diff options
author | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 10:40:20 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 19:24:43 -0400 |
commit | 392097f20673708a684da168aec302da7ccda9a6 (patch) | |
tree | 94406708a2008a6f0367ff0038372a2c1bda23de /ipaserver/install | |
parent | 1dd103bc8c445a1fe4f5ab59a1e6a343a8984305 (diff) | |
download | freeipa.git-392097f20673708a684da168aec302da7ccda9a6.tar.gz freeipa.git-392097f20673708a684da168aec302da7ccda9a6.tar.xz freeipa.git-392097f20673708a684da168aec302da7ccda9a6.zip |
Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
https://fedorahosted.org/freeipa/ticket/3051
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a64fe6f0..aabbba39 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1239,6 +1239,19 @@ class CAInstance(service.Service): 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), quotes=False, separator='=') + # If we are the initial master then we are the CRL generator, otherwise + # we point to that master for CRLs. + if not self.clone: + # These next two are defaults, but I want to be explicit that the + # initial master is the CRL generator. + installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=') + else: + installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=') + def __set_subject_in_config(self): # dogtag ships with an IPA-specific profile that forces a subject # format. We need to update that template with our base subject @@ -1291,7 +1304,11 @@ class CAInstance(service.Service): def __http_proxy(self): template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf" - sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT) + sub_dict = dict( + DOGTAG_PORT=self.dogtag_constants.AJP_PORT, + CLONE='' if self.clone else '#', + FQDN=self.fqdn, + ) template = ipautil.template_file(template_filename, sub_dict) with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd: fd.write(template) |