On 26.7.2011 19:37, Rob Crittenden wrote:
Jan Cholasta wrote:
This patch contains several small fixes to the external CA install.

https://fedorahosted.org/freeipa/ticket/1523


This is a good start at simplifying things but needs a bit more work.
One thing I was bending over backwards for was to handle whatever
options were thrown at us. Here is a situation this does not handle very
gracefully:

# ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt
--external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
CA is not installed yet. To install with an external CA is a two-stage
process.
First run the installer with --external-ca.

rob

Moved the input validation to the beginning of main(), so that the errors are caught sooner.

Honza

--
Jan Cholasta
>From 0080143430cb5e8a76c8fb02fa9ad0a3a079cda9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 26 Jul 2011 13:21:36 +0200
Subject: [PATCH] Fix external CA install.

ticket 1523
---
 install/tools/ipa-server-install |   59 ++++++++++++++++++++++----------------
 1 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8f8100b..f477412 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -212,9 +212,15 @@ def parse_options():
     if (options.external_cert_file or options.external_ca_file) and options.selfsign:
         parser.error("--selfsign cannot be used with the external CA options.")
 
+    if options.external_ca:
+        if options.external_cert_file:
+            parser.error("You cannot specify --external_cert_file together with --external-ca")
+        if options.external_ca_file:
+            parser.error("You cannot specify --external_ca_file together with --external-ca")
+
     if ((options.external_cert_file and not options.external_ca_file) or
        (not options.external_cert_file and options.external_ca_file)):
-        parser.error("if either external option is used, both are required.")
+        parser.error("if either external CA option is used, both are required.")
 
     if (options.external_ca_file and not os.path.isabs(options.external_ca_file)):
         parser.error("--external-ca-file must use an absolute path")
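Review bot: The two added `parser.error` calls under `if options.external_ca:` report the same conflict twice with near-identical wording; a single check with one message would be shorter and easier to keep in sync, e.g. `if options.external_ca and (options.external_cert_file or options.external_ca_file): parser.error("--external_cert_file and --external_ca_file cannot be used together with --external-ca")`. The new messages spell the options with underscores while the context line just below this hunk says `--external-ca-file`; the spelling that optparse actually registers should be the one shown in every message so a user can copy it from the error. parse_options() starts before the hunk and continues after it.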
@@ -503,7 +509,7 @@ def main():
     else:
         standard_logging_setup("/var/log/ipaserver-install.log", options.debug)
         print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
-        if (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()) and not options.external_cert_file:
+        if not options.external_ca and not options.external_cert_file and (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()):
             sys.exit("IPA server is already configured on this system.\n"
                      + "If you want to reinstall the IPA server please uninstall it first.")
 
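Review bot: The rewritten condition on the `if not options.external_ca ...` line bypasses the "already configured" exit entirely whenever `--external-ca` is given, including the `dsinstance.DsInstance().is_configured()` half, and the guard added later in main() looks only at `cainstance.CADSInstance().is_configured()`; if I read that second guard correctly, a host whose main directory server is already configured but has no CA instance (a selfsign install, for instance) would pass both checks and the installer would proceed over the existing server. Exempting only the CA-instance part of the test would keep the protection: `if not options.external_cert_file and (dsinstance.DsInstance().is_configured() or (not options.external_ca and cainstance.CADSInstance().is_configured())):`. This assumes the first external-CA stage does not configure the main directory server before it exits, which is not visible in the patch. main() starts before and ends after the hunk.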
@@ -544,9 +550,26 @@ def main():
 
         return uninstall()
 
+    if options.external_ca:
+        if cainstance.CADSInstance().is_configured():
+            print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file."
+            sys.exit(1)
+    elif options.external_cert_file:
+        if not cainstance.CADSInstance().is_configured():
+            # This can happen if someone passes external_ca_file without
+            # already having done the first stage of the CA install.
+            print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
+            sys.exit(1)
+        if not ipautil.file_exists(options.external_cert_file):
+            print "%s does not exist" % options.external_cert_file
+            sys.exit(1)
+        if not ipautil.file_exists(options.external_ca_file):
+            print "%s does not exist" % options.external_ca_file
+            sys.exit(1)
+
     # This will override any settings passed in on the cmdline
     if ipautil.file_exists(ANSWER_CACHE):
-        dm_password = read_dm_password()
+        dm_password = read_password("Directory Manager", confirm=False)
         options._update_loose(read_cache(dm_password))
 
     print "=============================================================================="
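Review bot: The four new exits in the `if options.external_ca:` / `elif options.external_cert_file:` block each `print` the message and then call `sys.exit(1)`, whereas the "already configured" exit elsewhere in main() uses `sys.exit("...")`, which writes the message to stderr and exits with status 1 in one call; `sys.exit("CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file.")` and the same form for the other three would match the file's existing style and keep errors off stdout. Separately, these checks run before the `options._update_loose(read_cache(dm_password))` line, which the comment says overrides command-line settings; if the answer cache can carry `external_ca` or `external_cert_file` values written during stage 1, the later state selection may see different values from the ones validated here — worth confirming against read_cache/write_cache. main() starts before and ends after the hunk.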
@@ -754,24 +777,12 @@ def main():
 
         # Figure out what state we're in. See cainstance.py for more info on
         # the 3 states.
-        if options.external_cert_file is not None and options.external_ca_file is not None:
-            # These options imply this and this is required to install the CA.
-            # This is needed otherwise the setup of dogtag will fail.
-            options.external_ca = True
-        external = 0
-        if options.external_ca:
-            external = 1
-        if external and ipautil.file_exists("/root/ipa.csr"):
+        if options.external_cert_file:
             external = 2
-            if options.external_cert_file is None or options.external_ca_file is None:
-                print "You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file"
-                sys.exit(1);
-        if external and options.external_cert_file and not ipautil.file_exists(options.external_cert_file):
-            print "%s does not exist" % options.external_cert_file
-            sys.exit(1);
-        if external and options.external_ca_file and not ipautil.file_exists(options.external_ca_file):
-            print "%s does not exist" % options.external_ca_file
-            sys.exit(1);
+        elif options.external_ca:
+            external = 1
+        else:
+            external = 0
 
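Review bot: The removed block set `options.external_ca = True` when both certificate files were supplied, with a comment saying this is required or the dogtag setup fails; the new three-way assignment yields `external = 2` for that case but nothing in the hunk sets `options.external_ca` any more, and parse_options now rejects `--external-ca` alongside the cert files, so any downstream code that still reads `options.external_ca` in stage 2 will see it False unless it was changed elsewhere — please confirm, or add `options.external_ca = True` under the `external = 2` branch. As a smaller style point, the `if/elif/else` could be one expression, `external = 2 if options.external_cert_file else (1 if options.external_ca else 0)`, since each branch only assigns the integer. main() starts before and ends after the hunk.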
         cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
         if not cs.is_configured():
@@ -787,18 +798,16 @@ def main():
             options.master_password = master_password
             options.dm_password = dm_password
             options.admin_password = admin_password
-            options.host_name = host_default
+            options.host_name = host_name
             options.unattended = True
+            options.forwarders = dns_forwarders
+            options.reverse_zone = reverse_zone
             write_cache(options)
             ca.configure_instance(host_name, dm_password, dm_password,
                                   csr_file="/root/ipa.csr",
                                   subject_base=options.subject)
         else:
             # stage 2 of external CA installation
-            if not ca.is_installed():
-                # This can happen if someone passes external_ca_file without
-                # already having done the first stage of the CA install.
-                sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
             ca.configure_instance(host_name, dm_password, dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
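Review bot: The stage-2 guard removed from the `else:` branch tested `ca.is_installed()`, while its replacement in main() tests `cainstance.CADSInstance().is_configured()`; these are different conditions (the CA's directory server instance versus the CA itself), so a host where that DS instance was configured but the CA install did not complete would now reach `ca.configure_instance(...)` with the external cert files instead of receiving the two-stage message. Keeping a one-line check here, `if not ca.is_installed(): sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')`, would preserve that behaviour. The added `options.forwarders` and `options.reverse_zone` lines widen what `write_cache(options)` persists; since the same record already carries the Directory Manager, master and admin passwords on the context lines above, it would be worth confirming in write_cache (not visible here) that the cache file is created with restrictive permissions. The `ca.configure_instance` call continues past the end of the hunk.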
-- 
1.7.4.4
