From 392097f20673708a684da168aec302da7ccda9a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Oct 2012 10:40:20 -0400
Subject: Configure the initial CA as the CRL generator.

Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.

https://fedorahosted.org/freeipa/ticket/3051
---
 install/conf/ipa-pki-proxy.conf |  5 ++++-
 install/tools/ipa-upgradeconfig |  9 ++++++++-
 ipaserver/install/cainstance.py | 19 ++++++++++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 20c09217a..8c4f3a9b6 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -3,7 +3,7 @@
 ProxyRequests Off
 
 # matches for ee port
-<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -25,3 +25,6 @@ ProxyRequests Off
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
+
+# Only enable this on servers that are not generating a CRL
+${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3ba6b5c06..384261498 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -603,13 +603,20 @@ def main():
         AUTOREDIR='' if auto_redirect else '#',
         CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
         DOGTAG_PORT=configured_constants.AJP_PORT,
+        CLONE='#'
     )
 
+    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
 
     # migrate CRL publish dir before the location in ipa.conf is updated
-    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
     ca_restart = migrate_crl_publish_dir(ca)
 
+    if ca.is_configured():
+        crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+                                         'ca.crl.MasterCRL.enableCRLUpdates',
+                                         '=')
+        sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a64fe6f03..aabbba39d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1239,6 +1239,19 @@ class CAInstance(service.Service):
             'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
             quotes=False, separator='=')
 
+        # If we are the initial master then we are the CRL generator, otherwise
+        # we point to that master for CRLs.
+        if not self.clone:
+            # These next two are defaults, but I want to be explicit that the
+            # initial master is the CRL generator.
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
+        else:
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
+
     def __set_subject_in_config(self):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject
@@ -1291,7 +1304,11 @@ class CAInstance(service.Service):
 
     def __http_proxy(self):
         template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
-        sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
+        sub_dict = dict(
+            DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
+            CLONE='' if self.clone else '#',
+            FQDN=self.fqdn,
+        )
         template = ipautil.template_file(template_filename, sub_dict)
         with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
             fd.write(template)
-- 
cgit