author | Martin Kosek <mkosek@redhat.com> | 2012-11-19 10:32:28 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-12-07 11:00:17 -0500 |
commit | 867f7691e9e8d4dc101d227ca56a94f9b947897f (patch) | |
tree | dcd1529b6a530091bdb1f446b34bf71bae3836a9 /install/tools/ipa-upgradeconfig | |
parent | 0d836cd6ee9d7b29808cbf36582eed71a5b6a32a (diff) | |
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions, which add the IPA CRL and OCSP URIs to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
Diffstat (limited to 'install/tools/ipa-upgradeconfig')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 12e96cfb..096d4d64 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ try:
 from ipapython.ipa_log_manager import *
 from ipapython import certmonger
 from ipapython import dogtag
+ from ipapython.dn import DN
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
 from ipaserver.install import httpinstance
@@ -47,6 +48,7 @@ try:
 import pwd
 import fileinput
 from ipalib import api
+ import ipalib.util
 import ipalib.errors
 except ImportError:
 print >> sys.stderr, """\
@@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
 http.setup_firefox_extension(realm, domain)
-def upgrade_ipa_profile(ca):
+def upgrade_ipa_profile(ca, domain, fqdn):
 """
 Update the IPA Profile provided by dogtag
@@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
 else:
 root_logger.debug('Subject Key Identifier already set.')
 audit = ca.set_audit_renewal()
- if audit or ski:
+ uri = ca.set_crl_ocsp_extensions(domain, fqdn)
+ if audit or ski or uri:
 return True
 else:
 root_logger.info('CA is not configured')
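Review bot: The two added imports, `from ipapython.dn import DN` and `import ipalib.util`, are not referenced by any line this commit adds to the file; the diffstat's 34 insertions are all visible here and none of them uses `DN` or `ipalib.util`. Unless code outside these hunks depends on them, I would drop both so the import block only lists what the upgrade script actually needs. This applies to the first and second hunks.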
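Review bot: `uri = ca.set_crl_ocsp_extensions(domain, fqdn)` runs for every configured CA, while per the commit message one of the two URIs in each extension points at ipa-ca.$DOMAIN, a name this upgrade only creates when IPA-managed DNS is enabled (see add_server_cname_records in the later hunk). Where DNS is hosted elsewhere, newly issued certificates would presumably carry a CRL/OCSP URI that does not resolve until an administrator adds the record, which matters for clients that treat an unreachable revocation source as a failure. I would make that visible at the call site, e.g. `root_logger.info('Issued certificates will reference ipa-ca.%s for CRL/OCSP; make sure the name resolves', domain)`. The docstring of upgrade_ipa_profile starts in the previous hunk and continues outside it, so I cannot tell whether the new `domain` and `fqdn` parameters are described there; if not, they should be.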
@@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
 'request pki-ca restart')
 return True
+def add_server_cname_records():
+ root_logger.info('[Add missing server CNAME records]')
+
+ if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError, e:
+ root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+ else:
+ ret = api.Command['dns_is_enabled']()
+ if not ret['result']:
+ root_logger.info('DNS is not configured')
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+ return
+
+ bind = bindinstance.BindInstance()
+ # DNS is enabled, so let bindinstance find out if CA is enabled
+ # and let it add the CNAME in that case
+ bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+ finally:
+ if api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.disconnect()
+ else:
+ root_logger.info('IPA CA CNAME already processed')
+
 def main():
 """
 Get some basics about the system. If getting those basics fail then
@@ -602,7 +631,7 @@ def main():
 fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
- api.bootstrap(context='restart')
+ api.bootstrap(context='restart', in_server=True)
 api.finalize()
 fqdn = find_hostname()
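Review bot: In add_server_cname_records() only the `api.Backend.ldap2.connect(autobind=True)` call is covered by `except ipalib.errors.PublicError, e:`; `api.Command['dns_is_enabled']()` and `bind.add_ipa_ca_cname(...)` run in the `else:` clause, so an error raised by either propagates out of the function. Since main() calls this before the CA steps (last hunk), that would appear to abort the rest of the upgrade, including the profile update. I would treat a failure there like the connect failure: log it and leave the `'dns', 'ipa_ca_cname'` state unset so the next run retries. The function also has no docstring; one line such as `"""Add the ipa-ca CNAME on upgrade when IPA-managed DNS is enabled; done once, tracked by the 'dns'/'ipa_ca_cname' upgrade state."""` would document the one-shot behaviour.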
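Review bot: The switch to `api.bootstrap(context='restart', in_server=True)` in main() carries no comment saying why the upgrade script now needs the server-side API. It is presumably required so that `api.Backend.ldap2` and `api.Command['dns_is_enabled']` used by add_server_cname_records() are available, but that is not stated anywhere in the hunk. I would add `# in_server=True: add_server_cname_records() needs the ldap2 backend and server-side commands` above the call. main() starts and ends outside this hunk.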
@@ -667,13 +696,14 @@ def main():
 cleanup_kdc(fstore)
 setup_firefox_extension(fstore)
+ add_server_cname_records()
 changed_psearch = named_enable_psearch()
 changed_autoincrement = named_enable_serial_autoincrement()
 if changed_psearch or changed_autoincrement:
 # configuration has changed, restart the name server
 root_logger.info('Changes to named.conf have been made, restart named')
 bindinstance.BindInstance(fstore).restart()
- ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
+ ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
 if ca_restart:
 root_logger.info('pki-ca configuration changed, restart pki-ca')
|
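Review bot: The `or` chain on the changed `ca_restart = ...` line short-circuits, so `upgrade_ipa_profile(ca, api.env.domain, fqdn)` is skipped whenever `ca_restart` is already true or `enable_certificate_renewal(ca)` returns true. On such a run the CRL/OCSP extensions this commit introduces are not written to the profile, and certificates issued afterwards would lack the revocation URIs until a later upgrade run happens to reach the call. Evaluating every step before combining avoids that: `ca_restart = any([ca_restart, enable_certificate_renewal(ca), upgrade_ipa_profile(ca, api.env.domain, fqdn)])`. The chaining predates this commit, but it now also gates the new extension setup; main() continues outside the hunk.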