authorRob Crittenden <rcritten@redhat.com>2010-08-16 17:55:07 -0400
committerRob Crittenden <rcritten@redhat.com>2010-08-19 10:50:40 -0400
commit3e15e6ed6dd0fa6f5606fd77b5104fd067798cde (patch)
treef094c8b5e7e70c30eccc81b2d9ceb06b25d34574
parente466bed5453302ca41e6ab7e85fddbdd35548d2a (diff)
Break out install into more steps, add -key_algorithm to pkisilent
Installing dogtag is quite slow and it isn't always clear that things are working. This breaks out some restart calls into separate steps to show some amount of progress. There are still some steps that take more than a minute (pkicreate and pkisilent). Add a new argument to pkisilent, -key_algorithm. Update a bunch of minimum required versions in the spec file. Tickets 139 (time) and 144 (key_algorithm).
-rw-r--r--ipa.spec.in13
-rw-r--r--ipaserver/install/cainstance.py29
2 files changed, 19 insertions, 23 deletions
diff --git a/ipa.spec.in b/ipa.spec.in
index 74b690e81..3c93aeab1 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -97,7 +97,8 @@ Requires: selinux-policy
%endif
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.15
-Requires: pki-ca
+Requires: pki-ca >= 1.3.6
+Requires: pki-silent >= 1.3.4
Conflicts: mod_ssl
%description server
@@ -139,8 +140,8 @@ Requires: nss_ldap
Requires: wget
Requires: xmlrpc-c
Requires: libcurl
-Requires: sssd >= 1.1.1
-Requires: certmonger
+Requires: sssd >= 1.2.1
+Requires: certmonger >= 0.26
%description client
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -501,6 +502,12 @@ fi
%endif
%changelog
+* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
+- Set minimum version of certmonger to 0.26 (to pck up #621670)
+- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
+- Set minimum version of pki-ca to 1.3.6
+- Set minimum version of sssd to 1.2.1
+
* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
- Add BuildRequires for authconfig
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 035d6315f..6babd440f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -434,10 +434,12 @@ class CAInstance(service.Service):
self.step("creating certificate server user", self.__create_ca_user)
if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance)
+ self.step("restarting certificate server", self.__restart_instance)
self.step("configuring certificate server instance", self.__configure_instance)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
+ self.step("restarting certificate server", self.__restart_instance)
if not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
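Review bot: Both added steps use the identical label `restarting certificate server`, so the install output and log cannot tell the restart before `__configure_instance` from the one after it, which matters when one of them stalls or fails. Distinct labels would fit the commit's goal of showing progress, for example `self.step("restarting certificate server before configuration", self.__restart_instance)` for the first. `__restart_instance` is defined outside this diff, so how it reports a failed restart cannot be checked here; the inline restarts it replaces only printed the `CalledProcessError` and carried on. Indentation is not preserved on this page, so whether the first added step sits inside the `dir_exists` branch is also not visible.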
@@ -497,19 +499,6 @@ class CAInstance(service.Service):
self.backup_state("user_exists", user_exists)
def __configure_instance(self):
- # Turn off Nonces
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(self.pki_user)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
- logging.debug("restarting ca instance")
- try:
- self.restart()
- logging.debug("done restarting ca instance")
- except ipautil.CalledProcessError, e:
- print "failed to restart ca instance", e
-
preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
try:
@@ -535,6 +524,7 @@ class CAInstance(service.Service):
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
+ "-key_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
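Review bot: The signature algorithm is added as a bare literal with nothing tying it to the packaging change it depends on; the spec file in this commit raises pki-silent to 1.3.4 because that version adds `-key_algorithm`. A comment above the line such as `# -key_algorithm requires pki-silent >= 1.3.4 (see ipa.spec.in)` would keep the code and the spec requirement from drifting apart. Separately, the surrounding argument list passes `-backup_pwd` with `self.admin_password` on the command line, where it is readable in the process listing while pkisilent runs and in any log of the arguments. That predates this commit, and the list starts and ends outside the hunk, so whether pkisilent offers a safer way to supply the password is not visible here.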
@@ -620,13 +610,12 @@ class CAInstance(service.Service):
logging.debug("completed creating ca instance")
except ipautil.CalledProcessError, e:
logging.critical("failed to restart ca instance %s" % e)
- logging.debug("restarting ca instance")
- try:
- self.restart()
- logging.debug("done restarting ca instance")
- except ipautil.CalledProcessError, e:
- print "failed to restart ca instance", e
- logging.debug("failed to restart ca instance %s" % e)
+
+ # Turn off Nonces (again)
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(self.pki_user)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
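Review bot: The `except ipautil.CalledProcessError` handler above the new block only logs, so when the preceding `try` fails the code still goes on to edit `CS.cfg` on an instance that may be half configured, and the first error the caller sees could be `Disabling nonces failed`. Indentation is lost on this page and the function begins outside the hunk, so this assumes the new block sits after the handler rather than inside it. Re-raising in the handler, for example `raise RuntimeError("Configuration of CA failed")` after the `logging.critical` call, would stop the install at the real failure. The comment `# Turn off Nonces (again)` should also say why the CA's nonce check is switched off and what turns it back on, and note that the edit only takes effect after the restart step that the first cainstance.py hunk runs only when `self.external != 1`.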