author | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 11:25:27 -0400 |
committer | Martin Kosek <mkosek@redhat.com> | 2012-10-09 17:51:13 +0200 |
commit | eb79f5c955d80b6f6e1522d9d0206c9678b2b9e1 (patch) | |
tree | bfe257a221d8b922723fcc13c572311e0e8f7f8d /install | |
parent | 96decfea26a1ca977aa81456e46e0590dde1f861 (diff) | |
Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.
https://fedorahosted.org/freeipa/ticket/2951
Diffstat (limited to 'install')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cb2164c0c..4ed718a9b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -211,14 +211,15 @@ def upgrade_pki(fstore):
 This requires enabling SSL renegotiation.
 """
+ configured_constants = dogtag.configured_constants()
 root_logger.info('[Verifying that CA proxy configuration is correct]')
- if not os.path.exists('/etc/pki-ca/CS.cfg'):
+ if not os.path.exists(configured_constants.CS_CFG_PATH):
 root_logger.debug('No CA detected in /etc/pki-ca')
 return
 http = httpinstance.HTTPInstance(fstore)
 http.enable_mod_nss_renegotiate()
- if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+ if not installutils.get_directive(configured_constants.CS_CFG_PATH,
 'proxy.securePort', '=') and \
 os.path.exists('/usr/bin/pki-setup-proxy'):
 ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
@@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
 def upgrade_ipa_profile(ca):
 """
 Update the IPA Profile provided by dogtag
+
+ Returns True if restart is needed, False otherwise.
 """
 root_logger.info('[Verifying that CA service certificate profile is updated]')
 if ca.is_configured():
- if ca.enable_subject_key_identifier():
- root_logger.debug('Subject Key Identifier updated, restarting CA')
- ca.restart()
+ ski = ca.enable_subject_key_identifier()
+ if ski:
+ root_logger.debug('Subject Key Identifier updated.')
 else:
 root_logger.debug('Subject Key Identifier already set.')
+ audit = ca.set_audit_renewal()
+ if audit or ski:
+ return True
 else:
 root_logger.debug('CA is not configured')
+ return False
+
 def upgrade_httpd_selinux(fstore):
 """
 Update SElinux configuration for httpd instance in the same way as the 
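Review bot: The debug message on the line after the changed `os.path.exists` check still hard-codes `/etc/pki-ca`, so once `CS_CFG_PATH` resolves somewhere else the log names a path that was never checked; use the same constant in the message, `root_logger.debug('No CA detected in %s' % configured_constants.CS_CFG_PATH)`. The `/usr/bin/pki-setup-proxy` path and its `-pki_instance_root` argument a few lines down stay hard-coded as well, which is presumably intended if only the config path varies between instances, but it is worth confirming against what `dogtag.configured_constants()` provides. upgrade_pki starts before this hunk.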
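Review bot: The new `audit = ca.set_audit_renewal()` call leaves no trace in the log, whereas the SKI change right above it logs whether it was applied; an operator reviewing an upgrade cannot tell from the output that the audit-certificate renewal setting on the CA was modified. Add a matching line before the `if audit or ski:` test, `if audit: root_logger.debug('Audit certificate renewal period updated.')`. The commit message states the new period is 720 days, but that value does not appear in this hunk (presumably it lives in `set_audit_renewal`), so the docstring should say only that the audit renewal setting is updated and name that method rather than the number. Indentation is lost in this rendering, so it cannot be confirmed that the trailing `return False` sits at function-body level; if it were inside the `else:` branch, the configured-but-unchanged path would return None instead of the documented False.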
@@ -609,14 +617,13 @@ def main():
 pass
 cleanup_kdc(fstore)
- upgrade_ipa_profile(ca)
 changed_psearch = named_enable_psearch()
 changed_autoincrement = named_enable_serial_autoincrement()
 if changed_psearch or changed_autoincrement:
 # configuration has changed, restart the name server
 root_logger.info('Changes to named.conf have been made, restart named')
 bindinstance.BindInstance(fstore).restart()
- ca_restart = ca_restart or enable_certificate_renewal(ca)
+ ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
 if ca_restart:
 root_logger.info('pki-ca configuration changed, restart pki-ca') |
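Review bot: The rewritten `ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)` short-circuits, so whenever `ca_restart` is already True (it is assigned earlier in main, outside this hunk) neither `enable_certificate_renewal(ca)` nor `upgrade_ipa_profile(ca)` runs, and the SKI and audit-renewal updates that the removed unconditional `upgrade_ipa_profile(ca)` call used to guarantee are silently skipped. The old line already had this problem for `enable_certificate_renewal`; folding the profile upgrade into the same expression extends it to the change this commit is meant to deliver. Evaluate each step unconditionally and combine the results afterwards: `renewal_changed = enable_certificate_renewal(ca)`, `profile_changed = upgrade_ipa_profile(ca)`, `ca_restart = ca_restart or renewal_changed or profile_changed`. main continues outside the hunk.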