diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-27 15:49:30 +1000 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-28 19:15:35 +0200 |
commit | 45daffa22fcc6c481a8302f1947a5e0ded0b3eb8 (patch) | |
tree | 4f2358c77d91ee0369c094523f235421d90a1cee /ipaserver/install/cainstance.py | |
parent | 5693d195501611c6abe9dbdf1370b898ffa6b3c7 (diff) | |
download | freeipa-45daffa22fcc6c481a8302f1947a5e0ded0b3eb8.tar.gz freeipa-45daffa22fcc6c481a8302f1947a5e0ded0b3eb8.tar.xz freeipa-45daffa22fcc6c481a8302f1947a5e0ded0b3eb8.zip |
Set default OCSP URI on install and upgrade
Dogtag has been updated to support a default OCSP URI when the
profile includes AuthInfoAccess with URI method but does not specify
the URI (instead of constructing one based on Dogtag's hostname and
port).
Add the pkispawn config to ensure that the OCSP URI is set before
issuing CA and system certificates, and add the config to existing
CA instances on upgrade.
Fixes: https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c741a7ef6..8be4e1f86 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -460,6 +460,10 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) config.set("CA", "pki_profiles_in_ldap", "True") + config.set("CA", "pki_default_ocsp_uri", + "http://{}.{}/ca/ocsp".format( + ipalib.constants.IPA_CA_RECORD, + ipautil.format_netloc(api.env.domain))) # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) |