author | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-14 13:16:07 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 16:39:39 +0100 |
commit | b5b23e073e59930e4dcf14ea8031c2c0441e6344 (patch) | |
tree | b47b2db85d18c0c89530cea84c6a5e1e2e978cd9 | |
parent | 95768de06fbef78169329af12b29e4d65e4bf157 (diff) | |
Request PKINIT cert directly from Dogtag API on first master
On the first master the framework may not be fully functional to serve
certificate requests. It is safer to configure a helper that contacts the
Dogtag REST API directly.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/install/krbinstance.py | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index c74fe40fa..5f2a4b1c1 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -68,6 +68,7 @@ class KrbInstance(service.Service): self.kdc_password = None self.sub_dict = None self.pkcs12_info = None + self.master_fqdn = None suffix = ipautil.dn_attribute_property('_suffix') subject_base = ipautil.dn_attribute_property('_subject_base') @@ -359,6 +360,18 @@ class KrbInstance(service.Service): certpath = (paths.KDC_CERT, paths.KDC_KEY) try: + prev_helper = None + if self.master_fqdn is None: + ca_args = [ + paths.CERTMONGER_DOGTAG_SUBMIT, + '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, + '--certfile', paths.RA_AGENT_PEM, + '--keyfile', paths.RA_AGENT_KEY, + '--cafile', paths.IPA_CA_CRT, + '--agent-submit' + ] + helper = " ".join(ca_args) + prev_helper = certmonger.modify_ca_helper('IPA', helper) certmonger.request_and_wait_for_cert( certpath, subject, @@ -372,6 +385,9 @@ class KrbInstance(service.Service): if name != 'org.fedorahosted.certmonger.duplicate': root_logger.error("Failed to initiate the request: %s", e) return + finally: + if prev_helper is not None: + certmonger.modify_ca_helper('IPA', prev_helper) # Finally copy the cacert in the krb directory so we don't # have any selinux issues with the file context |
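Review bot: The `self.master_fqdn is None` test in the second hunk is the only thing that decides whether the certmonger 'IPA' CA helper is swapped for a direct Dogtag submission, but the hunk neither documents what a None value means nor shows where the attribute is set, so a reader has to infer that None stands for "this is the first master, no other IPA server can serve the request". A comment on that line would make the intent explicit: `# No other master to forward to: on the first master the IPA framework (and its certmonger CA helper) may not be usable yet, so submit to Dogtag directly with the RA agent credentials over the IPA CA-verified EE URL.` The swap is process-global certmonger state restored in the `finally` of the third hunk, so a hard interruption between `modify_ca_helper` and the restore would leave the 'IPA' helper pointing at the Dogtag submit command, and an exception raised by the restore itself would mask the original error from `request_and_wait_for_cert`; a short `# NOTE:` on the restore line stating that the original helper must be put back even on the error-return paths would help the next maintainer. The enclosing method starts outside the hunk.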