authorFraser Tweedale <ftweedal@redhat.com>2015-06-05 02:57:48 -0400
committerPetr Vobornik <pvoborni@redhat.com>2015-06-05 19:12:46 +0200
commit8b3bc99a737edb9178e115c188d60d963f73e50c (patch)
tree22a9afe1ed2a78685bbd3c231b73e1c2c1f2e3fd
parentce33f82cfe528c17d3a1367172bb1475fe169b25 (diff)
Import profiles earlier during install
Currently, IPA certificate profile import happens at end of install. Certificate issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed. Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates. Part of: https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--ipaserver/install/server/install.py3
-rw-r--r--ipaserver/plugins/dogtag.py10
3 files changed, 12 insertions, 6 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 42225c28c..563a198ab 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -473,6 +473,9 @@ class CAInstance(DogtagInstance):
self.step("configure Server-Cert certificate renewal", self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
+ if not self.clone:
+ self.step("restarting certificate server", self.restart_instance)
+ self.step("Importing IPA certificate profiles", import_included_profiles)
self.start_creation(runtime=210)
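Review bot: The two new step descriptions are inconsistently capitalised with their neighbours: `"restarting certificate server"` is lower-case while the surrounding steps ("Configure HTTP to proxy connections", "Importing IPA certificate profiles") start with a capital, and these strings are printed to the installer's progress output. Use `self.step("Restarting certificate server", self.restart_instance)` to match. A one-line comment above the `if not self.clone:` guard saying that profiles are only imported on the first master (a replica presumably receives them via replication — worth confirming) would spare the next reader a guess. The enclosing method starts outside this hunk.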
@@ -1694,6 +1697,7 @@ def import_included_profiles():
)
conn.add_entry(entry)
api.Backend.ra_certprofile._read_password()
+ api.Backend.ra_certprofile.override_port = 8443
with api.Backend.ra_certprofile as profile_api:
# import the profile
try:
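Review bot: The reset of `override_port` to None, done in the next hunk after the `with` block, is not protected by a `finally`, so any exception other than RemoteRetrieveError escaping create_profile/enable_profile, or a failure in the RestClient's `__enter__`/`__exit__` (login/logout), leaves the shared `api.Backend.ra_certprofile` instance pinned to port 8443 for every later caller in the same process. Wrapping the `with` block in try/finally, as below, restores the default port on every exit path. The hard-coded 8443 also deserves a comment stating why `self.env.ca_agent_port` cannot be used at this point of the install; the commit message does not say, so I can only flag it as a TODO. import_included_profiles starts outside this hunk.
```python
        api.Backend.ra_certprofile._read_password()
        # TODO(review): document why the env agent port is not usable at this stage
        api.Backend.ra_certprofile.override_port = 8443
        try:
            with api.Backend.ra_certprofile as profile_api:
                # … unchanged: create_profile / enable_profile with RemoteRetrieveError handling …
        finally:
            api.Backend.ra_certprofile.override_port = None
        root_logger.info("Imported profile '%s'", profile_id)
```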
@@ -1715,6 +1719,7 @@ def import_included_profiles():
except errors.RemoteRetrieveError:
pass
+ api.Backend.ra_certprofile.override_port = None
root_logger.info("Imported profile '%s'", profile_id)
conn.disconnect()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 955e4cc11..999766d67 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -906,9 +906,6 @@ def install(options):
service.print_msg("Restarting the certificate server")
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
- service.print_msg("Importing certificate profiles")
- cainstance.import_included_profiles()
-
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
dns.install(False, False, options)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e6668bb43..e60cced1a 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1973,6 +1973,7 @@ class RestClient(Backend):
super(RestClient, self).__init__()
# session cookie
+ self.override_port = None
self.cookie = None
def _read_password(self):
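Review bot: The new `self.override_port = None` is inserted between the `# session cookie` comment and `self.cookie = None`, so the comment now sits above an attribute it does not describe. Give the new attribute its own comment and keep the cookie comment next to the cookie, e.g. `# port used instead of self.env.ca_agent_port for all REST requests; None means use the env default` on the line above `self.override_port = None`, followed by `# session cookie` directly above `self.cookie = None`.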
@@ -2007,7 +2008,8 @@ class RestClient(Backend):
if self.cookie is not None:
return
status, status_text, resp_headers, resp_body = dogtag.https_request(
- self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login',
+ self.ca_host, self.override_port or self.env.ca_agent_port,
+ '/ca/rest/account/login',
self.sec_dir, self.password, self.ipa_certificate_nickname,
method='GET'
)
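Review bot: The fallback expression `self.override_port or self.env.ca_agent_port` is now repeated verbatim in three places (this hunk, the `__exit__` hunk and the `_ssldo` request hunk that follows), so a future change to the precedence rule has to be made three times and can silently drift. A small read-only property used by all three call sites keeps the rule in one place; it also tests `is not None` rather than truthiness, which makes the "None means default" contract explicit instead of relying on the port never being 0. The enclosing methods start outside this hunk.
```python
    @property
    def _port(self):
        """Port for CA REST requests; override_port takes precedence over the env default."""
        if self.override_port is not None:
            return self.override_port
        return self.env.ca_agent_port
```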
@@ -2020,7 +2022,8 @@ class RestClient(Backend):
def __exit__(self, exc_type, exc_value, traceback):
"""Log out of the REST API"""
dogtag.https_request(
- self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout',
+ self.ca_host, self.override_port or self.env.ca_agent_port,
+ '/ca/rest/account/logout',
self.sec_dir, self.password, self.ipa_certificate_nickname,
method='GET'
)
@@ -2046,7 +2049,8 @@ class RestClient(Backend):
# perform main request
status, status_text, resp_headers, resp_body = dogtag.https_request(
- self.ca_host, self.env.ca_agent_port, resource,
+ self.ca_host, self.override_port or self.env.ca_agent_port,
+ resource,
self.sec_dir, self.password, self.ipa_certificate_nickname,
method=method, headers=headers, body=body
)