From 4f76c143d2f2036af02677469c542f563a10158d Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 23 Aug 2012 12:38:45 -0400
Subject: Use Dogtag 10 only when it is available

Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
---
install/conf/ipa-pki-proxy.conf | 14 +++++++-------
install/conf/ipa.conf | 6 +++---
install/restart_scripts/renew_ca_cert | 11 +++++------
install/restart_scripts/restart_pkicad | 15 +++++++--------
install/tools/ipa-ca-install | 6 ++++--
install/tools/ipa-csreplica-manage | 3 ++-
install/tools/ipa-replica-install | 4 +++-
install/tools/ipa-replica-prepare | 5 ++++-
install/tools/ipa-server-install | 21 +++++++++++++++------
install/tools/ipa-upgradeconfig | 12 ++++++++++--
install/ui/test/data/ipa_init.json | 6 +++---
11 files changed, 63 insertions(+), 40 deletions(-)
(limited to 'install')

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 7a067ca9c..20c09217a 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 1 - DO NOT REMOVE THIS LINE
+# VERSION 2 - DO NOT REMOVE THIS LINE
 ProxyRequests Off
@@ -6,22 +6,22 @@ ProxyRequests Off
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
- ProxyPassMatch ajp://localhost:8009
- ProxyPassReverse ajp://localhost:8009
+ ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+ ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 # matches for admin port and installer
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
- ProxyPassMatch ajp://localhost:8009
- ProxyPassReverse ajp://localhost:8009
+ ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+ ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 # matches for agent port and eeca port
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
- ProxyPassMatch ajp://localhost:8009
- ProxyPassReverse ajp://localhost:8009
+ ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+ ProxyPassReverse ajp://localhost:$DOGTAG_PORT
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index d428460fe..ed50a35b5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 7 - DO NOT REMOVE THIS LINE
+# VERSION 8 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
-
+Alias /ipa/crl "$CRL_PUBLISH_PATH"
+
 SetHandler None
 AllowOverride None
 Options Indexes FollowSymLinks
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 4c3af9775..5317835fc 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -32,6 +32,7 @@ from ipapython.dn import DN
 from ipalib import errors
 from ipapython import services as ipaservices
 from ipapython import ipautil
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
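Review bot: `$DOGTAG_PORT` on the ProxyPassMatch/ProxyPassReverse lines names a port without saying which one, while Dogtag exposes several (the ipa_init.json hunk in this same commit lists separate agent, ee and install ports) and ipa-upgradeconfig fills this key from `configured_constants.AJP_PORT`. Renaming the placeholder to `$DOGTAG_AJP_PORT`, with the matching key change in the sub_dict of ipa-upgradeconfig and wherever else this template is rendered, would make the substitution self-describing and harder to confuse with the HTTPS ports. At minimum a comment near the top of the template, such as `# $DOGTAG_PORT is the CA's local AJP connector port, substituted at install/upgrade`, would record the intent for the next editor.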
@@ -45,11 +46,9 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
- alias_dir = '/var/lib/pki-ca/alias'
- dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm, nssdir=alias_dir)
@@ -112,5 +111,5 @@ time.sleep(pause)
 try:
 ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
 (dogtag_instance, str(e)))
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index c21fb802f..0b6040a9d 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -22,6 +22,7 @@ import sys
 import syslog
 from ipapython import services as ipaservices
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipalib import api
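Review bot: `dogtag.configured_constants(api)` is called with the explicitly bootstrapped `api` here (and likewise in restart_pkicad @@ -30 and ipa-csreplica-manage @@ -80), whereas ipa-replica-prepare, ipa-server-install and ipa-upgradeconfig call `dogtag.configured_constants()` with no argument. If the default argument resolves to the same global `api` object the difference is cosmetic, but in these certmonger restart scripts the resulting `alias_dir` appears to decide which NSS database the renewed certificate is written into (`db = certs.CertDB(api.env.realm, nssdir=alias_dir)`), so the two forms should not be unified blindly. A one-line comment above the call, e.g. `# pass the api bootstrapped with context='restart' above so dogtag_version is read from this host's config`, would record why the explicit form is used here.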
@@ -30,18 +31,16 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
- alias_dir = '/var/lib/pki-ca/alias'
- dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" %
 (dogtag_instance, nickname))
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
- db = certs.CertDB(api.env.realm, nssdir = alias_dir )
+ db = certs.CertDB(api.env.realm, nssdir=alias_dir)
 args = ['-M', '-n', nickname, '-t', 'u,u,Pu',
@@ -54,5 +53,5 @@ try:
 ipaservices.knownservices.pki_cad.stop(dogtag_instance)
 ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
 (dogtag_instance, str(e)))
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index d52832239..1c1b96a91 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -37,6 +37,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 log_file_name = "/var/log/ipareplica-ca-install.log"
@@ -156,10 +157,11 @@ def main():
 # We need to restart apache as we drop a new config file in there
 ipaservices.knownservices.httpd.restart(capture_output=True)
- #update dogtag version in config file to denote new instance
+ #update dogtag version in config file
 try:
 fd = open("/etc/ipa/default.conf", "a")
- fd.write("dogtag_version=10\n")
+ fd.write(
+ "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
 fd.close()
 except IOError, e:
 print "Failed to update /etc/ipa/default.conf"
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 884956fd1..39cfa5851 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -29,6 +29,7 @@ from ipapython import ipautil
 from ipaserver.install import replication, installutils
 from ipaserver import ipaldap
 from ipapython import version
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.dn import DN
@@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager):
 """
 dn = None
 cn = None
- instance_name = 'pki-tomcat'
+ instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
 # if master is not None we know what dn to return:
 if master is not None:
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a7b34cf1b..0378827d5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
+from ipapython import dogtag
 from ipapython.dn import DN
 log_file_name = "/var/log/ipareplica-install.log"
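Review bot: The `fd.write("dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)` line is now repeated in three installers (here, ipa-replica-install @@ -376 and ipa-server-install @@ -853); since this entry is the value that `dogtag.configured_constants()` later keys every CA path and service name on, a single helper in dogtag.py that records the entry in default.conf would keep the three sites from drifting. In this hunk the file is opened with mode "a" and nothing checks for an existing `dogtag_version` entry, so running this code path a second time appends a second line, and if `write()` raises the `IOError` branch leaves `fd` unclosed. The enclosing main() starts and ends outside the hunk.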
@@ -376,7 +377,8 @@ def main():
 if ipautil.file_exists(config.dir + "/cacert.p12"):
 fd.write("enable_ra=True\n")
 fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=10\n")
+ fd.write("dogtag_version=%s\n" %
+ dogtag.install_constants.DOGTAG_VERSION)
 fd.write("mode=production\n")
 fd.close()
 finally:
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index ce25681f4..56f132a38 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
+from ipapython import dogtag
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors, util
 from ipapython.dn import DN
@@ -304,7 +305,9 @@ def main():
 if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
 sys.exit(1)
- if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
+ if (not certs.ipa_self_signed() and
+ not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
+ not options.dirsrv_pin):
 sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 check_ipa_configuration(api.env.realm)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 639a72701..201e2fb18 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
@@ -465,6 +466,9 @@ def uninstall():
 except Exception, e:
 pass
+ # Need to get dogtag info before /etc/ipa/default.conf is removed
+ dogtag_constants = dogtag.configured_constants()
+
 print "Removing IPA client configuration"
 try:
 (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
@@ -477,10 +481,13 @@ def uninstall():
 print "ipa-client-install returned: " + str(e)
 ntpinstance.NTPInstance(fstore).uninstall()
- if cainstance.CADSInstance().is_configured():
- cainstance.CADSInstance().uninstall()
- if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
- cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
+ cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
+ if cads_instance.is_configured():
+ cads_instance.uninstall()
+ ca_instance = cainstance.CAInstance(
+ api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ if ca_instance.is_configured():
+ ca_instance.uninstall()
 bindinstance.BindInstance(fstore).uninstall()
 httpinstance.HTTPInstance(fstore).uninstall()
 krbinstance.KrbInstance(fstore).uninstall()
@@ -853,7 +860,8 @@ def main():
 fd.write("enable_ra=True\n")
 if not options.selfsign:
 fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=10\n")
+ fd.write("dogtag_version=%s\n" %
+ dogtag.install_constants.DOGTAG_VERSION)
 fd.write("mode=production\n")
 fd.close()
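Review bot: In the uninstall hunks (@@ -465 and @@ -477) whether the CA gets removed now depends entirely on which constants `dogtag.configured_constants()` returns before default.conf is deleted; if that call falls back to a default because `dogtag_version` was never recorded (for instance after a partially failed install), `is_configured()` is evaluated against the other Dogtag's paths and the CA instance would be skipped without any message, leaving its services and files behind. Printing the instance being examined, in the style the function already uses, e.g. `print "Checking CA instance %s" % dogtag_constants.PKI_INSTANCE_NAME` before the `cads_instance` line, would make that case diagnosable from the uninstall output. The `dogtag_constants=` keyword on CADSInstance and CAInstance is presumably added in ipaserver/install/cainstance.py, which is outside this page (limited to 'install'). uninstall() starts and ends outside the hunk.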
@@ -916,7 +924,8 @@ def main():
 cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
 if not cs.is_configured():
 cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
+ ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+ dogtag_constants=dogtag.install_constants)
 if external == 0:
 ca.configure_instance(host_name, dm_password, dm_password, subject_base=options.subject)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3041cb60b..6c0437180 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ try:
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import *
 from ipapython import certmonger
+ from ipapython import dogtag
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
 from ipaserver.install import httpinstance
@@ -458,7 +459,7 @@ def enable_certificate_renewal(realm):
 ca.configure_agent_renewal()
 ca.track_servercert()
 sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
- ca.restart(cainstance.PKI_INSTANCE_NAME)
+ ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 root_logger.debug('CA subsystem certificate renewal enabled')
 def main():
@@ -495,7 +496,14 @@ def main():
 check_certs()
 auto_redirect = find_autoredirect(fqdn)
- sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
+ configured_constants = dogtag.configured_constants()
+ sub_dict = dict(
+ REALM=api.env.realm,
+ FQDN=fqdn,
+ AUTOREDIR='' if auto_redirect else '#',
+ CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
+ DOGTAG_PORT=configured_constants.AJP_PORT,
+ )
 upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
 upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
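Review bot: `cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)` is still constructed without `dogtag_constants`, while the `ca = cainstance.CAInstance(...)` line just below now passes `dogtag_constants=dogtag.install_constants` and the uninstall path (@@ -477) passes them to CADSInstance as well. If CADSInstance defaults to `configured_constants()`, at this point of a fresh install it may resolve from an `api.env` bootstrapped before `dogtag_version` was written at @@ -853, so install and uninstall could disagree on which instance they are handling; passing the constants here too, `cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password, dogtag_constants=dogtag.install_constants)`, keeps the two constructors consistent. main() starts and ends outside the hunk.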
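Review bot: The new `CRL_PUBLISH_PATH` and `DOGTAG_PORT` keys in `sub_dict` (ipa-upgradeconfig @@ -495) must match the `$CRL_PUBLISH_PATH` and `$DOGTAG_PORT` placeholders introduced in ipa.conf and ipa-pki-proxy.conf in this same commit, and the VERSION bumps in those templates are what make upgrade() rewrite them, yet nothing in the code ties the two together. A comment above the dict, `# keys are the $PLACEHOLDERS used by the ipa.conf / ipa-pki-proxy.conf templates; bump the template VERSION when adding one`, would record that coupling for the next person adding a key. Whether ipa-pki-proxy.conf is also passed to upgrade() with this dict is not visible in the hunk.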
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index bccc31b19..0d94d9b02 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -669,12 +669,12 @@
 "result": {
 "basedn": "dc=dev,dc=example,dc=com",
 "bin": "/var/www",
- "ca_agent_install_port": 8443,
+ "ca_agent_install_port": 9443,
 "ca_agent_port": 443,
- "ca_ee_install_port": 8443,
+ "ca_ee_install_port": 9444,
 "ca_ee_port": 443,
 "ca_host": "dev.example.com",
- "ca_install_port": 8080,
+ "ca_install_port": 9180,
 "ca_port": 80,
 "conf": "/etc/ipa/server.conf",
 "conf_default": "/etc/ipa/default.conf",
-- cgit