author | David Kupka <dkupka@redhat.com> | 2016-02-17 15:18:04 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-26 08:27:44 +0100 |
commit | 431a1a038396d271f680cc4bd4f0bddf617be823 (patch) | |
tree | f8a302ff5c2154aaa9992accc44cc79edd8e31d7 /ipaserver | |
parent | 6b4678170e561ec52e8a9e5d5f68ff1684d7de22 (diff) | |
dsinstance: add start_tracking_certificates method
Configure certmonger to start tracking the certificate for DS.
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/dsinstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 19 |
2 files changed, 24 insertions, 2 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f474e189a..93af0ac0a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -968,6 +968,13 @@ class DsInstance(service.Service):
 dsdb = certs.CertDB(self.realm, nssdir=dirname)
 dsdb.untrack_server_cert(self.nickname)
+ def start_tracking_certificates(self, serverid):
+ dirname = config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(self.realm, nssdir=dirname)
+ dsdb.track_server_cert(self.nickname, self.principal,
+ dsdb.passwd_fname,
+ 'restart_dirsrv %s' % serverid)
+
 # we could probably move this function into the service.Service
 # class - it's very generic - all we need is a way to get an
 # instance of a particular Service
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 7fa200533..f74034aff 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -791,7 +791,8 @@ def named_root_key_include():
 sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
 return True
-def certificate_renewal_update(ca):
+
+def certificate_renewal_update(ca, ds):
 """
 Update certmonger certificate renewal configuration.
 """
@@ -801,6 +802,8 @@ def certificate_renewal_update(ca):
 else:
 libpath = 'lib'
 template = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, '%s')
+ serverid = installutils.realm_to_serverid(api.env.realm)
+ dirsrv_dir = dsinstance.config_dirname(serverid)
 # bump version when requests is changed
 version = 4
@@ -853,6 +856,15 @@ def certificate_renewal_update(ca):
 '%s "Server-Cert cert-pki-ca"' % (template % 'renew_ca_cert'),
 None,
 ),
+ (
+ dirsrv_dir,
+ 'Server-Cert',
+ 'IPA',
+ None,
+ '%s %s' % (template % 'restart_dirsrv', serverid),
+ None,
+ ),
+
 )
 root_logger.info("[Update certmonger certificate renewal configuration to "
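Review bot: `start_tracking_certificates` has no docstring and silently depends on `self.nickname` and `self.principal` being populated before it is called — the upgrade.py hunk in this same commit has to assign `ds.principal` by hand first, so the precondition is easy to miss on any other call path. A docstring such as `"""Ask certmonger to track the DS server certificate in the NSS database of instance ``serverid``; requires self.nickname and self.principal to be set."""` would make it explicit. The `[:-1]` slice copies the idiom of `stop_tracking_certificates` just above (whose own `dirname` line is outside the hunk); a comment like `# config_dirname() ends with a separator; CertDB wants the bare directory` would explain the magic index. It is also worth recording that the post-renewal command `'restart_dirsrv %s' % serverid` is built only from the instance id derived from the configured realm, not from anything external, since certmonger executes that string after each renewal.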
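Review bot: `dirsrv_dir = dsinstance.config_dirname(serverid)` keeps whatever trailing separator `config_dirname` returns, while the dsinstance.py hunk strips it with `[:-1]` before handing the directory to `CertDB`, so the database path recorded in the new `requests` entry (the `@@ -853` hunk of this file) and the nssdir certmonger is actually told to track may differ by a trailing slash. Whether the code that compares `requests` against certmonger's tracking state tolerates that is outside the hunk; if it requires an exact match, the DS entry could never be found and the renewal reconfiguration would be repeated on every upgrade. Using the same form in both places, `dirsrv_dir = dsinstance.config_dirname(serverid)[:-1]`, or normalizing once in a shared helper, removes the ambiguity. certificate_renewal_update continues beyond the hunk.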
@@ -888,6 +900,7 @@ def certificate_renewal_update(ca):
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
 ca.stop_tracking_certificates()
+ ds.stop_tracking_certificates(serverid)
 if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'):
@@ -901,6 +914,7 @@ def certificate_renewal_update(ca):
 ca.configure_renewal()
 ca.configure_agent_renewal()
 ca.track_servercert()
+ ds.start_tracking_certificates(serverid)
 sysupgrade.set_upgrade_state('dogtag', state, True)
 root_logger.info("Certmonger certificate renewal configuration updated to "
@@ -1517,6 +1531,7 @@ def upgrade_configuration():
 ds.fqdn = fqdn
 ds.realm = api.env.realm
 ds.suffix = ipautil.realm_to_suffix(api.env.realm)
+ ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
 ds.ldap_connect()
 ds_enable_sidgen_extdom_plugins(ds)
@@ -1612,7 +1627,7 @@ def upgrade_configuration():
 ca_restart,
 ca_upgrade_schema(ca),
 upgrade_ca_audit_cert_validity(ca),
- certificate_renewal_update(ca),
+ certificate_renewal_update(ca, ds),
 ca_enable_pkix(ca),
 ca_configure_profiles_acl(ca),
 ]) |
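Review bot: `ds.stop_tracking_certificates(serverid)` untracks the DS certificate unconditionally, but the matching `ds.start_tracking_certificates(serverid)` in the `@@ -901` hunk only runs after `ca.configure_renewal()`, `ca.configure_agent_renewal()` and `ca.track_servercert()` succeed, so a failure in any of those leaves the directory server certificate with no renewal tracking at all — an outage waiting to happen when it expires. This mirrors how the CA certificates are already handled, so it is not a regression, but the DS certificate is new here and the gap between stop and start is now wider. At minimum a comment `# DS cert is untracked from here until start_tracking_certificates() below; a failure in between must be retried` next to the stop call would flag the window; wrapping the CA steps so the DS start still runs on the failure path is the more robust fix. The lines between the two hunks, and the rest of certificate_renewal_update, are outside the view.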
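Review bot: `ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)` hand-assembles the value that `start_tracking_certificates` passes to certmonger as the certificate principal, next to the other `ds.*` fields upgrade_configuration already fills in by hand; presumably the install path sets the same attribute elsewhere, which makes this a second copy that must stay in sync. Deriving it inside DsInstance (a property built from fqdn and realm, or an assignment in its constructor) would stop the upgrade path from drifting from the install path. Failing that, a comment `# start_tracking_certificates() reads ds.principal; the upgrade path skips the install-time setup that normally sets it` should document the coupling. upgrade_configuration starts and ends outside the hunk.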