From a2641254fecae7097cb64da32647199f0155b631 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 26 Jul 2011 13:21:36 +0200
Subject: Fix external CA install. ticket 1523
---
 install/tools/ipa-server-install | 59 +++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 25 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8f8100bc9..f47741244 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -212,9 +212,15 @@ def parse_options():
 if (options.external_cert_file or options.external_ca_file) and options.selfsign:
 parser.error("--selfsign cannot be used with the external CA options.")
+ if options.external_ca:
+ if options.external_cert_file:
+ parser.error("You cannot specify --external_cert_file together with --external-ca")
+ if options.external_ca_file:
+ parser.error("You cannot specify --external_ca_file together with --external-ca")
+
 if ((options.external_cert_file and not options.external_ca_file) or (not options.external_cert_file and options.external_ca_file)):
- parser.error("if either external option is used, both are required.")
+ parser.error("if either external CA option is used, both are required.")
 if (options.external_ca_file and not os.path.isabs(options.external_ca_file)):
 parser.error("--external-ca-file must use an absolute path")
@@ -503,7 +509,7 @@ def main():
 else:
 standard_logging_setup("/var/log/ipaserver-install.log", options.debug)
 print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
- if (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()) and not options.external_cert_file:
+ if not options.external_ca and not options.external_cert_file and (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()):
 sys.exit("IPA server is already configured on this system.\n" + "If you want to reinstall the IPA server please uninstall it first.")
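Review bot: The two added `parser.error` messages in the `@@ -212,9 +212,15 @@` hunk spell the options `--external_cert_file` and `--external_ca_file` with underscores, while the unchanged message at the end of the same hunk says `--external-ca-file` with dashes. An operator who copies an option name from the error text should get the spelling the parser actually registers; the option definitions are outside this hunk, so check them and use one spelling throughout, including the `print` messages added in the `@@ -544,9 +550,26 @@` hunk.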
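Review bot: With `not options.external_ca` added to the guard in the `@@ -503,7 +509,7 @@` hunk, a run with `--external-ca` no longer evaluates `dsinstance.DsInstance().is_configured()` anywhere visible; the replacement check added in the `@@ -544,9 +550,26 @@` hunk tests only `cainstance.CADSInstance().is_configured()`. If a directory server instance can be configured on a host without the CA directory instance (not visible from here), stage 1 would proceed on an already configured system instead of stopping. Consider keeping the directory-server test on that path, for example `if options.external_ca and dsinstance.DsInstance().is_configured():` followed by the existing "already configured" exit, or add a comment explaining why skipping it is safe.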
@@ -544,9 +550,26 @@ def main():
 return uninstall()
+ if options.external_ca:
+ if cainstance.CADSInstance().is_configured():
+ print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file."
+ sys.exit(1)
+ elif options.external_cert_file:
+ if not cainstance.CADSInstance().is_configured():
+ # This can happen if someone passes external_ca_file without
+ # already having done the first stage of the CA install.
+ print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
+ sys.exit(1)
+ if not ipautil.file_exists(options.external_cert_file):
+ print "%s does not exist" % options.external_cert_file
+ sys.exit(1)
+ if not ipautil.file_exists(options.external_ca_file):
+ print "%s does not exist" % options.external_ca_file
+ sys.exit(1)
+
 # This will override any settings passed in on the cmdline
 if ipautil.file_exists(ANSWER_CACHE):
- dm_password = read_dm_password()
+ dm_password = read_password("Directory Manager", confirm=False)
 options._update_loose(read_cache(dm_password))
 print "=============================================================================="
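Review bot: The added stage and file-existence checks run on the command-line values, but the unchanged lines directly below them call `options._update_loose(read_cache(dm_password))`, which the existing comment says overrides anything passed on the command line. If the cache can carry `external_ca`, `external_cert_file` or `external_ca_file` (`read_cache` is outside this hunk), the values that were validated are not necessarily the ones used later in `main()`. Either move the block below the cache merge or state the assumption in a comment, for example `# checked before the cache merge; assumes read_cache() never returns the external_* file options`.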
@@ -754,24 +777,12 @@ def main():
 # Figure out what state we're in. See cainstance.py for more info on
 # the 3 states.
- if options.external_cert_file is not None and options.external_ca_file is not None:
- # These options imply this and this is required to install the CA.
- # This is needed otherwise the setup of dogtag will fail.
- options.external_ca = True
- external = 0
- if options.external_ca:
- external = 1
- if external and ipautil.file_exists("/root/ipa.csr"):
+ if options.external_cert_file:
 external = 2
- if options.external_cert_file is None or options.external_ca_file is None:
- print "You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file"
- sys.exit(1);
- if external and options.external_cert_file and not ipautil.file_exists(options.external_cert_file):
- print "%s does not exist" % options.external_cert_file
- sys.exit(1);
- if external and options.external_ca_file and not ipautil.file_exists(options.external_ca_file):
- print "%s does not exist" % options.external_ca_file
- sys.exit(1);
+ elif options.external_ca:
+ external = 1
+ else:
+ external = 0
 cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
 if not cs.is_configured():
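Review bot: The removed lines set `options.external_ca = True` whenever both certificate files were given, with a comment that dogtag setup fails otherwise; the new `if`/`elif`/`else` chain only computes `external` and leaves `options.external_ca` as it was parsed or merged. If any later code in `main()` (outside this hunk) still reads `options.external_ca` during stage 2, it now depends on something else having set it. A comment above the chain would record the intended precedence, for example `# external_cert_file takes precedence over external_ca: stage 2 is selected by the certificate files alone`.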
@@ -787,18 +798,16 @@ def main():
 options.master_password = master_password
 options.dm_password = dm_password
 options.admin_password = admin_password
- options.host_name = host_default
+ options.host_name = host_name
 options.unattended = True
+ options.forwarders = dns_forwarders
+ options.reverse_zone = reverse_zone
 write_cache(options)
 ca.configure_instance(host_name, dm_password, dm_password, csr_file="/root/ipa.csr", subject_base=options.subject)
 else: # stage 2 of external CA installation
- if not ca.is_installed():
- # This can happen if someone passes external_ca_file without
- # already having done the first stage of the CA install.
- sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
 ca.configure_instance(host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file,
-- cgit
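Review bot: The removed stage-2 guard tested `ca.is_installed()`, whereas the check that replaces it (added in the `@@ -544,9 +550,26 @@` hunk) tests `cainstance.CADSInstance().is_configured()`, which is a different object. If stage 1 can leave the CA directory instance configured without the CA itself being installed, for instance after an interrupted first run, stage 2 now reaches `ca.configure_instance(..., cert_file=...)` without that state being detected. Whether the two predicates are equivalent is not visible here; if they are not, keep the `ca.is_installed()` test in the `else:` branch alongside the earlier check. The `else:` branch and the `configure_instance` call continue past the end of the hunk.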