diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2015-06-05 02:57:48 -0400 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-05 19:12:46 +0200 |
commit | 8b3bc99a737edb9178e115c188d60d963f73e50c (patch) | |
tree | 22a9afe1ed2a78685bbd3c231b73e1c2c1f2e3fd | |
parent | ce33f82cfe528c17d3a1367172bb1475fe169b25 (diff) | |
download | freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.tar.gz freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.tar.xz freeipa-8b3bc99a737edb9178e115c188d60d963f73e50c.zip |
Import profiles earlier during install
Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions. Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.
Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 5 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 3 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 10 |
3 files changed, 12 insertions, 6 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42225c28c..563a198ab 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -473,6 +473,9 @@ class CAInstance(DogtagInstance): self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) + if not self.clone: + self.step("restarting certificate server", self.restart_instance) + self.step("Importing IPA certificate profiles", import_included_profiles) self.start_creation(runtime=210) @@ -1694,6 +1697,7 @@ def import_included_profiles(): ) conn.add_entry(entry) api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 with api.Backend.ra_certprofile as profile_api: # import the profile try: @@ -1715,6 +1719,7 @@ def import_included_profiles(): except errors.RemoteRetrieveError: pass + api.Backend.ra_certprofile.override_port = None root_logger.info("Imported profile '%s'", profile_id) conn.disconnect() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 955e4cc11..999766d67 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -906,9 +906,6 @@ def install(options): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) - service.print_msg("Importing certificate profiles") - cainstance.import_included_profiles() - if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index e6668bb43..e60cced1a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1973,6 +1973,7 @@ class RestClient(Backend): super(RestClient, self).__init__() # session cookie + self.override_port = None self.cookie = None def _read_password(self): @@ -2007,7 +2008,8 @@ class RestClient(Backend): if self.cookie is not None: return status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2020,7 +2022,8 @@ class RestClient(Backend): def __exit__(self, exc_type, exc_value, traceback): """Log out of the REST API""" dogtag.https_request( - self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/logout', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2046,7 +2049,8 @@ class RestClient(Backend): # perform main request status, status_text, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.env.ca_agent_port, resource, + self.ca_host, self.override_port or self.env.ca_agent_port, + resource, self.sec_dir, self.password, self.ipa_certificate_nickname, method=method, headers=headers, body=body ) |