diff options
author | Jan Cholasta <jcholast@redhat.com> | 2014-09-24 16:31:39 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 08:50:47 +0200 |
commit | 3aa0731fc660ea3d111a44926ab5dea71dc510e7 (patch) | |
tree | c4ce2ba7de1163ce699d7fb65ce19bf30e86aa68 /install | |
parent | 60ecba77cd98f37be0d2c0f69efd307a687e59dc (diff) | |
download | freeipa-3aa0731fc660ea3d111a44926ab5dea71dc510e7.tar.gz freeipa-3aa0731fc660ea3d111a44926ab5dea71dc510e7.tar.xz freeipa-3aa0731fc660ea3d111a44926ab5dea71dc510e7.zip |
External CA installer options usability fixes
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-x | install/tools/ipa-ca-install | 39 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 68 | ||||
-rw-r--r-- | install/tools/man/ipa-ca-install.1 | 3 | ||||
-rw-r--r-- | install/tools/man/ipa-cacert-manage.1 | 5 | ||||
-rw-r--r-- | install/tools/man/ipa-server-install.1 | 11 |
5 files changed, 53 insertions, 73 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 475794bb6..e54af2f59 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -26,9 +26,10 @@ from ipapython import ipautil from ipaserver.install import installutils from ipaserver.install import certs -from ipaserver.install.installutils import ( - ReplicaConfig, private_ccache, create_replica_config, - validate_external_cert) +from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, + expand_replica_info, read_replica_info, get_host_name, BadHostError, + private_ccache, read_replica_info_dogtag_port, load_external_cert, + create_replica_config, validate_external_cert) from ipaserver.install import dsinstance, cainstance, bindinstance from ipaserver.install.replication import replica_conn_check from ipapython import version @@ -65,10 +66,9 @@ def parse_options(): default=False, help="unattended installation never prompts the user") parser.add_option("--external-ca", dest="external_ca", action="store_true", default=False, help="Generate a CSR to be signed by an external CA") - parser.add_option("--external_cert_file", dest="external_cert_file", - help="PEM file containing a certificate signed by the external CA") - parser.add_option("--external_ca_file", dest="external_ca_file", - help="PEM file containing the external CA chain") + parser.add_option("--external-cert-file", dest="external_cert_files", + action="append", metavar="FILE", + help="File containing the IPA CA certificate and the external CA certificate chain") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -83,12 +83,9 @@ def parse_options(): filename = None if options.external_ca: - if options.external_cert_file: - parser.error("You cannot specify --external_cert_file " + if options.external_cert_files: + parser.error("You cannot specify --external-cert-file " "together with --external-ca") - if options.external_ca_file: - parser.error("You cannot specify --external_ca_file together " - "with --external-ca") return safe_options, options, filename @@ -242,23 +239,19 @@ def install_master(safe_options, options): if options.external_ca: if cainstance.is_step_one_done(): print ("CA is already installed.\nRun the installer with " - "--external-cert-file and --external-ca-file.") + "--external-cert-file.") sys.exit(1) - elif options.external_cert_file: + elif options.external_cert_files: if not cainstance.is_step_one_done(): print ("CA is not installed yet. To install with an external CA " "is a two-stage process.\nFirst run the installer with " "--external-ca.") sys.exit(1) - try: - validate_external_cert(options.external_cert_file, - options.external_ca_file, subject_base) - except ValueError, e: - print e - sys.exit(1) + external_cert_file, external_ca_file = load_external_cert( + options.external_cert_files, subject_base) - if options.external_cert_file: + if options.external_cert_files: external = 2 elif options.external_ca: external = 1 @@ -308,8 +301,8 @@ def install_master(safe_options, options): else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, - cert_file=options.external_cert_file, - cert_chain_file=options.external_ca_file, + cert_file=external_cert_file.name, + cert_chain_file=external_ca_file.name, subject_base=subject_base) ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index e73a098df..6988b1068 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -38,7 +38,7 @@ import nss.error import base64 import pwd import textwrap -from optparse import OptionGroup, OptionValueError +from optparse import OptionGroup, OptionValueError, SUPPRESS_HELP try: from ipaserver.install import adtrustinstance @@ -204,10 +204,15 @@ def parse_options(): cert_group = OptionGroup(parser, "certificate system options") cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA") - cert_group.add_option("", "--external_cert_file", dest="external_cert_file", - help="File containing the IPA CA certificate signed by the external CA in PEM format") - cert_group.add_option("", "--external_ca_file", dest="external_ca_file", - help="File containing the external CA certificate chain in PEM format") + cert_group.add_option("--external-cert-file", dest="external_cert_files", + action="append", metavar="FILE", + help="File containing the IPA CA certificate and the external CA certificate chain") + cert_group.add_option("--external_cert_file", dest="external_cert_files", + action="append", + help=SUPPRESS_HELP) + cert_group.add_option("--external_ca_file", dest="external_cert_files", + action="append", + help=SUPPRESS_HELP) cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", default=True, help="disables pkinit setup steps") cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", @@ -321,25 +326,19 @@ def parse_options(): if options.pkinit_pkcs12 and options.pkinit_pin is None: parser.error("You must specify --pkinit_pin with --pkinit_pkcs12") - if (options.external_cert_file or options.external_ca_file) and options.dirsrv_pkcs12: - parser.error( - "PKCS#12 options cannot be used with the external CA options.") + if options.external_cert_files and options.dirsrv_pkcs12: + parser.error("Service certificate file options cannot be used with " + "the external CA options.") if options.external_ca: - if options.external_cert_file: - parser.error("You cannot specify --external_cert_file together with --external-ca") - if options.external_ca_file: - parser.error("You cannot specify --external_ca_file together with --external-ca") + if options.external_cert_files: + parser.error("You cannot specify --external-cert-file " + "together with --external-ca") if options.dirsrv_pkcs12: parser.error("You cannot specify PKCS#12 options together with --external-ca") - if ((options.external_cert_file and not options.external_ca_file) or - (not options.external_cert_file and options.external_ca_file)): - parser.error("if either external CA option is used, both are required.") - - if (options.external_ca_file and not os.path.isabs(options.external_ca_file)): - parser.error("--external-ca-file must use an absolute path") - if (options.external_cert_file and not os.path.isabs(options.external_cert_file)): + if (options.external_cert_files and + any(not os.path.isabs(path) for path in options.external_cert_files)): parser.error("--external-cert-file must use an absolute path") if options.idmax == 0: @@ -393,11 +392,10 @@ def read_cache(dm_password): shutil.rmtree(top_dir) # These are the only ones that may be overridden - for opt in ('external_ca_file', 'external_cert_file'): - try: - del optdict[opt] - except KeyError: - pass + try: + del optdict['external_cert_files'] + except KeyError: + pass return optdict @@ -636,7 +634,7 @@ def main(): else: standard_logging_setup(paths.IPASERVER_INSTALL_LOG, debug=options.debug) print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" - if not options.external_ca and not options.external_cert_file and is_ipa_configured(): + if not options.external_ca and not options.external_cert_files and is_ipa_configured(): installation_cleanup = False sys.exit("IPA server is already configured on this system.\n" + "If you want to reinstall the IPA server, please uninstall " + @@ -729,14 +727,14 @@ def main(): if options.external_ca: if cainstance.is_step_one_done(): print ("CA is already installed.\nRun the installer with " - "--external_cert_file and --external_ca_file.") + "--external-cert-file.") sys.exit(1) if ipautil.file_exists(paths.ROOT_IPA_CSR): print ("CA CSR file %s already exists.\nIn order to continue " "remove the file and run the installer again." % paths.ROOT_IPA_CSR) sys.exit(1) - elif options.external_cert_file: + elif options.external_cert_files: if not cainstance.is_step_one_done(): # This can happen if someone passes external_ca_file without # already having done the first stage of the CA install. @@ -758,13 +756,9 @@ def main(): except Exception, e: sys.exit("Cannot process the cache file: %s" % str(e)) - if options.external_cert_file: - try: - validate_external_cert(options.external_cert_file, - options.external_ca_file, options.subject) - except ValueError, e: - print e - sys.exit(1) + if options.external_cert_files: + external_cert_file, external_ca_file = load_external_cert( + options.external_cert_files, options.subject) # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: @@ -779,7 +773,7 @@ def main(): # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. - if options.external_cert_file: + if options.external_cert_files: external = 2 elif options.external_ca: external = 1 @@ -1119,8 +1113,8 @@ def main(): # stage 2 of external CA installation ca.configure_instance(host_name, domain_name, dm_password, dm_password, - cert_file=options.external_cert_file, - cert_chain_file=options.external_ca_file, + cert_file=external_cert_file.name, + cert_chain_file=external_ca_file.name, subject_base=options.subject, ca_signing_algorithm=options.ca_signing_algorithm) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 2e0b0795a..8f7201c20 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -37,6 +37,9 @@ Directory Manager (existing master) password \fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR Admin user Kerberos password used for connection check .TP +\fB\-\-external\-cert\-file\fR=\fIFILE\fR +File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. +.TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation .TP diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 3006be7fc..1f3778833 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -56,10 +56,7 @@ Sign the renewed certificate by itself. Sign the renewed certificate by external CA. .TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR -PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file. -.TP -\fB\-\-external\-ca\-file\fR=\fIFILE\fR -PEM file containing the external CA chain. +File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR Nickname for the certificate. diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index ecea26db1..92d9ec85a 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -87,15 +87,8 @@ An unattended installation that will never prompt for user input \fB\-\-external\-ca\fR Generate a CSR for the IPA CA certificate to be signed by an external CA. .TP -\fB\-\-external_cert_file\fR=\fIFILE\fR -File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file. -.TP -\fB\-\-external_ca_file\fR=\fIFILE\fR -File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file. - -If the CA certificate chain is in PKCS#7 format you can convert it to PEM using: - - openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE +\fB\-\-external\-cert\-file\fR=\fIFILE\fR +File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR Disables pkinit setup steps |