author | Rob Crittenden <rcritten@redhat.com> | 2010-08-16 17:55:07 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-19 10:50:40 -0400 |
commit | 3e15e6ed6dd0fa6f5606fd77b5104fd067798cde (patch) | |
tree | f094c8b5e7e70c30eccc81b2d9ceb06b25d34574 | |
parent | e466bed5453302ca41e6ab7e85fddbdd35548d2a (diff) | |
Break out install into more steps, add -key_algorithm to pkisilent
Installing dogtag is quite slow and it isn't always clear that things
are working. This breaks out some restart calls into separate steps
to show some amount of progress. There are still some steps that take
more than a minute (pkicreate and pkisilent).
Add new argument to pkisilent, -key_algorithm
Update a bunch of minimum required versions in the spec file.
tickets 139 (time) and 144 (key_algorithm)
-rw-r--r-- | ipa.spec.in | 13 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 29 |
2 files changed, 19 insertions, 23 deletions
diff --git a/ipa.spec.in b/ipa.spec.in
index 74b690e81..3c93aeab1 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -97,7 +97,8 @@ Requires: selinux-policy
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.15
-Requires: pki-ca
+Requires: pki-ca >= 1.3.6
+Requires: pki-silent >= 1.3.4
 Conflicts: mod_ssl
 %description server
@@ -139,8 +140,8 @@ Requires: nss_ldap
 Requires: wget
 Requires: xmlrpc-c
 Requires: libcurl
-Requires: sssd >= 1.1.1
-Requires: certmonger
+Requires: sssd >= 1.2.1
+Requires: certmonger >= 0.26
 %description client
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -501,6 +502,12 @@ fi
 %endif
 %changelog
+* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
+- Set minimum version of certmonger to 0.26 (to pck up #621670)
+- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
+- Set minimum version of pki-ca to 1.3.6
+- Set minimum version of sssd to 1.2.1
+
 * Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
 - Add BuildRequires for authconfig
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 035d6315f..6babd440f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -434,10 +434,12 @@ class CAInstance(service.Service):
 self.step("creating certificate server user", self.__create_ca_user)
 if not ipautil.dir_exists("/var/lib/pki-ca"):
 self.step("creating pki-ca instance", self.create_instance)
+ self.step("restarting certificate server", self.__restart_instance)
 self.step("configuring certificate server instance", self.__configure_instance)
 # Step 1 of external is getting a CSR so we don't need to do these
 # steps until we get a cert back from the external CA.
 if self.external != 1:
+ self.step("restarting certificate server", self.__restart_instance)
 if not self.clone:
 self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
 self.step("creating RA agent certificate database", self.__create_ra_agent_db)
@@ -497,19 +499,6 @@ class CAInstance(service.Service):
 self.backup_state("user_exists", user_exists)
 def __configure_instance(self):
- # Turn off Nonces
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(self.pki_user)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
- logging.debug("restarting ca instance")
- try:
- self.restart()
- logging.debug("done restarting ca instance")
- except ipautil.CalledProcessError, e:
- print "failed to restart ca instance", e
-
 preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
 try:
@@ -535,6 +524,7 @@ class CAInstance(service.Service):
 "-db_name", "ipaca",
 "-key_size", "2048",
 "-key_type", "rsa",
+ "-key_algorithm", "SHA256withRSA",
 "-save_p12", "true",
 "-backup_pwd", self.admin_password,
 "-subsystem_name", self.service_name,
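Review bot: The two added steps in the first hunk carry the same label, `restarting certificate server`, and neither says why a restart is needed at that point in the sequence. The first follows `create_instance` and no longer has a config edit ahead of it, because the nonce change moves to the end of `__configure_instance` in the last hunk of this file. The second is the only restart that can pick that edit up, and it sits under `if self.external != 1:`, so on the external-CA first pass CS.cfg is rewritten with no restart after it (presumably the second run covers this; worth confirming). I would add a comment above each, for example `# pick up the CS.cfg change made at the end of __configure_instance` on the second. Indentation is lost in this view and the method starts and ends outside the hunk, so whether the first added step is nested under `if not ipautil.dir_exists(...)` cannot be checked here.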
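Review bot: `"-backup_pwd", self.admin_password` sits in the same argument list as the new `-key_algorithm` entry, so the admin password appears to be handed to pkisilent on its command line. There it is visible in the process table for the whole run (the commit message says this step can take more than a minute), and it may also reach the install log if the runner logs its arguments. The list begins and ends outside the hunk, so how it is executed and logged cannot be seen here. At minimum I would mark it in the code, `# NOTE: passwords in this list are passed on argv; keep the list out of debug logs`, and check that whatever runs the list does not log it verbatim.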
@@ -620,13 +610,12 @@ class CAInstance(service.Service):
 logging.debug("completed creating ca instance")
 except ipautil.CalledProcessError, e:
 logging.critical("failed to restart ca instance %s" % e)
- logging.debug("restarting ca instance")
- try:
- self.restart()
- logging.debug("done restarting ca instance")
- except ipautil.CalledProcessError, e:
- print "failed to restart ca instance", e
- logging.debug("failed to restart ca instance %s" % e)
+
+ # Turn off Nonces (again)
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(self.pki_user)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
 # pkisilent makes a copy of the CA PKCS#12 file for us but gives
 # it a lousy name. |
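Review bot: `# Turn off Nonces (again)` does not say why `ca.enableNonces` is forced to false, or what "again" refers to now that the earlier edit is removed from the top of `__configure_instance`. As far as I know this setting guards CA agent requests against replay and forgery, so the comment should state the reason and name the component that depends on it being off. The edit also runs directly after an `except` that only logs (`logging.critical("failed to restart ca instance %s" % e)`), so if the guarded call failed the code still rewrites CS.cfg and the install carries on; re-raising there, e.g. `raise RuntimeError("Configuration of CA failed")`, would stop at the real error. The `try` opens outside the hunk, so which call it guards is not visible here, though the preceding `completed creating ca instance` message suggests the "failed to restart" log text is a leftover.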