authorMartin Kosek <mkosek@redhat.com>2012-11-19 10:32:28 -0500
committerRob Crittenden <rcritten@redhat.com>2012-12-07 11:00:17 -0500
commit867f7691e9e8d4dc101d227ca56a94f9b947897f (patch)
treedcd1529b6a530091bdb1f446b34bf71bae3836a9 /install/tools/ipa-upgradeconfig
parent0d836cd6ee9d7b29808cbf36582eed71a5b6a32a (diff)
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and OCSP extensions, which add the URIs of the IPA CRL and OCSP services to published certificates. Both the CRL and the OCSP extension have 2 URIs: one pointing directly to the IPA CA which published the certificate, and one to a new CNAME, ipa-ca.$DOMAIN, which was introduced as a general CNAME pointing to all IPA replicas which have a CA configured. The new CNAME is added either during a new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
Diffstat (limited to 'install/tools/ipa-upgradeconfig')
-rw-r--r--install/tools/ipa-upgradeconfig38
1 files changed, 34 insertions, 4 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 12e96cfb7..096d4d649 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ try:
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
+ from ipapython.dn import DN
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
@@ -47,6 +48,7 @@ try:
import pwd
import fileinput
from ipalib import api
+ import ipalib.util
import ipalib.errors
except ImportError:
print >> sys.stderr, """\
@@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
-def upgrade_ipa_profile(ca):
+def upgrade_ipa_profile(ca, domain, fqdn):
"""
Update the IPA Profile provided by dogtag
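Review bot: The docstring of `upgrade_ipa_profile` is not updated for the new `domain` and `fqdn` parameters; no hunk touches the lines between this one and the next, so it still describes only the profile update. It should state that both values are passed to `ca.set_crl_ocsp_extensions` (presumably to build the CRL and OCSP URIs written into the profile) and that a True return requests a pki-ca restart. The function body continues outside this hunk.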
@@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
else:
root_logger.debug('Subject Key Identifier already set.')
audit = ca.set_audit_renewal()
- if audit or ski:
+ uri = ca.set_crl_ocsp_extensions(domain, fqdn)
+ if audit or ski or uri:
return True
else:
root_logger.info('CA is not configured')
@@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
'request pki-ca restart')
return True
+def add_server_cname_records():
+ root_logger.info('[Add missing server CNAME records]')
+
+ if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError, e:
+ root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+ else:
+ ret = api.Command['dns_is_enabled']()
+ if not ret['result']:
+ root_logger.info('DNS is not configured')
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+ return
+
+ bind = bindinstance.BindInstance()
+ # DNS is enabled, so let bindinstance find out if CA is enabled
+ # and let it add the CNAME in that case
+ bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+ finally:
+ if api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.disconnect()
+ else:
+ root_logger.info('IPA CA CNAME already processed')
+
def main():
"""
Get some basics about the system. If getting those basics fail then
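Review bot: In `add_server_cname_records`, the branch taken when `dns_is_enabled` is false sets the `ipa_ca_cname` state to True and returns, so where DNS is not managed by IPA the name is never created and never retried. According to the commit description the profile still embeds an `ipa-ca.$DOMAIN` URI in certificates, so a client that cannot resolve it gets no revocation data from that URI. The message there should tell the administrator what to do, for example `root_logger.warning('DNS is not managed by IPA; create the ipa-ca CNAME manually so CRL/OCSP URIs resolve')`. Separately, an error raised by `dns_is_enabled` or `add_ipa_ca_cname` inside the `else:` is not caught by the `except ipalib.errors.PublicError` clause and, after the `finally`, propagates to `main`. The function also has no docstring.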
@@ -602,7 +631,7 @@ def main():
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
- api.bootstrap(context='restart')
+ api.bootstrap(context='restart', in_server=True)
api.finalize()
fqdn = find_hostname()
@@ -667,13 +696,14 @@ def main():
cleanup_kdc(fstore)
setup_firefox_extension(fstore)
+ add_server_cname_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
- ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
+ ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')
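Review bot: The `or` chain that assigns `ca_restart` short-circuits, so `upgrade_ipa_profile(ca, api.env.domain, fqdn)` is not called when `ca_restart` is already true or `enable_certificate_renewal(ca)` returns true. In that run the CRL/OCSP extensions are not written to the profile, and certificates issued until the next upgrade lack the revocation URIs. Evaluate the steps first and combine afterwards: `renewal = enable_certificate_renewal(ca)`, `profile = upgrade_ipa_profile(ca, api.env.domain, fqdn)`, `ca_restart = ca_restart or renewal or profile`. The host name here comes from `fqdn`, while `add_server_cname_records` uses `api.env.host`; using one source for both would keep the URI and the DNS record consistent. `main` continues outside this hunk.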