author | Petr Viktorin <pviktori@redhat.com> | 2013-03-26 18:06:50 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-04-15 16:55:27 -0400 |
commit | 4e3c1051d029363a099312eac48f337244a5610c (patch) | |
tree | 81574e96640ac9743ab7088af724233944d9cb62 | |
parent | fe00788bb439d461e1429ffbd94e42d615e2ddf9 (diff) | |
download | freeipa.git-4e3c1051d029363a099312eac48f337244a5610c.tar.gz freeipa.git-4e3c1051d029363a099312eac48f337244a5610c.tar.xz freeipa.git-4e3c1051d029363a099312eac48f337244a5610c.zip |
Uninstall selfsign CA on upgrade
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
-rw-r--r-- | install/tools/ipa-upgradeconfig | 25 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 16 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/service.py | 3 |
4 files changed, 43 insertions, 8 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index dbbffe32..8ae54894 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ import os
 import shutil
 import pwd
 import fileinput
+import ConfigParser
 from ipalib import api
 import ipalib.util
@@ -757,6 +758,25 @@ def add_ca_dns_records():
 sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+def uninstall_selfsign(ds, http):
+ root_logger.info('[Removing self-signed CA]')
+ """Replace self-signed CA by a CA-less install"""
+ if api.env.ra_plugin != 'selfsign':
+ root_logger.debug('Self-signed CA is not installed')
+ return
+
+ root_logger.warning(
+ 'Removing self-signed CA. Certificates will need to managed manually.')
+ p = ConfigParser.SafeConfigParser()
+ p.read('/etc/ipa/default.conf')
+ p.set('global', 'enable_ra', 'False')
+ p.set('global', 'ra_plugin', 'none')
+ with open('/etc/ipa/default.conf', 'w') as f:
+ p.write(f)
+
+ ds.stop_tracking_certificates()
+ http.stop_tracking_certificates()
+
 def main():
 """
 Get some basics about the system. If getting those basics fail then
@@ -834,6 +854,10 @@ def main():
 http.remove_httpd_ccache()
 http.configure_selinux_for_httpd()
+ ds = dsinstance.DsInstance()
+
+ uninstall_selfsign(ds, http)
+
 memcache = memcacheinstance.MemcacheInstance()
 memcache.ldapi = True
 memcache.realm = api.env.realm
@@ -841,7 +865,6 @@ def main():
 if not memcache.is_configured():
 # 389-ds needs to be running to create the memcache instance
 # because we record the new service in cn=masters.
- ds = dsinstance.DsInstance()
 ds.start()
 memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
 except ipalib.errors.DuplicateEntry:
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index be629b19..4b0c580a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
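Review bot: In uninstall_selfsign the config is rewritten before the certificates are untracked, so if either stop_tracking_certificates() call fails the step is not retriable: ra_plugin is already 'none' and the next upgrade run returns at the 'Self-signed CA is not installed' check while certmonger still tracks the server certs; move the two `stop_tracking_certificates()` calls ahead of the ConfigParser block. `open('/etc/ipa/default.conf', 'w')` also truncates the live config in place and ConfigParser.write() discards any comments the file held, so writing to a temporary file in the same directory and renaming it over the original would leave a usable config if the tool is interrupted mid-write. The string after `root_logger.info(...)` is not a docstring because it is not the first statement; move `"""Replace self-signed CA by a CA-less install"""` to the first line of the body. The warning text has a typo and should read `'Removing self-signed CA. Certificates will need to be managed manually.'`.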
@@ -709,11 +709,7 @@ class DsInstance(service.Service):
 serverid = self.restore_state("serverid")
 if not serverid is None:
- # drop the trailing / off the config_dirname so the directory
- # will match what is in certmonger
- dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
- dsdb.untrack_server_cert(self.nickname)
+ self.stop_tracking_certificates(serverid)
 erase_ds_instance_data(serverid)
 # At one time we removed this user on uninstall. That can potentially
@@ -735,6 +731,16 @@ class DsInstance(service.Service):
 except Exception, e:
 root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
+ def stop_tracking_certificates(self, serverid=None):
+ if serverid is None:
+ serverid = self.get_state("serverid")
+ if not serverid is None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
+ dsdb.untrack_server_cert(self.nickname)
+
 # we could probably move this function into the service.Service
 # class - it's very generic - all we need is a way to get an
 # instance of a particular Service
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index c3407354..e134fbef 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
 if not running is None:
 self.stop()
- db = certs.CertDB(api.env.realm)
- db.untrack_server_cert(self.cert_nickname)
+ self.stop_tracking_certificates()
 if not enabled is None and not enabled:
 self.disable()
@@ -404,3 +403,7 @@ class HTTPInstance(service.Service):
 if not running is None and running:
 self.start()
+
+ def stop_tracking_certificates(self):
+ db = certs.CertDB(api.env.realm)
+ db.untrack_server_cert(self.cert_nickname)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 83ade903..8f4a7dbb 100644
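Review bot: DsInstance.stop_tracking_certificates silently does nothing when no serverid is stored — the `if not serverid is None:` branch is skipped and the upgrade caller carries on as if the DS certificate were untracked; a `root_logger.debug('serverid not found, not untracking DS certificate')` in the fall-through (or a warning, since the upgrade path relies on this) would make that visible. Neither this method nor HTTPInstance.stop_tracking_certificates in the next hunk has a docstring; a one-liner such as `"""Tell certmonger to stop tracking this instance's server certificate."""` on each would do. The two `if not serverid is None:` tests read better as `if serverid is not None:`. Both enclosing classes continue outside their hunks.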
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -292,6 +292,9 @@ class Service(object):
 def restore_state(self, key):
 return self.sstore.restore_state(self.service_name, key)
+ def get_state(self, key):
+ return self.sstore.get_state(self.service_name, key)
+
 def print_msg(self, message):
 print_msg(message, self.output_fd)
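Review bot: Service.get_state has no docstring, and because it sits next to restore_state with an identical shape a reader cannot tell from this hunk how the two differ. If, as the names suggest, sstore.get_state is a non-destructive read while restore_state consumes the entry, a line such as `"""Return the stored value for *key* without removing it from the state store."""` would pin that contract for callers like DsInstance.stop_tracking_certificates. The Service class continues outside the hunk.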