summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py48
-rw-r--r--ipaserver/install/service.py5
2 files changed, 18 insertions, 35 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d62f232cc..5c6c49e4b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -517,8 +517,8 @@ class CAInstance(service.Service):
self.step("creating certificate server user", self.__create_ca_user)
if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance)
- self.step("restarting certificate server", self.__restart_instance)
self.step("configuring certificate server instance", self.__configure_instance)
+ self.step("disabling nonces", self.__disable_nonce)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
@@ -527,20 +527,18 @@ class CAInstance(service.Service):
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
- if not self.clone:
- self.step("restarting certificate server", self.__restart_instance)
- self.step("requesting RA certificate from CA", self.__request_ra_certificate)
- self.step("issuing RA agent certificate", self.__issue_ra_cert)
- self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("set certificate subject base", self.__set_subject_in_config)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
- # A clone will be restarted in ipa-replica-install
self.step("restarting certificate server", self.__restart_instance)
+ self.step("requesting RA certificate from CA", self.__request_ra_certificate)
+ self.step("issuing RA agent certificate", self.__issue_ra_cert)
+ self.step("adding RA agent as a trusted user", self.__configure_ra)
- self.start_creation("Configuring certificate server", 360)
+ self.start_creation("Configuring certificate server", 210)
def create_instance(self):
"""
@@ -686,34 +684,11 @@ class CAInstance(service.Service):
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
- # Turn off Nonces (again)
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(PKI_USER)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
if ipautil.file_exists("/root/tmp-ca.p12"):
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
- try:
- # After configuration the service is running and configured
- # but must be restarted for configuration to take effect.
- # The service status in this case will be 4.
- self.__restart_instance()
- except ipautil.CalledProcessError, e:
- logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
- raise RuntimeError('Restarting CA after pkisilent configuration failed')
-
- # If the configuration was successful status should now be 0.
- # We don't call is_running() because we want the exit status for debugging.
- try:
- ipautil.run(["/sbin/service", self.service_name, "status", PKI_INSTANCE_NAME])
- except ipautil.CalledProcessError, e:
- logging.critical("ca instance configuration not successful after restart %s" % e)
- raise RuntimeError('CA configuration not successful after restart')
-
logging.debug("completed creating ca instance")
def __restart_instance(self):
@@ -724,6 +699,13 @@ class CAInstance(service.Service):
# TODO: roll back here?
logging.critical("Failed to restart the certificate server. See the installation log for details.")
+ def __disable_nonce(self):
+ # Turn off Nonces
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
(admin_fd, admin_name) = tempfile.mkstemp()
@@ -1060,13 +1042,11 @@ class CAInstance(service.Service):
ipautil.run(["/sbin/restorecon", publishdir])
- def set_subject_in_config(self, suffix):
+ def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
print "Updating subject_base in CA template failed"
- self.print_msg("restarting certificate server")
- self.__restart_instance()
def uninstall(self):
if self.is_configured():
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index efbb2c933..62db9baf5 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -258,7 +258,10 @@ class Service(object):
if est.tm_min > 0:
if est.tm_min > 1:
plural = 's'
- self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
+ if est.tm_sec > 0:
+ self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec))
+ else:
+ self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
else:
if est.tm_sec > 1:
plural = 's'