authorJan Cholasta <jcholast@redhat.com>2014-09-03 15:04:35 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-05 16:10:49 +0200
commit2ed6fb092eac2397f4d6395307c91a497d747ac0 (patch)
treee4d08490cb17ec74f90be7d3a29d104fc1803ced
parent68d656f80a483a57f5ed80b7ead03a071abb0ef0 (diff)
Backup CS.cfg before modifying it
https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rw-r--r--install/tools/ipa-upgradeconfig1
-rw-r--r--ipaserver/install/cainstance.py21
2 files changed, 22 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9535cedd8..5dbf3087b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1085,6 +1085,7 @@ def main():
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca.backup_config()
# migrate CRL publish dir before the location in ipa.conf is updated
ca_restart = migrate_crl_publish_dir(ca)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ce0561a08..b6342a508 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -404,6 +404,7 @@ class CAInstance(DogtagInstance):
self.step("creating pki-ca instance", self.create_instance)
self.step("configuring certificate server instance", self.__configure_instance)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
+ self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
@@ -733,6 +734,12 @@ class CAInstance(DogtagInstance):
self.log.debug("completed creating ca instance")
+ def backup_config(self):
+ try:
+ backup_config(self.dogtag_constants)
+ except Exception, e:
+ root_logger.warning("Failed to backup CS.cfg: %s", e)
+
def __disable_nonce(self):
# Turn off Nonces
update_result = installutils.update_file(
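Review bot: The new `backup_config` method catches every `Exception` and only logs a warning, so when the copy fails the steps that follow (`__disable_nonce` and the others registered after it) still appear to rewrite CS.cfg with no restore point. The same pattern is used in the hunk at -1587, where the failure goes to syslog instead. If best-effort is intended, say so in a docstring, e.g. `"""Back up CS.cfg; a failure is logged and does not stop the installation."""`, and consider narrowing to `except EnvironmentError, e:` so that programming errors are not reported as backup failures. `__disable_nonce` continues past the end of the hunk.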
@@ -1587,6 +1594,11 @@ class CAInstance(DogtagInstance):
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
+ try:
+ backup_config(dogtag_constants)
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
+
DogtagInstance.update_cert_cs_cfg(
nickname, cert, directives,
dogtag.configured_constants().CS_CFG_PATH,
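Review bot: The backup at `backup_config(dogtag_constants)` and the update right after it take the CS.cfg path from two different expressions, `dogtag_constants.CS_CFG_PATH` and `dogtag.configured_constants().CS_CFG_PATH`. `dogtag_constants` is defined outside this hunk, so whether both always name the same file cannot be confirmed from here; if they can differ, the file being rewritten is not the one that was backed up. Passing the same object to both, or calling `backup_config()` with no argument so it falls back to `dogtag.configured_constants()`, would remove the doubt. The enclosing function starts and ends outside the hunk.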
@@ -1715,6 +1727,15 @@ def install_replica_ca(config, postinstall=False):
return ca
+def backup_config(dogtag_constants=None):
+ """
+ Create a backup copy of CS.cfg
+ """
+ if dogtag_constants is None:
+ dogtag_constants = dogtag.configured_constants()
+
+ shutil.copy(dogtag_constants.CS_CFG_PATH,
+ dogtag_constants.CS_CFG_PATH + '.ipabkp')
def update_people_entry(dercert):
"""
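Review bot: `shutil.copy` in `backup_config` writes to a fixed, predictable path (`CS.cfg` plus `.ipabkp`) and follows a symlink if one already exists there, so the safety of this call depends on the permissions of the directory holding CS.cfg, which the hunk does not show. If that directory is writable by the CA service account while the installer runs with higher privileges, the copy should go to a freshly created file and be renamed into place. The fixed name also means every call replaces the previous backup, and ipa-upgradeconfig calls this on each run, so a run that follows a bad edit leaves no copy of the last good CS.cfg; keeping an existing backup or adding a timestamp suffix would avoid that. The sketch below assumes `os` and `tempfile` are already imported in cainstance.py, and it leaves the backup at mode 0600 rather than copying the source mode.

```python
def backup_config(dogtag_constants=None):
    # … unchanged: docstring and dogtag_constants default …
    path = dogtag_constants.CS_CFG_PATH
    # mkstemp creates the file exclusively with mode 0600, so an existing
    # link at the destination is never opened for writing.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix='CS.cfg.')
    try:
        with os.fdopen(fd, 'w') as dst:
            with open(path) as src:
                shutil.copyfileobj(src, dst)
        # rename replaces the destination entry itself instead of following it
        os.rename(tmp, path + '.ipabkp')
    except Exception:
        os.unlink(tmp)
        raise
```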