Alon Bar-Lev has uploaded a new change for review. Change subject: pki: do not override ca database in packaging ......................................................................
pki: do not override ca database in packaging

ca database should be created when CreateCA.sh is executed, not by packaging. As subsequent installations should not override these unless the ca is recreated. serial and database should have actually been in /var/lib, but for now we keep them at /etc.

Change-Id: I288864dbfb2908d4159fdbd44724d4674a1f4eee
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M Makefile
M backend/manager/conf/ca/CreateCA.sh
D backend/manager/conf/ca/database.txt
D backend/manager/conf/ca/serial.txt
M packaging/fedora/spec/ovirt-engine.spec.in
5 files changed, 18 insertions(+), 11 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/40/13440/1

diff --git a/Makefile b/Makefile
index c8905d9..5ed8aac 100644
--- a/Makefile
+++ b/Makefile
@@ -318,10 +318,6 @@
 	install -m 644 backend/manager/conf/ca/cacert.template.in $(DESTDIR)$(PKG_PKI_DIR)
 	install -m 644 backend/manager/conf/ca/cert.template.in $(DESTDIR)$(PKG_PKI_DIR)
 
-	# Certificate database:
-	install -m 644 backend/manager/conf/ca/database.txt $(DESTDIR)$(PKG_PKI_DIR)
-	install -m 644 backend/manager/conf/ca/serial.txt $(DESTDIR)$(PKG_PKI_DIR)
-
 	# Scripts:
 	install -m 755 backend/manager/conf/ca/*.sh $(DESTDIR)$(PKG_PKI_DIR)
 	install -m 644 backend/manager/conf/ca/*.lock $(DESTDIR)$(PKG_PKI_DIR)
diff --git a/backend/manager/conf/ca/CreateCA.sh b/backend/manager/conf/ca/CreateCA.sh
index 522afa8..d0383cd 100755
--- a/backend/manager/conf/ca/CreateCA.sh
+++ b/backend/manager/conf/ca/CreateCA.sh
@@ -28,6 +28,18 @@
 echo CN = $3 >> cacert.conf
 cp cert.template cert.conf
 
+#
+# openssl ca directory must
+# be writable for the user
+# as backup files are produced
+# so let's assume directory
+# is in correct permissions
+#
+echo 1000 > serial.txt
+rm -f database.txt
+touch database.txt
+chown --reference=. serial.txt database.txt
+
 openssl genrsa -out private/ca.pem 2048 && \
 openssl req -new -key private/ca.pem \
 	-config cacert.conf -out requests/ca.csr && \
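Review bot: The four new commands (`echo 1000 > serial.txt` through `chown --reference=. serial.txt database.txt`) sit outside the `&& \` chain that starts at `openssl genrsa`, so a failed write — the unwritable-directory case the new comment itself worries about — is ignored and CA creation carries on against a stale or missing serial and index; unless the script already runs under `set -e` (its start is outside the hunk), append `&& \` to each of them so they join the chain. The reset also runs before the new key and certificate exist, so a failure later in the chain leaves the previous CA's `database.txt` already wiped while the old CA files presumably remain; moving the reset to the end of the chain would keep the old issuance record until the new CA is in place. I would also turn the assumption in the comment into an explicit check before the first write, e.g. `[ -w . ] || { echo "CA directory is not writable" >&2; exit 1; }`. The enclosing script continues past both ends of the hunk.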
diff --git a/backend/manager/conf/ca/database.txt b/backend/manager/conf/ca/database.txt
deleted file mode 100644
index e69de29..0000000
--- a/backend/manager/conf/ca/database.txt
+++ /dev/null
diff --git a/backend/manager/conf/ca/serial.txt b/backend/manager/conf/ca/serial.txt
deleted file mode 100644
index a616ad4..0000000
--- a/backend/manager/conf/ca/serial.txt
+++ /dev/null
@@ -1 +0,0 @@
-01
\ No newline at end of file
diff --git a/packaging/fedora/spec/ovirt-engine.spec.in b/packaging/fedora/spec/ovirt-engine.spec.in
index 178b288..691ba44 100644
--- a/packaging/fedora/spec/ovirt-engine.spec.in
+++ b/packaging/fedora/spec/ovirt-engine.spec.in
@@ -354,12 +354,14 @@
 %endif
 
 # backward compatibly (pre-3.3.0)
-# force rpm not to remove pki template files
+# force rpm not to remove pki files
 # as these used to be %config
 # these files are created empty in order to mark
 # them as %ghost
 touch %{buildroot}%{engine_pki}/cacert.template
 touch %{buildroot}%{engine_pki}/cert.template
+touch %{buildroot}%{engine_pki}/database.txt
+touch %{buildroot}%{engine_pki}/serial.txt
 
 %preun
 if [ "$1" -eq 0 ]
@@ -540,14 +542,12 @@
 %config(noreplace) %{engine_pki}/cert.template.in
 
 # backward compatibly (pre-3.3.0)
-# force rpm not to remove pki template files
+# force rpm not to remove pki files
 # as these used to be %config
 %ghost %config(noreplace) %{engine_pki}/cacert.template
 %ghost %config(noreplace) %{engine_pki}/cert.template
-
-# The certificate database files:
-%config(noreplace) %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/database.txt
-%config(noreplace) %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/serial.txt
+%ghost %config(noreplace) %{engine_pki}/database.txt
+%ghost %config(noreplace) %{engine_pki}/serial.txt
 
 # Modules:
 %{engine_jboss_modules}

-- 
To view, visit http://gerrit.ovirt.org/13440
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I288864dbfb2908d4159fdbd44724d4674a1f4eee
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
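Review bot: The new `%ghost` entries for `database.txt` and `serial.txt` drop the `%attr(-, %{engine_user}, %{engine_group})` that the removed lines carried, so the owner rpm records for these paths presumably falls back to the default (root), and `rpm --setugids` or a verify would no longer reflect the engine-user ownership that CreateCA.sh's `chown --reference=.` gives them at runtime. If that ownership is part of the contract, keep it on the new lines: `%ghost %config(noreplace) %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/database.txt` and the same for `serial.txt`. The comment-wording change is the same as in the earlier hunk at line 354, which raises nothing further.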
