Use file to store the current CA serial number

No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix number of bugs in ipa-replica-install and prepare
Produce status output during replica creation

4 files changed, 58 insertions, 16 deletions

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index b39cf224..30568e6e 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -19,6 +19,7 @@
 
 import os, stat, subprocess, re
 import sha
+import errno
 
 from ipa import ipautil
 
@@ -42,7 +43,7 @@ class CertDB(object):
         # responsibility of the caller for now. In the
         # future we might automatically determine this
         # for a given db.
-        self.cur_serial = 1000
+        self.cur_serial = -1
 
         self.cacert_name = "CA certificate"
         self.valid_months = "120"
@@ -57,10 +58,40 @@ class CertDB(object):
         self.uid = mode[stat.ST_UID]
         self.gid = mode[stat.ST_GID]
     
+    def set_serial_from_pkcs12(self):
+        """A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
+
+        self.cur_serial = self.find_cacert_serial()
+        try:
+            f=open("/usr/share/ipa/serial","w")
+            f.write(str(self.cur_serial))
+            f.close()
+        except IOError, e:
+            raise RuntimeError("Unable to increment serial number: %s" % str(e))
+
     def next_serial(self):
-        r = self.cur_serial
-        self.cur_serial += 1
-        return str(r)
+        try:
+            f=open("/usr/share/ipa/serial","r")
+            r = f.readline()
+            self.cur_serial = int(r) + 1
+            f.close()
+        except IOError, e:
+            if e.errno == errno.ENOENT:
+                self.cur_serial = 1000
+                f=open("/usr/share/ipa/serial","w")
+                f.write(str(self.cur_serial))
+                f.close()
+            else:
+                raise RuntimeError("Unable to determine serial number: %s" % str(e))
+
+        try:
+            f=open("/usr/share/ipa/serial","w")
+            f.write(str(self.cur_serial))
+            f.close()
+        except IOError, e:
+            raise RuntimeError("Unable to increment serial number: %s" % str(e))
+
+        return str(self.cur_serial)
 
     def set_perms(self, fname, write=False):
         os.chown(fname, self.uid, self.gid)
@@ -75,7 +106,7 @@ class CertDB(object):
     def run_certutil(self, args, stdin=None):
         new_args = ["/usr/bin/certutil", "-d", self.secdir]
         new_args = new_args + args
-        ipautil.run(new_args, stdin)
+        return ipautil.run(new_args, stdin)
 
     def run_signtool(self, args, stdin=None):
         new_args = ["/usr/bin/signtool", "-d", self.secdir]
@@ -139,6 +170,16 @@ class CertDB(object):
                            "-t", "CT,,C",
                            "-a",
                            "-i", cacert_fname])
+
+    def find_cacert_serial(self):
+        (out,err) = self.run_certutil(["-L", "-n", self.cacert_name])
+        data = out.split('\n')
+        for line in data:
+            x = re.match(r'\s+Serial Number: (\d+) .*', line)
+            if x is not None:
+                return x.group(1)
+
+        raise RuntimeError("Unable to find serial number")
         
     def create_server_cert(self, nickname, name, other_certdb=None):
         cdb = other_certdb
@@ -330,5 +371,3 @@ class CertDB(object):
         sysrestore.backup_file(self.pin_fname)
         sysrestore.backup_file(self.certreq_fname)
         sysrestore.backup_file(self.certder_fname)
-
-        
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 733e5d5b..a320a1be 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -257,10 +257,9 @@ class DsInstance(service.Service):
         ca = certs.CertDB(dirname)
         if self.pkcs12_info:
             ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
-            ca.cur_serial = 2100
         else:
             ca.create_self_signed()
-        ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name)
+            ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name)
 
         conn = ipaldap.IPAdmin("127.0.0.1")
         conn.simple_bind_s("cn=directory manager", self.dm_password)
diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index 12e5ae10..bee77e9f 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -55,10 +55,11 @@ class HTTPInstance(service.Service):
     def __init__(self):
         service.Service.__init__(self, "httpd")
 
-    def create_instance(self, realm, fqdn):
+    def create_instance(self, realm, fqdn, autoconfig=True, pkcs12_info=None):
         self.fqdn = fqdn
         self.realm = realm
         self.domain = fqdn[fqdn.find(".")+1:]
+        self.pkcs12_info = pkcs12_info
         self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
         
         self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
@@ -66,7 +67,8 @@ class HTTPInstance(service.Service):
         self.step("configuring httpd", self.__configure_http)
         self.step("creating a keytab for httpd", self.__create_http_keytab)
         self.step("Setting up ssl", self.__setup_ssl)
-        self.step("Setting up browser autoconfig", self.__setup_autoconfig)
+        if autoconfig:
+            self.step("Setting up browser autoconfig", self.__setup_autoconfig)
         self.step("configuring SELinux for httpd", self.__selinux_config)
         self.step("restarting httpd", self.__start)
         self.step("configuring httpd to start on boot", self.__enable)
@@ -136,10 +138,12 @@ class HTTPInstance(service.Service):
     def __setup_ssl(self):
         ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
         ca = certs.CertDB(NSS_DIR)
-        ds_ca.cur_serial = 2000
-        ca.create_from_cacert(ds_ca.cacert_fname)
-        ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
-        ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
+        if self.pkcs12_info:
+            ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=False)
+        else:
+            ca.create_from_cacert(ds_ca.cacert_fname)
+            ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
+            ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
 
     def __setup_autoconfig(self):
         prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py
index 765905e5..10addc65 100644
--- a/ipa-server/ipaserver/replication.py
+++ b/ipa-server/ipaserver/replication.py
@@ -279,7 +279,7 @@ class ReplicationManager:
         return haserror
 
     def start_replication(self, other_conn):
-        print "starting replication"
+        print "Starting replication, please wait until this has completed."
         cn, dn = self.agreement_dn(self.conn)
 
         mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]