authorJan Cholasta <jcholast@redhat.com>2014-09-24 16:41:47 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 08:50:47 +0200
commit88083887c994ab505d6e07151e5dd26b56bb7732 (patch)
treefde6a1a529a9c5969082acf081854672154fa22a /install/tools/ipa-server-install
parent3aa0731fc660ea3d111a44926ab5dea71dc510e7 (diff)
CA-less installer options usability fixes
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have been replaced by --*-cert-file options which accept multiple files. ipa-server-certinstall now accepts multiple files as well. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. The --root-ca-file option of ipa-server-install has been replaced by --ca-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. The --*_pin options of ipa-server-install and ipa-replica-prepare have been renamed to --*-pin. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/tools/ipa-server-install')
-rwxr-xr-xinstall/tools/ipa-server-install165
1 files changed, 104 insertions, 61 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6988b1068..636ba7496 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -215,20 +215,45 @@ def parse_options():
help=SUPPRESS_HELP)
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
- cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
- help="PKCS#12 file containing the Directory Server SSL certificate")
- cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
- help="PKCS#12 file containing the Apache Server SSL certificate")
- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
+ cert_group.add_option("--dirsrv-cert-file", dest="dirsrv_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Directory Server SSL certificate and private key")
+ cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--http-cert-file", dest="http_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Apache Server SSL certificate and private key")
+ cert_group.add_option("--http_pkcs12", dest="http_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Kerberos KDC SSL certificate and private key")
+ cert_group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Directory Server private key")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
- help="The password of the Directory Server PKCS#12 file")
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--http-pin", dest="http_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Apache Server private key")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
- help="The password of the Apache Server PKCS#12 file")
- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
- help="The password of the Kerberos KDC PKCS#12 file")
- cert_group.add_option("--root-ca-file", dest="root_ca_file",
- help="PEM file containing the CA certificate for the PKCS#12 files")
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Kerberos KDC private key")
+ cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
+ action="append", metavar="FILE",
+ help="File containing CA certificates for the service certificate files")
+ cert_group.add_option("--root-ca-file", dest="ca_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
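Review bot: The hidden legacy spellings (`--dirsrv_pkcs12`, `--http_pkcs12`, `--pkinit_pkcs12`, `--dirsrv_pin`, `--http_pin`, `--pkinit_pin`, `--root-ca-file`) carry no comment saying why they coexist with the new options, so a later cleanup could drop or re-document them by accident; a one-line comment before the first alias such as `# Deprecated spellings kept for backward compatibility; hidden from --help.` would make the intent explicit. Note that `--root-ca-file` now appends into `ca_cert_files`, so a repeated occurrence is accumulated instead of replacing the earlier value as a plain store would; if that is intended it belongs in the same comment. All three `--*-pin` options now carry `sensitive=True`, which the old `--pkinit_pin` lacked, and the hidden `--pkinit_pin` alias matches it. parse_options continues outside the hunk.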
@@ -311,22 +336,25 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
- # If any of the PKCS#12 options are selected, all are required.
- pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
- pkcs12_opt = (options.pkinit_pkcs12,)
- if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
- parser.error("--dirsrv_pkcs12 and --http_pkcs12 are required if any "
- "PKCS#12 options are used.")
+ # If any of the key file options are selected, all are required.
+ cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
+ cert_file_opt = (options.pkinit_cert_files,)
+ if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+ parser.error("--dirsrv-cert-file and --http-cert-file are required if "
+ "any key file options are used.")
if options.unattended:
- if options.dirsrv_pkcs12 and options.dirsrv_pin is None:
- parser.error("You must specify --dirsrv_pin with --dirsrv_pkcs12")
- if options.http_pkcs12 and options.http_pin is None:
- parser.error("You must specify --http_pin with --http_pkcs12")
- if options.pkinit_pkcs12 and options.pkinit_pin is None:
- parser.error("You must specify --pkinit_pin with --pkinit_pkcs12")
-
- if options.external_cert_files and options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files and options.dirsrv_pin is None:
+ parser.error(
+ "You must specify --dirsrv-pin with --dirsrv-cert-file")
+ if options.http_cert_files and options.http_pin is None:
+ parser.error(
+ "You must specify --http-pin with --http-cert-file")
+ if options.pkinit_cert_files and options.pkinit_pin is None:
+ parser.error(
+ "You must specify --pkinit-pin with --pkinit-cert-file")
+
+ if options.external_cert_files and options.dirsrv_cert_files:
parser.error("Service certificate file options cannot be used with "
"the external CA options.")
@@ -334,8 +362,9 @@ def parse_options():
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
- if options.dirsrv_pkcs12:
- parser.error("You cannot specify PKCS#12 options together with --external-ca")
+ if options.dirsrv_cert_files:
+ parser.error("You cannot specify service certificate file options "
+ "together with --external-ca")
if (options.external_cert_files and
any(not os.path.isabs(path) for path in options.external_cert_files)):
@@ -761,7 +790,7 @@ def main():
options.external_cert_files, options.subject)
# We only set up the CA if the PKCS#12 options are not given.
- if options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files:
setup_ca = False
setup_kra = False
else:
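Review bot: The comment two lines above the changed condition still says `# We only set up the CA if the PKCS#12 options are not given.`, but the condition now tests `options.dirsrv_cert_files`, which this commit fills from `--dirsrv-cert-file` and accepts PEM, DER, PKCS#7 and PKCS#8 input as well; the comment should follow the rename, e.g. `# We only set up the CA if the service certificate file options are not given.`. main continues outside the hunk.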
@@ -903,43 +932,58 @@ def main():
if not options.subject:
options.subject = DN(('O', realm_name))
- ca_file = options.root_ca_file
-
- if options.http_pkcs12:
+ if options.http_cert_files:
if options.http_pin is None:
options.http_pin = installutils.read_password(
- "Enter %s unlock" % options.http_pkcs12,
+ "Enter Apache Server private key unlock",
confirm=False, validate=False)
if options.http_pin is None:
- sys.exit("%s unlock password required" % options.http_pkcs12)
- http_pkcs12_info = (options.http_pkcs12, options.http_pin)
- http_ca_cert = installutils.check_pkcs12(
- http_pkcs12_info, ca_file, host_name)
-
- if options.dirsrv_pkcs12:
+ sys.exit(
+ "Apache Server private key unlock password required")
+ http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
+ cert_files=options.http_cert_files,
+ key_password=options.http_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ http_pkcs12_info = (http_pkcs12_file.name, http_pin)
+
+ if options.dirsrv_cert_files:
if options.dirsrv_pin is None:
- options.dirsrv_pin = installutils.read_password(
- "Enter %s unlock" % options.dirsrv_pkcs12,
+ options.dirsrv_pin = read_password(
+ "Enter Directory Server private key unlock",
confirm=False, validate=False)
if options.dirsrv_pin is None:
- sys.exit("%s unlock password required" % options.dirsrv_pkcs12)
- dirsrv_pkcs12_info = (options.dirsrv_pkcs12, options.dirsrv_pin)
- dirsrv_ca_cert = installutils.check_pkcs12(
- dirsrv_pkcs12_info, ca_file, host_name)
-
- if options.pkinit_pkcs12:
+ sys.exit(
+ "Directory Server private key unlock password required")
+ dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
+ cert_files=options.dirsrv_cert_files,
+ key_password=options.dirsrv_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
+
+ if options.pkinit_cert_files:
if options.pkinit_pin is None:
- options.pkinit_pin = installutils.read_password(
- "Enter %s unlock" % options.pkinit_pkcs12,
+ options.pkinit_pin = read_password(
+ "Enter Kerberos KDC private key unlock",
confirm=False, validate=False)
if options.pkinit_pin is None:
- sys.exit("%s unlock password required" % options.pkinit_pkcs12)
- pkinit_pkcs12_info = (options.pkinit_pkcs12, options.pkinit_pin)
-
- if (options.http_pkcs12 and options.dirsrv_pkcs12 and
+ sys.exit(
+ "Kerberos KDC private key unlock password required")
+ pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+ cert_files=options.pkinit_cert_files,
+ key_password=options.pkinit_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
+
+ if (options.http_cert_files and options.dirsrv_cert_files and
http_ca_cert != dirsrv_ca_cert):
- sys.exit("%s and %s are not signed by the same CA certificate" %
- (options.http_pkcs12, options.dirsrv_pkcs12))
+ sys.exit("Apache Server SSL certificate and Directory Server SSL "
+ "certificate are not signed by the same CA certificate")
if not options.dm_password:
dm_password = read_dm_password()
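Review bot: `pkinit_ca_cert` returned by `load_pkcs12` for the KDC certificate is assigned but never used, so the same-CA check at the end of the hunk still covers only the Apache and Directory Server certificates; either extend the condition to include the PKINIT certificate when it is given, or bind the value as `_` with a comment on why it is deliberately not compared. The Directory Server and KDC branches call a bare `read_password(...)` while the Apache branch above keeps `installutils.read_password(...)`; unless `read_password` is imported at module level outside this hunk, the two new calls raise NameError at the prompt, and in any case the three branches should agree on one spelling. The objects returned as `http_pkcs12_file`, `dirsrv_pkcs12_file` and `pkinit_pkcs12_file` are referenced only through the locals whose `.name` is copied into the `*_pkcs12_info` tuples; if `load_pkcs12` hands back temporary files, a comment stating that these locals must stay alive until the corresponding `create_instance` call would save the next reader from "simplifying" them away. main continues outside the hunk.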
@@ -1064,14 +1108,13 @@ def main():
if not ntp.is_configured():
ntp.create_instance()
- if options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files:
ds = dsinstance.DsInstance(fstore=fstore)
ds.create_instance(realm_name, host_name, domain_name,
dm_password, dirsrv_pkcs12_info,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject,
- hbac_allow=not options.hbac_allow,
- ca_file=ca_file)
+ hbac_allow=not options.hbac_allow)
else:
ds = dsinstance.DsInstance(fstore=fstore)
ds.create_instance(realm_name, host_name, domain_name,
@@ -1137,7 +1180,7 @@ def main():
ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
krb = krbinstance.KrbInstance(fstore)
- if options.pkinit_pkcs12:
+ if options.pkinit_cert_files:
krb.create_instance(realm_name, host_name, domain_name,
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
@@ -1163,11 +1206,11 @@ def main():
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
- if options.http_pkcs12:
+ if options.http_cert_files:
http.create_instance(
realm_name, host_name, domain_name, dm_password,
pkcs12_info=http_pkcs12_info, subject_base=options.subject,
- auto_redirect=options.ui_redirect, ca_file=ca_file)
+ auto_redirect=options.ui_redirect)
else:
http.create_instance(
realm_name, host_name, domain_name, dm_password,