author | Stanislav Laznicka <slaznick@redhat.com> | 2017-01-03 09:49:48 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-03-01 09:43:41 +0000 |
commit | 6b074ad833a12acbd4643795b2150fa7f019d6b2 (patch) | |
tree | 1de2394d1448440d738e51e05f1d862490e0858f | |
parent | 1e89d28aaf3a0a4b48fc09a5d98262f1000c52a3 (diff) | |
Move publishing of CA cert to cainstance creation on master
IPAHTTPSConnection, which is set up for the first time during the migration
of certificate profiles to LDAP, requires the CA cert to be stored in a file.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 9 |
2 files changed, 9 insertions, 6 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6cb6e3c94..8f544ec1e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -423,6 +423,8 @@ class CAInstance(DogtagInstance):
 self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
 self.step("restarting certificate server", self.restart_instance)
 if not self.clone:
+ self.step("publishing the CA certificate",
+ self.__publish_ca_cert)
 self.step("adding RA agent as a trusted user", self.__create_ca_agent)
 self.step("authorizing RA to modify profiles", configure_profiles_acl)
 self.step("authorizing RA to manage lightweight CAs",
@@ -744,6 +746,10 @@ class CAInstance(DogtagInstance):
 conn.disconnect()
+ def __publish_ca_cert(self):
+ db = certs.CertDB(self.realm)
+ db.publish_ca_cert(paths.IPA_CA_CRT)
+
 def __get_ca_chain(self):
 try:
 return dogtag.get_ca_certchain(ca_host=self.fqdn)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index dd04624fc..813329372 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -775,14 +775,11 @@ def install(installer):
 write_cache(cache_vars)
 # Create RA DB
- radb = certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
- user=IPAAPI_USER, group=IPAAPI_GROUP,
- truncate=True)
+ certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
+ user=IPAAPI_USER, group=IPAAPI_GROUP,
+ truncate=True)
 ca.install_step_0(False, None, options)
-
- # Now put the CA cert where other instances expect it
- radb.publish_ca_cert(paths.IPA_CA_CRT)
 else:
 # Put the CA cert where other instances expect it
 x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) |
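Review bot: The new `__publish_ca_cert` in cainstance.py opens `certs.CertDB(self.realm)` without an `nssdir`, while the call it replaces in install.py published from a database opened with `nssdir=paths.IPA_RADB_DIR`; unless CertDB's default directory is that same database (not visible here), the certificate written to `paths.IPA_CA_CRT` could come from a different store, or the export could fail. The commit message says IPAHTTPSConnection needs this file, so it presumably acts as the trust anchor for those connections, and naming the source database explicitly would make that auditable: `db = certs.CertDB(self.realm, nssdir=paths.IPA_RADB_DIR)`. A one-line docstring stating that the method exports the CA certificate to `paths.IPA_CA_CRT` for HTTPS clients would also help. The step is registered in the first hunk only under `if not self.clone:`, so it is worth confirming that replicas still obtain the file by another path.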
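Review bot: The `certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR, ..., truncate=True)` call under `# Create RA DB` in install.py now discards its result, so the statement exists only for whatever the constructor does on disk, which this hunk does not show. A comment would keep a later cleanup from deleting it as dead code, for example `# Instantiated only for its side effect: creates (and truncates) the RA NSS database`. Since `truncate=True` presumably wipes any database already at that path, the comment should also say whether that is intended when the installer is re-run. `install()` begins and ends outside the hunk.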