summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/httpinstance.py
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-09-08 22:11:31 -0400
committerRob Crittenden <rcritten@redhat.com>2010-09-09 16:38:45 -0400
commit2e8bae590eae495628ffb709540f7e83eee52ba2 (patch)
tree8426fdb320a4f383a0a6e5de42fb56c40bdc2211 /ipaserver/install/httpinstance.py
parent3a022fe51043f71bdb50aefea828377b8f0c09fb (diff)
downloadfreeipa-2e8bae590eae495628ffb709540f7e83eee52ba2.zip
freeipa-2e8bae590eae495628ffb709540f7e83eee52ba2.tar.gz
freeipa-2e8bae590eae495628ffb709540f7e83eee52ba2.tar.xz
Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r--ipaserver/install/httpinstance.py11
1 files changed, 7 insertions, 4 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 48a908f..af8fdde 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -120,10 +120,9 @@ class HTTPInstance(service.Service):
self.print_msg(selinux_warning)
def __create_http_keytab(self):
- http_principal = "HTTP/" + self.fqdn + "@" + self.realm
- installutils.kadmin_addprinc(http_principal)
- installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
- self.move_service(http_principal)
+ installutils.kadmin_addprinc(self.principal)
+ installutils.create_keytab("/etc/httpd/conf/ipa.keytab", self.principal)
+ self.move_service(self.principal)
self.add_cert_to_service()
pent = pwd.getpwnam("apache")
@@ -186,9 +185,11 @@ class HTTPInstance(service.Service):
db.create_from_cacert(ca_db.cacert_fname)
db.create_password_conf()
self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
+ db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
else:
self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
+ db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
db.create_password_conf()
@@ -251,6 +252,8 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
+ db = certs.CertDB(NSS_DIR)
+ db.untrack_server_cert("Server-Cert")
if not enabled is None and not enabled:
self.chkconfig_off()