diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-06-05 02:57:48 -0400 |
|---|---|---|
| committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-05 19:12:46 +0200 |
| commit | 8b3bc99a737edb9178e115c188d60d963f73e50c (patch) | |
| tree | 22a9afe1ed2a78685bbd3c231b73e1c2c1f2e3fd /ipaserver/install | |
| parent | ce33f82cfe528c17d3a1367172bb1475fe169b25 (diff) | |
| download | freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.tar.gz freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.tar.xz freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.zip | |
Import profiles earlier during install
Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions. Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.
Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install')
| -rw-r--r-- | ipaserver/install/cainstance.py | 5 | ||||
| -rw-r--r-- | ipaserver/install/server/install.py | 3 |
2 files changed, 5 insertions, 3 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42225c28c..563a198ab 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -473,6 +473,9 @@ class CAInstance(DogtagInstance): self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) + if not self.clone: + self.step("restarting certificate server", self.restart_instance) + self.step("Importing IPA certificate profiles", import_included_profiles) self.start_creation(runtime=210) @@ -1694,6 +1697,7 @@ def import_included_profiles(): ) conn.add_entry(entry) api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 with api.Backend.ra_certprofile as profile_api: # import the profile try: @@ -1715,6 +1719,7 @@ def import_included_profiles(): except errors.RemoteRetrieveError: pass + api.Backend.ra_certprofile.override_port = None root_logger.info("Imported profile '%s'", profile_id) conn.disconnect() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 955e4cc11..999766d67 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -906,9 +906,6 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) - service.print_msg("Importing certificate profiles") - cainstance.import_included_profiles() - if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) |