diff options
| author | Martin Kosek <mkosek@redhat.com> | 2012-10-08 15:58:48 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2012-10-09 16:00:01 +0200 |
| commit | 74ebd0fd75fababe7d080080ef019b53e96c0c4f (patch) | |
| tree | ced59ca3583b0d9092f58e7d3ec903c417ed7a91 /ipapython | |
| parent | 9bb927eb1cca3fd4ac4768b2ef53aab75b848bd6 (diff) | |
| download | freeipa-74ebd0fd75fababe7d080080ef019b53e96c0c4f.tar.gz freeipa-74ebd0fd75fababe7d080080ef019b53e96c0c4f.tar.xz freeipa-74ebd0fd75fababe7d080080ef019b53e96c0c4f.zip | |
Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
* We depend on pki-ca directory structure and relevant permissions.
If pki-ca changes directory structure or permissions on upgrade,
IPA may break. This is also a root cause of the latest error, where
the pki-ca directory does not have X permission for others and CRL
publishing by httpd breaks.
* Since the directory is not static and is generated during
ipa-server-install, RPM upgrade of IPA packages report errors when
defining SELinux policy for these directories.
Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.
https://fedorahosted.org/freeipa/ticket/3144
Diffstat (limited to 'ipapython')
| -rw-r--r-- | ipapython/dogtag.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 22a5a6d19..3bc9e5d5d 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -54,7 +54,7 @@ class Dogtag10Constants(object): SERVER_ROOT = '/var/lib/pki' PKI_INSTANCE_NAME = 'pki-tomcat' PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT + CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT @@ -78,7 +78,7 @@ class Dogtag9Constants(object): SERVER_ROOT = '/var/lib' PKI_INSTANCE_NAME = 'pki-ca' PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT + CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT |