author | Petr Viktorin <pviktori@redhat.com> | 2013-03-26 18:06:50 +0100 |
committer | Rob Crittenden <rcritten@redhat.com> | 2013-04-15 16:55:27 -0400 |
commit | 4e3c1051d029363a099312eac48f337244a5610c (patch) | |
tree | 81574e96640ac9743ab7088af724233944d9cb62 /install | |
parent | fe00788bb439d461e1429ffbd94e42d615e2ddf9 (diff) | |
Uninstall selfsign CA on upgrade
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
Diffstat (limited to 'install')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index dbbffe321..8ae54894b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ import os
 import shutil
 import pwd
 import fileinput
+import ConfigParser
 from ipalib import api
 import ipalib.util
@@ -757,6 +758,25 @@ def add_ca_dns_records():
     sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+def uninstall_selfsign(ds, http):
+    root_logger.info('[Removing self-signed CA]')
+    """Replace self-signed CA by a CA-less install"""
+    if api.env.ra_plugin != 'selfsign':
+        root_logger.debug('Self-signed CA is not installed')
+        return
+
+    root_logger.warning(
+        'Removing self-signed CA. Certificates will need to managed manually.')
+    p = ConfigParser.SafeConfigParser()
+    p.read('/etc/ipa/default.conf')
+    p.set('global', 'enable_ra', 'False')
+    p.set('global', 'ra_plugin', 'none')
+    with open('/etc/ipa/default.conf', 'w') as f:
+        p.write(f)
+
+    ds.stop_tracking_certificates()
+    http.stop_tracking_certificates()
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -834,6 +854,10 @@ def main():
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
+    ds = dsinstance.DsInstance()
+
+    uninstall_selfsign(ds, http)
+
     memcache = memcacheinstance.MemcacheInstance()
     memcache.ldapi = True
     memcache.realm = api.env.realm
@@ -841,7 +865,6 @@ def main():
     if not memcache.is_configured():
         # 389-ds needs to be running to create the memcache instance
         # because we record the new service in cn=masters.
-        ds = dsinstance.DsInstance()
         ds.start()
         memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
     except ipalib.errors.DuplicateEntry:
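Review bot: In the new `uninstall_selfsign`, the string `"""Replace self-signed CA by a CA-less install"""` comes after the `root_logger.info(...)` call, so it is a no-op expression statement rather than the function's docstring; swap the two lines so the docstring is first, and fix the warning text to `'Removing self-signed CA. Certificates will need to be managed manually.'`. The rewrite of `/etc/ipa/default.conf` is also not crash-safe: `open(..., 'w')` truncates the file before `p.write(f)` runs, so an interruption at that point leaves the master with an empty config, and `SafeConfigParser.write` does not preserve comments the file held. Writing to a sibling temporary file and renaming it over the original keeps a valid config at every instant; `os` and `shutil` are already imported per the first hunk, though whether the SELinux label of the renamed file needs restoring is not visible here and should be confirmed. Note also that after this call `api.env.ra_plugin` still reads `'selfsign'` in memory for the rest of the upgrade run; that looks harmless in the hunks shown but deserves a comment if later steps consult it.
```python
def uninstall_selfsign(ds, http):
    """Replace self-signed CA by a CA-less install"""
    root_logger.info('[Removing self-signed CA]')
    # … unchanged: ra_plugin check and warning …
    conf_path = '/etc/ipa/default.conf'
    p = ConfigParser.SafeConfigParser()
    p.read(conf_path)
    p.set('global', 'enable_ra', 'False')
    p.set('global', 'ra_plugin', 'none')
    # Write to a sibling file and rename it into place so a crash mid-write
    # cannot leave default.conf truncated (rename in one directory is atomic).
    tmp_path = conf_path + '.tmp'  # constructed suffix
    with open(tmp_path, 'w') as f:
        p.write(f)
    shutil.copymode(conf_path, tmp_path)
    os.rename(tmp_path, conf_path)
    # … unchanged: stop_tracking_certificates calls …
```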