diff options
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 088744a48..d33901dc1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -34,6 +34,7 @@ import shutil import httplib import urllib import xml.dom.minidom +import stat from nss.error import NSPRError import nss.nss as nss @@ -44,7 +45,6 @@ from ipapython import nsslib from ipaserver.install import service from ipaserver.install import installutils from ipaserver import ipaldap -from ipaserver.install import ldapupdate from ipaserver.install import dsinstance from ipalib import util @@ -368,6 +368,7 @@ class CAInstance(service.Service): self.server_root = "/var/lib" self.secure_port = 9444 self.ra_cert = None + self.requestId = None def __del__(self): shutil.rmtree(self.ca_agent_db, ignore_errors=True) @@ -390,6 +391,7 @@ class CAInstance(service.Service): self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("fixing RA database permissions", self.__fix_ra_perms) + self.step("setting up signing cert profile", self.__setup_sign_profile) self.step("configuring certificate server to start on boot", self.__enable) self.step("restarting certificate server", self.__restart_instance) @@ -540,7 +542,7 @@ class CAInstance(service.Service): def __restart_instance(self): try: self.restart() - except Exception: + except Exception, e: # TODO: roll back here? logging.critical("Failed to restart the certificate server. See the installation log for details.") @@ -577,9 +579,10 @@ class CAInstance(service.Service): '-n', 'ipa-ca-agent', '-p', self.admin_password, '-d', self.ca_agent_db, - '-r', '/ca/agent/ca/profileReview?requestId=7', + '-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId, '%s:%d' % (self.host_name, 9443), ] + logging.debug("running sslget %s" % args) (stdout, stderr) = ipautil.run(args) data = stdout.split('\r\n') @@ -589,6 +592,8 @@ class CAInstance(service.Service): params['submit'] = 'submit' params['requestNotes'] = '' params = urllib.urlencode(params) + headers = {"Content-type": "application/x-www-form-urlencoded", + "Accept": "text/plain"} # Now issue the RA certificate. args = [ @@ -600,6 +605,7 @@ class CAInstance(service.Service): '-r', '/ca/agent/ca/profileProcess', '%s:%d' % (self.host_name, 9443), ] + logging.debug("running sslget %s" % args) (stdout, stderr) = ipautil.run(args) data = stdout.split('\r\n') @@ -679,6 +685,7 @@ class CAInstance(service.Service): f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR) os.write(f, hex_str) os.close(f) + os.chmod(self.ra_agent_pwd, stat.S_IRUSR) stdout, stderr = self.__run_certutil(["-N"]) @@ -758,11 +765,14 @@ class CAInstance(service.Service): res = conn.getresponse() if res.status == 200: data = res.read() - # FIXME: pull the requestId out so of the response so it isn't - # later hard-coded at 7 -# print data - conn.close() + doc = xml.dom.minidom.parseString(data) + item_node = doc.getElementsByTagName("RequestId") + self.requestId = item_node[0].childNodes[0].data + doc.unlink() + self.requestId = self.requestId.strip() + if self.requestId is None: + raise RuntimeError("Unable to determine RA certificate requestId") else: conn.close() raise RuntimeError("Unable to submit RA cert request") @@ -778,6 +788,22 @@ class CAInstance(service.Service): os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid ) os.chown(self.ra_agent_pwd, 0, pent.pw_gid) + def __setup_sign_profile(self): + caconfig = "/var/lib/pki-ca/conf/CS.cfg" + + if not ipautil.file_exists('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg'): + profile = ipautil.template_file(ipautil.SHARE_DIR + "caJarSigningCert.cfg.template", {}) + fd = open("/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg", "w") + fd.write(profile) + fd.close() + + profilelist = installutils.get_directive(caconfig, "profile.list", separator="=") + if profilelist.find('caJarSigningCert') < 0: + profilelist = profilelist + ',caJarSigningCert' + installutils.set_directive(caconfig, 'profile.list', profilelist, quotes=False, separator='=') + installutils.set_directive(caconfig, 'profile.caJarSigningCert.class_id', 'caEnrollImpl', quotes=False, separator='=') + installutils.set_directive(caconfig, 'profile.caJarSigningCert.config', '/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', quotes=False, separator='=') + def uninstall(self): try: ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", |