Diffstat (limited to 'install')
-rw-r--r-- | install/share/bind.zone.db.template | 3 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 23 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 6 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 14 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 38 |
5 files changed, 70 insertions, 14 deletions
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 157d05e55..5ee71d688 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST
 _kpasswd._tcp IN SRV 0 100 464 $HOST
 _kpasswd._udp IN SRV 0 100 464 $HOST
 $OPTIONAL_NTP
+
+; CNAME for IPA CA replicas (used for CRL, OCSP)
+$IPA_CA_CNAME IN CNAME $HOST
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index aefcee8e5..f8f7e1d5d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -31,17 +31,17 @@ from ipaserver.install import certs
 from ipaserver.install.installutils import HostnameLocalhost
 from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
 from ipaserver.install.installutils import get_host_name, BadHostError
-from ipaserver.install import dsinstance, cainstance
+from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
 from ipalib import api, util
+from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 
 log_file_name = "/var/log/ipareplica-ca-install.log"
-CACERT = "/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR = None
 
 def parse_options():
@@ -74,6 +74,22 @@ def parse_options():
 def get_dirman_password():
     return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
 
+def install_dns_records(config, options):
+
+    if not bindinstance.dns_container_exists(config.master_host_name,
+                                             ipautil.realm_to_suffix(config.realm_name),
+                                             dm_password=config.dirman_password):
+        return
+
+    bind = bindinstance.BindInstance(dm_password=config.dirman_password)
+    try:
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                  bind_pw=config.dirman_password)
+        bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+    finally:
+        if api.Backend.ldap2.isconnected():
+            api.Backend.ldap2.disconnect()
+
 def main():
     safe_options, options, filename = parse_options()
 
@@ -176,6 +192,9 @@ def main():
     CA.enable_client_auth_to_db()
     CA.restart()
 
+    # Install CA DNS records
+    install_dns_records(config, options)
+
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f041c58a8..7d7115cfd 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -247,7 +247,8 @@ def install_bind(config, options):
         print "Using reverse zone %s" % reverse_zone
 
     bind.setup(config.host_name, config.ip_address, config.realm_name,
-               config.domain_name, forwarders, options.conf_ntp, reverse_zone)
+               config.domain_name, forwarders, options.conf_ntp, reverse_zone,
+               ca_configured=options.setup_ca)
     bind.create_instance()
     print ""
 
@@ -296,7 +297,8 @@ def install_dns_records(config, options):
 
     bind.add_master_dns_records(config.host_name, config.ip_address,
                                 config.realm_name, config.domain_name,
-                                reverse_zone, options.conf_ntp)
+                                reverse_zone, options.conf_ntp,
+                                options.setup_ca)
 
 def check_dirsrv():
     (ds_unsecure, ds_secure) = dsinstance.check_ports()
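Review bot: install_dns_records runs on every CA replica and each one calls `bind.add_ipa_ca_cname(config.host_name, config.domain_name)` for the same owner name, while the template comment describes the record as serving "IPA CA replicas" in the plural; DNS allows only one CNAME RR at a name (RFC 2181 §10.1), so unless add_ipa_ca_cname replaces rather than appends, the second CA replica either fails to add its record or produces a zone with conflicting CNAMEs, and CRL/OCSP clients end up pointed at a single CA with no failover. Publishing an A/AAAA record per CA host under the alias name instead of a CNAME would resolve the same name and tolerate several CA replicas. Separately, the body uses `ipautil.realm_to_suffix` but the import hunk above adds no `ipautil` import; if it is not already imported above line 31 this raises NameError on first call. The `options` parameter is unused in the function body.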
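Review bot: `install_dns_records(config, options)` in the -176 hunk is called immediately after `CA.restart()` with no error handling, so an exception from the Directory Manager bind or from add_ipa_ca_cname aborts ipa-ca-install after the CA instance is already configured and running, and the httpd restart on the following lines never happens. The equivalent upgrade path in ipa-upgradeconfig catches `ipalib.errors.PublicError` around its LDAP work; catching the same here, logging that the CA CNAME record must be added by hand, and continuing would stop a DNS-side problem from leaving the replica half-installed. main() starts and ends outside the hunk.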
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 92e9dcf2f..306d1e07b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -965,8 +965,8 @@ def main():
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
                                    dogtag_constants=dogtag.install_constants)
         if external == 0:
-            ca.configure_instance(host_name, dm_password, dm_password,
-                                  subject_base=options.subject)
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password, subject_base=options.subject)
         elif external == 1:
             # stage 1 of external CA installation
             options.realm_name = realm_name
@@ -979,12 +979,13 @@ def main():
             options.forwarders = dns_forwarders
             options.reverse_zone = reverse_zone
             write_cache(vars(options))
-            ca.configure_instance(host_name, dm_password, dm_password,
-                                  csr_file="/root/ipa.csr",
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password, csr_file="/root/ipa.csr",
                                   subject_base=options.subject)
         else:
             # stage 2 of external CA installation
-            ca.configure_instance(host_name, dm_password, dm_password,
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
                                   subject_base=options.subject)
@@ -1079,7 +1080,8 @@ def main():
                options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
                zone_refresh=options.zone_refresh,
                persistent_search=options.persistent_search,
-               serial_autoincrement=options.serial_autoincrement)
+               serial_autoincrement=options.serial_autoincrement,
+               ca_configured=not options.selfsign)
     if options.setup_dns:
         api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                                   bind_pw=dm_password)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 12e96cfb7..096d4d649 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
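Review bot: The three `ca.configure_instance(...)` call sites in this file now pass `domain_name` as a new second positional argument in front of `dm_password`, but the signature change itself lives in cainstance, outside this diffstat (limited to 'install'); any other caller of configure_instance that this commit does not touch would silently pass its admin password where the domain is now expected instead of failing loudly. Passing everything after `host_name` by keyword at these call sites, and checking the remaining callers (ipa-ca-install is touched here but its configure_instance call is not shown), would make such a mismatch a visible error rather than a mis-issued CA profile. The hunks at -979 and -1079 carry the same positional insertion. main() starts and ends outside these hunks.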
@@ -30,6 +30,7 @@ try:
     from ipapython.ipa_log_manager import *
     from ipapython import certmonger
     from ipapython import dogtag
+    from ipapython.dn import DN
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
@@ -47,6 +48,7 @@ try:
     import pwd
     import fileinput
     from ipalib import api
+    import ipalib.util
     import ipalib.errors
 except ImportError:
     print >> sys.stderr, """\
@@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
     http.setup_firefox_extension(realm, domain)
 
 
-def upgrade_ipa_profile(ca):
+def upgrade_ipa_profile(ca, domain, fqdn):
     """
     Update the IPA Profile provided by dogtag
 
@@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
     else:
         root_logger.debug('Subject Key Identifier already set.')
     audit = ca.set_audit_renewal()
-    if audit or ski:
+    uri = ca.set_crl_ocsp_extensions(domain, fqdn)
+    if audit or ski or uri:
         return True
     else:
         root_logger.info('CA is not configured')
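Review bot: `upgrade_ipa_profile` gains `domain` and `fqdn` parameters in the -307 hunk, but its docstring ("Update the IPA Profile provided by dogtag") is not extended to say what they are for; the -321 hunk shows they are only forwarded to `ca.set_crl_ocsp_extensions(domain, fqdn)`. Add to the docstring lines such as `:param domain: DNS domain used to build the CRL/OCSP URI` and `:param fqdn: FQDN of this CA host`, and state that the function returns True when any of the audit-renewal, SKI or CRL/OCSP-URI settings was changed so the caller knows a pki-ca restart is needed. The `import ipalib.util` added in the -47 hunk has no visible use anywhere in this diff; if nothing else in the file needs it, it should be dropped. The body of upgrade_ipa_profile continues outside the hunk.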
@@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
                          'request pki-ca restart')
     return True
 
+def add_server_cname_records():
+    root_logger.info('[Add missing server CNAME records]')
+
+    if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError, e:
+            root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+        else:
+            ret = api.Command['dns_is_enabled']()
+            if not ret['result']:
+                root_logger.info('DNS is not configured')
+                sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+                return
+
+            bind = bindinstance.BindInstance()
+            # DNS is enabled, so let bindinstance find out if CA is enabled
+            # and let it add the CNAME in that case
+            bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
+            sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+        finally:
+            if api.Backend.ldap2.isconnected():
+                api.Backend.ldap2.disconnect()
+    else:
+        root_logger.info('IPA CA CNAME already processed')
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -602,7 +631,7 @@ def main():
 
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    api.bootstrap(context='restart')
+    api.bootstrap(context='restart', in_server=True)
     api.finalize()
 
     fqdn = find_hostname()
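Review bot: In `add_server_cname_records` only `api.Backend.ldap2.connect(autobind=True)` is covered by the `except ipalib.errors.PublicError` clause; an error raised by `api.Command['dns_is_enabled']()` or `bind.add_ipa_ca_cname(...)` inside the `else:` block propagates out of the function, aborts ipa-upgradeconfig before the named and pki-ca steps that main() runs after this call, and leaves the upgrade state unset so the same failure recurs on every run. Wrapping the `else` body in its own `except ipalib.errors.PublicError, e:` that logs `root_logger.error("Cannot add IPA CA CNAME record: %s", e)` and falls through to `finally` would treat a DNS-side problem the same way the connect failure is already treated. The function also reads the hostname from `api.env.host` while main() derives `fqdn = find_hostname()` for the other CA steps; if those can differ on an upgraded host the CNAME would target the wrong name, which is not decidable from this diff.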
@@ -667,13 +696,14 @@ def main():
     cleanup_kdc(fstore)
     setup_firefox_extension(fstore)
+    add_server_cname_records()
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bindinstance.BindInstance(fstore).restart()
 
-    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
+    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
     if ca_restart:
         root_logger.info('pki-ca configuration changed, restart pki-ca') |
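Review bot: The `or` chain on the changed line short-circuits, so `upgrade_ipa_profile(ca, api.env.domain, fqdn)` — and with it the new `set_crl_ocsp_extensions` migration — is skipped on any run where `ca_restart` is already True or `enable_certificate_renewal(ca)` returned True; on such a run pki-ca is restarted anyway but the CRL/OCSP URIs in the profile are left unmigrated until some later run happens to reach that call. Evaluate each step unconditionally and combine the results afterwards: `renewal_changed = enable_certificate_renewal(ca)`, `profile_changed = upgrade_ipa_profile(ca, api.env.domain, fqdn)`, `ca_restart = ca_restart or renewal_changed or profile_changed`. This also brings the over-long line back within the width used elsewhere in the file. main() starts and ends outside the hunk.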