diff options
author | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
commit | 5a96618f5d31b21b983076ccc4c480561a7ccb2a (patch) | |
tree | ecc32810d350b0d871cb18c4eb07f989b4b5b879 /ipa-server/ipaserver | |
parent | 25057816a560064298357d29228c5a4e01466b7c (diff) | |
download | freeipa-5a96618f5d31b21b983076ccc4c480561a7ccb2a.tar.gz freeipa-5a96618f5d31b21b983076ccc4c480561a7ccb2a.tar.xz freeipa-5a96618f5d31b21b983076ccc4c480561a7ccb2a.zip |
Use file to store the current CA serial number
No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix number of bugs in ipa-replica-install and prepare
Produce status output during replica creation
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/certs.py | 53 | ||||
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 3 | ||||
-rw-r--r-- | ipa-server/ipaserver/httpinstance.py | 16 | ||||
-rw-r--r-- | ipa-server/ipaserver/replication.py | 2 |
4 files changed, 58 insertions, 16 deletions
diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py index b39cf2244..30568e6e4 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py @@ -19,6 +19,7 @@ import os, stat, subprocess, re import sha +import errno from ipa import ipautil @@ -42,7 +43,7 @@ class CertDB(object): # responsibility of the caller for now. In the # future we might automatically determine this # for a given db. - self.cur_serial = 1000 + self.cur_serial = -1 self.cacert_name = "CA certificate" self.valid_months = "120" @@ -57,10 +58,40 @@ class CertDB(object): self.uid = mode[stat.ST_UID] self.gid = mode[stat.ST_GID] + def set_serial_from_pkcs12(self): + """A CA cert was loaded from a PKCS#12 file. Set up our serial file""" + + self.cur_serial = self.find_cacert_serial() + try: + f=open("/usr/share/ipa/serial","w") + f.write(str(self.cur_serial)) + f.close() + except IOError, e: + raise RuntimeError("Unable to increment serial number: %s" % str(e)) + def next_serial(self): - r = self.cur_serial - self.cur_serial += 1 - return str(r) + try: + f=open("/usr/share/ipa/serial","r") + r = f.readline() + self.cur_serial = int(r) + 1 + f.close() + except IOError, e: + if e.errno == errno.ENOENT: + self.cur_serial = 1000 + f=open("/usr/share/ipa/serial","w") + f.write(str(self.cur_serial)) + f.close() + else: + raise RuntimeError("Unable to determine serial number: %s" % str(e)) + + try: + f=open("/usr/share/ipa/serial","w") + f.write(str(self.cur_serial)) + f.close() + except IOError, e: + raise RuntimeError("Unable to increment serial number: %s" % str(e)) + + return str(self.cur_serial) def set_perms(self, fname, write=False): os.chown(fname, self.uid, self.gid) @@ -75,7 +106,7 @@ class CertDB(object): def run_certutil(self, args, stdin=None): new_args = ["/usr/bin/certutil", "-d", self.secdir] new_args = new_args + args - ipautil.run(new_args, stdin) + return ipautil.run(new_args, stdin) def run_signtool(self, args, stdin=None): new_args = ["/usr/bin/signtool", "-d", self.secdir] @@ -139,6 +170,16 @@ class CertDB(object): "-t", "CT,,C", "-a", "-i", cacert_fname]) + + def find_cacert_serial(self): + (out,err) = self.run_certutil(["-L", "-n", self.cacert_name]) + data = out.split('\n') + for line in data: + x = re.match(r'\s+Serial Number: (\d+) .*', line) + if x is not None: + return x.group(1) + + raise RuntimeError("Unable to find serial number") def create_server_cert(self, nickname, name, other_certdb=None): cdb = other_certdb @@ -330,5 +371,3 @@ class CertDB(object): sysrestore.backup_file(self.pin_fname) sysrestore.backup_file(self.certreq_fname) sysrestore.backup_file(self.certder_fname) - - diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 733e5d5be..a320a1be6 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -257,10 +257,9 @@ class DsInstance(service.Service): ca = certs.CertDB(dirname) if self.pkcs12_info: ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) - ca.cur_serial = 2100 else: ca.create_self_signed() - ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name) + ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name) conn = ipaldap.IPAdmin("127.0.0.1") conn.simple_bind_s("cn=directory manager", self.dm_password) diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py index 12e5ae105..bee77e9fb 100644 --- a/ipa-server/ipaserver/httpinstance.py +++ b/ipa-server/ipaserver/httpinstance.py @@ -55,10 +55,11 @@ class HTTPInstance(service.Service): def __init__(self): service.Service.__init__(self, "httpd") - def create_instance(self, realm, fqdn): + def create_instance(self, realm, fqdn, autoconfig=True, pkcs12_info=None): self.fqdn = fqdn self.realm = realm self.domain = fqdn[fqdn.find(".")+1:] + self.pkcs12_info = pkcs12_info self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain } self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) @@ -66,7 +67,8 @@ class HTTPInstance(service.Service): self.step("configuring httpd", self.__configure_http) self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("Setting up ssl", self.__setup_ssl) - self.step("Setting up browser autoconfig", self.__setup_autoconfig) + if autoconfig: + self.step("Setting up browser autoconfig", self.__setup_autoconfig) self.step("configuring SELinux for httpd", self.__selinux_config) self.step("restarting httpd", self.__start) self.step("configuring httpd to start on boot", self.__enable) @@ -136,10 +138,12 @@ class HTTPInstance(service.Service): def __setup_ssl(self): ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) ca = certs.CertDB(NSS_DIR) - ds_ca.cur_serial = 2000 - ca.create_from_cacert(ds_ca.cacert_fname) - ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca) - ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca) + if self.pkcs12_info: + ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=False) + else: + ca.create_from_cacert(ds_ca.cacert_fname) + ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca) + ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca) def __setup_autoconfig(self): prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict) diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py index 765905e55..10addc65b 100644 --- a/ipa-server/ipaserver/replication.py +++ b/ipa-server/ipaserver/replication.py @@ -279,7 +279,7 @@ class ReplicationManager: return haserror def start_replication(self, other_conn): - print "starting replication" + print "Starting replication, please wait until this has completed." cn, dn = self.agreement_dn(self.conn) mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')] |