb..1b428d20e 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -149,15 +149,17 @@ def error_from_xml(doc, message_template):
     return errors.RemoteRetrieveError(reason=message_template % e)
 
 
-def get_ca_certchain(ca_host=None):
+def get_ca_certchain(ca_host=None, dogtag_constants=None):
     """
     Retrieve the CA Certificate chain from the configured Dogtag server.
     """
     if ca_host is None:
         ca_host = api.env.ca_host
+    if dogtag_constants is None:
+        dogtag_constants = configured_constants()
     chain = None
     conn = httplib.HTTPConnection(ca_host,
-        api.env.ca_install_port or configured_constants().UNSECURE_PORT)
+        api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
     conn.request("GET", "/ca/ee/ca/getCertChain")
     res = conn.getresponse()
     doc = None
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9b32623c2..2e4375b84 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
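Review bot: The new `dogtag_constants` parameter is not described in the docstring of `get_pin`, nor in the docstring of `get_ca_certchain` in the ipapython/dogtag.py hunk; both should gain a line such as `dogtag_constants: Dogtag constants to use; defaults to configured_constants()`, since the whole point of the change is that callers during installation must pass it explicitly rather than rely on the default. While touching the `get_pin` docstring, note that it says the file is formatted as `token:PIN` while the loop splits on `'='`; the docstring should match the code. The `get_ca_certchain` docstring would also benefit from stating that the chain is fetched from `ca_host` over a plain `httplib.HTTPConnection` to `UNSECURE_PORT`, so callers know the retrieved chain is not authenticated by the transport. Both function bodies continue beyond their hunks.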
@@ -1091,7 +1091,8 @@ class CAInstance(service.Service):
 
     def __get_ca_chain(self):
         try:
-            return dogtag.get_ca_certchain(ca_host=self.fqdn)
+            return dogtag.get_ca_certchain(ca_host=self.fqdn,
+                dogtag_constants=self.dogtag_constants)
         except Exception, e:
             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
 
@@ -1387,11 +1388,16 @@ class CAInstance(service.Service):
         with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
             fd.write(template)
 
-    def track_servercert(self):
+    def __get_ca_pin(self):
         try:
-            pin = certmonger.get_pin('internal')
+            return certmonger.get_pin('internal',
+                dogtag_constants=self.dogtag_constants)
         except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+            raise RuntimeError(
+                'Unable to determine PIN for CA instance: %s' % str(e))
+
+    def track_servercert(self):
+        pin = self.__get_ca_pin()
         certmonger.dogtag_start_tracking(
             'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
             self.dogtag_constants.ALIAS_DIR,
@@ -1403,10 +1409,7 @@ class CAInstance(service.Service):
         ipaservices.knownservices.messagebus.start()
         cmonger.start()
 
-        try:
-            pin = certmonger.get_pin('internal')
-        except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        pin = self.__get_ca_pin()
 
         # Server-Cert cert-pki-ca is renewed per-server
         for nickname in ['auditSigningCert cert-pki-ca',
@@ -1449,10 +1452,7 @@ class CAInstance(service.Service):
         certificate is available. If it is then it gets installed.
         """
 
-        try:
-            pin = certmonger.get_pin('internal')
-        except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        pin = self.__get_ca_pin()
 
         # Server-Cert cert-pki-ca is renewed per-server
         for nickname in ['auditSigningCert cert-pki-ca', |
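Review bot: The new `__get_ca_pin` helper (second hunk) catches only `IOError`, but `certmonger.get_pin` in the certmonger.py hunk does `(tok, pin) = line.split('=', 1)`, which raises `ValueError` on a password.conf line without `=`; now that this helper is the single place wrapping the error for three callers, widen it to `except (IOError, ValueError), e:` so a malformed file also surfaces as the RuntimeError with context. It is also not visible here what `get_pin` returns when the `'internal'` token is absent — presumably `None` — and the callers pass `pin` straight into `certmonger.dogtag_start_tracking`, so an explicit `if pin is None: raise RuntimeError('No PIN for token internal in password file')` in the helper would make that failure explicit rather than deferred to certmonger; please confirm against the rest of `get_pin`. The helper should carry a docstring, e.g. `"""Return the PIN of the CA's 'internal' NSS token, wrapping read errors in RuntimeError."""`. The enclosing `class CAInstance` starts outside these hunks.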