author | Jan Cholasta <jcholast@redhat.com> | 2014-09-03 15:04:35 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-09-05 16:10:49 +0200 |
commit | 2ed6fb092eac2397f4d6395307c91a497d747ac0 (patch) | |
tree | e4d08490cb17ec74f90be7d3a29d104fc1803ced | |
parent | 68d656f80a483a57f5ed80b7ead03a071abb0ef0 (diff) | |
Backup CS.cfg before modifying it
https://fedorahosted.org/freeipa/ticket/4166
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 1 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 21 |
2 files changed, 22 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 9535cedd8..5dbf3087b 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1085,6 +1085,7 @@ def main(): sub_dict['SUBJECT_BASE'] = subject_base ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca.backup_config() # migrate CRL publish dir before the location in ipa.conf is updated ca_restart = migrate_crl_publish_dir(ca) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ce0561a08..b6342a508 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -404,6 +404,7 @@ class CAInstance(DogtagInstance): self.step("creating pki-ca instance", self.create_instance) self.step("configuring certificate server instance", self.__configure_instance) self.step("stopping certificate server instance to update CS.cfg", self.stop_instance) + self.step("backing up CS.cfg", self.backup_config) self.step("disabling nonces", self.__disable_nonce) self.step("set up CRL publishing", self.__enable_crl_publish) self.step("enable PKIX certificate path discovery and validation", self.enable_pkix) @@ -733,6 +734,12 @@ class CAInstance(DogtagInstance): self.log.debug("completed creating ca instance") + def backup_config(self): + try: + backup_config(self.dogtag_constants) + except Exception, e: + root_logger.warning("Failed to backup CS.cfg: %s", e) + def __disable_nonce(self): # Turn off Nonces update_result = installutils.update_file( @@ -1587,6 +1594,11 @@ class CAInstance(DogtagInstance): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} + try: + backup_config(dogtag_constants) + except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e) + DogtagInstance.update_cert_cs_cfg( nickname, cert, directives, dogtag.configured_constants().CS_CFG_PATH, 
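Review bot: The new `CAInstance.backup_config` method catches every `Exception` and only logs a warning, so the install steps that follow still rewrite CS.cfg when no backup was made, and a programming error such as a wrong attribute name would be reported as a backup failure instead of surfacing. Catching only file-level errors, `except EnvironmentError as e:`, keeps the best-effort behaviour for I/O failures. The same broad catch appears in the later hunk that logs with `syslog.syslog(syslog.LOG_ERR, ...)`. The method also has no docstring; a one-liner such as `"""Back up CS.cfg; a failure is logged and does not abort the caller."""` would record that the swallow is deliberate.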
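Review bot: The backup in this hunk is taken from `dogtag_constants`, while the `DogtagInstance.update_cert_cs_cfg` call right below it writes to `dogtag.configured_constants().CS_CFG_PATH`, so the file backed up and the file modified are resolved in two different ways. `dogtag_constants` is defined outside the hunk, so I cannot confirm the two always agree; if it can refer to a different instance, the backup would cover the wrong file. Resolving the path once and passing it to both calls would remove the doubt. The enclosing function starts and ends outside the hunk.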
@@ -1715,6 +1727,15 @@ def install_replica_ca(config, postinstall=False): return ca +def backup_config(dogtag_constants=None): + """ + Create a backup copy of CS.cfg + """ + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + + shutil.copy(dogtag_constants.CS_CFG_PATH, + dogtag_constants.CS_CFG_PATH + '.ipabkp') def update_people_entry(dercert): """ |
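Review bot: `backup_config` always writes to the fixed name `CS_CFG_PATH + '.ipabkp'`, and `ipa-upgradeconfig` calls it on every run, so a second run after a bad modification overwrites the only good copy with the damaged one. `shutil.copy` also opens the destination by name before applying the source's mode bits, so it follows a symlink already present at that path and the copy briefly has default-umask permissions. That matters if the directory holding CS.cfg is writable by the CA's service account while this code runs as root, which the page does not show. The sketch below uses a timestamped name and creates the file exclusively with a restrictive mode; it assumes `os` and `time` are in scope, and the naming scheme is a suggestion.

```python
def backup_config(dogtag_constants=None):
    # … unchanged: docstring and dogtag_constants default …

    src = dogtag_constants.CS_CFG_PATH
    dst = '%s.ipabkp.%s' % (src, time.strftime('%Y%m%d%H%M%S'))
    # O_EXCL refuses an existing file or symlink at dst; the mode is
    # restrictive from the moment the file is created.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'wb') as out, open(src, 'rb') as inp:
        shutil.copyfileobj(inp, out)
```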