diff options
author | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 10:40:20 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 19:25:09 -0400 |
commit | 755f1d728d4993f58b3e82716785e1658efad5d3 (patch) | |
tree | 794648c831c632a1094481909ac9b98ef1d75753 /install | |
parent | d4878c8b167f4ea3c5a71e913d26215cc872110a (diff) | |
download | freeipa.git-755f1d728d4993f58b3e82716785e1658efad5d3.tar.gz freeipa.git-755f1d728d4993f58b3e82716785e1658efad5d3.tar.xz freeipa.git-755f1d728d4993f58b3e82716785e1658efad5d3.zip |
Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
https://fedorahosted.org/freeipa/ticket/3051
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 5 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 9 |
2 files changed, 12 insertions, 2 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 20c09217..8c4f3a9b 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -3,7 +3,7 @@ ProxyRequests Off # matches for ee port -<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> +<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT @@ -25,3 +25,6 @@ ProxyRequests Off ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassReverse ajp://localhost:$DOGTAG_PORT </LocationMatch> + +# Only enable this on servers that are not generating a CRL +${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3ba6b5c0..38426149 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -603,13 +603,20 @@ def main(): AUTOREDIR='' if auto_redirect else '#', CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, DOGTAG_PORT=configured_constants.AJP_PORT, + CLONE='#' ) + ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) # migrate CRL publish dir before the location in ipa.conf is updated - ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca_restart = migrate_crl_publish_dir(ca) + if ca.is_configured(): + crl = installutils.get_directive(configured_constants.CS_CFG_PATH, + 'ca.crl.MasterCRL.enableCRLUpdates', + '=') + sub_dict['CLONE']='#' if crl.lower() == 'true' else '' + upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) |