Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 23 |
2 files changed, 27 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c741a7ef6..8be4e1f86 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -460,6 +460,10 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_backup_keys", "True")
 config.set("CA", "pki_backup_password", self.admin_password)
 config.set("CA", "pki_profiles_in_ldap", "True")
+ config.set("CA", "pki_default_ocsp_uri",
+ "http://{}.{}/ca/ocsp".format(
+ ipalib.constants.IPA_CA_RECORD,
+ ipautil.format_netloc(api.env.domain)))
 # Client security database
 config.set("CA", "pki_client_database_dir", self.agent_db)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index b4b6243ac..3955a8cb9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -356,6 +356,28 @@ def ca_ensure_lightweight_cas_container(ca):
 return cainstance.ensure_lightweight_cas_container()
+def ca_add_default_ocsp_uri(ca):
+ root_logger.info('[Adding default OCSP URI configuration]')
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ value = installutils.get_directive(
+ paths.CA_CS_CFG_PATH,
+ 'ca.defaultOcspUri',
+ separator='=')
+ if value:
+ return False # already set; restart not needed
+
+ installutils.set_directive(
+ paths.CA_CS_CFG_PATH,
+ 'ca.defaultOcspUri',
+ 'http://ipa-ca.%s/ca/ocsp' % ipautil.format_netloc(api.env.domain),
+ quotes=False,
+ separator='=')
+ return True # restart needed
+
+
 def upgrade_ca_audit_cert_validity(ca):
 """
 Update the Dogtag audit signing certificate.
@@ -1725,6 +1747,7 @@ def upgrade_configuration():
 ca_enable_pkix(ca),
 ca_configure_profiles_acl(ca),
 ca_configure_lightweight_ca_acls(ca),
+ ca_add_default_ocsp_uri(ca),
 ])
 if ca_restart: |
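Review bot: The OCSP URL is assembled here from `ipalib.constants.IPA_CA_RECORD`, while `ca_add_default_ocsp_uri` in the upgrade.py hunk hard-codes the same host label as `'http://ipa-ca.%s/ca/ocsp'`, so fresh installs and upgraded servers can drift apart if the constant ever changes. Since this value presumably becomes the revocation pointer the CA hands out, a mismatch would be hard to correct afterwards; the upgrade path could build it the same way, e.g. `'http://%s.%s/ca/ocsp' % (ipalib.constants.IPA_CA_RECORD, ipautil.format_netloc(api.env.domain))`, assuming `ipalib.constants` is importable there. A short comment above the new `config.set` would also help reviewers: `# OCSP responses are signed, so the responder URI is plain HTTP by design`. The enclosing method starts and ends outside this hunk.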
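Review bot: `ca_add_default_ocsp_uri` has no docstring, and its return value (True means the CA needs a restart) is explained only by trailing comments, unlike the neighbouring `upgrade_ca_audit_cert_validity`. Suggested docstring: `"""Set ca.defaultOcspUri in CS.cfg when it is unset; return True if the CA must be restarted."""`. When a value is already present the function returns without logging it, so the upgrade log does not show which responder URI the CA keeps using. Adding `root_logger.info('ca.defaultOcspUri already set to %s', value)` before that `return False` would make a stale or host-specific URI visible to the operator.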