author | Jan Cholasta <jcholast@redhat.com> | 2013-04-08 10:20:00 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-04-11 13:50:45 +0200 |
commit | e434ef67b305c786c2672629135dcb02f4e4d064 (patch) | |
tree | b0082d871dfdf0436862521b4aee73163abfbc4b | |
parent | 0577091be81dc0fdfc888a91c8bb469c7462ce3d (diff) | |
Use only one URL for OCSP and CRL in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3552
-rw-r--r-- | ipaserver/install/cainstance.py | 59 |
1 files changed, 14 insertions, 45 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c7452be5..0d856910 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1275,17 +1275,18 @@ class CAInstance(service.Service):
 changed = False
 # OCSP extension
+ ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
 ocsp_location_0 = installutils.get_directive(
 self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
 separator='=')
- if not ocsp_location_0:
+ if ocsp_location_0 != ocsp_url:
 # Set the first OCSP URI
 installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
- 'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
- quotes=False, separator='=')
+ ocsp_url, quotes=False, separator='=')
 changed = True
 ocsp_profile_count = installutils.get_directive(
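Review bot: The OCSP URL in `ocsp_url` (and `crl_url` in the next hunk) is switched from `https://` to `http://`, but neither the commit message nor the code says why, so a later reader may "fix" it back to HTTPS. Serving OCSP responses and CRLs over plain HTTP is the conventional choice because both are signed by the CA, and fetching them over TLS would first require validating the web server's own certificate — a circular dependency for revocation checking — so this deserves a comment next to the assignment, e.g. `# OCSP responses and CRLs are CA-signed; plain HTTP avoids making revocation checks depend on the HTTPS certificate itself`. The new `ocsp_location_0 != ocsp_url` comparison also means an existing profile still carrying the old `https://` value is rewritten on upgrade, which is presumably intended and worth a sentence in the commit message. The enclosing method starts before this hunk.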
@@ -1293,34 +1294,22 @@ class CAInstance(service.Service):
 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
 separator='=')
- if ocsp_profile_count == '1':
- # add the second OCSP URI
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
- 'true', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
- 'URIName', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
- 'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
- quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
- '1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
+ if ocsp_profile_count != '1':
 installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
- '2', quotes=False, separator='=')
+ '1', quotes=False, separator='=')
 changed = True
 # CRL extension
- crl_issuer_0 = installutils.get_directive(
+ crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
+ crl_point_0 = installutils.get_directive(
 self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+ 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
 separator='=')
- if not crl_issuer_0:
+ if crl_point_0 != crl_url:
 installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
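Review bot: Dropping the code that wrote the `authInfoAccessAD*_1` directives and setting `authInfoAccessNumADs` back to `'1'` leaves any `_1` entries from an earlier install in the profile file, since nothing in this hunk deletes them; the same applies to the `crlDistPoints*_1` entries in the last hunk. If Dogtag reads only as many entries as `NumADs`/`crlDistPointsNum` says, they are inert, but they still carry the old per-host `http://<fqdn>/ca/ocsp` location and will mislead anyone auditing the profile. Either remove those directives when the count is rewritten, or record the leftover in a comment, e.g. `# NumADs=1 masks any stale *_1 entries left by older installs; they are not removed here`. Minor style point: `crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (...)` lacks the space before `%` that `ocsp_url` has.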
@@ -1329,8 +1318,7 @@ class CAInstance(service.Service):
 'DirectoryName', quotes=False, separator='=')
 installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
- 'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
- quotes=False, separator='=')
+ crl_url, quotes=False, separator='=')
 changed = True
 crl_profile_count = installutils.get_directive(
@@ -1338,29 +1326,10 @@ class CAInstance(service.Service):
 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
 separator='=')
- if crl_profile_count == '1':
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
- 'true', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
- 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
- 'DirectoryName', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
- 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
- quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
- 'URIName', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
- '', quotes=False, separator='=')
+ if crl_profile_count != '1':
 installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
- '2', quotes=False, separator='=')
+ '1', quotes=False, separator='=')
 changed = True
 # CRL extension is not enabled by default |