Upgrading from a system that had an earlier version of IPA to the current is broken right now, due to the fact that the new code expects to talk to the Certificate Authority (CA) via the proxy ports (80, 443), and the old code used non standard ports (above 8000).

IPA needs to make two changes during upgrade. I'm trying to figure out the right place to make them.

The first change is to /etc/httpd/conf.d/nss.conf. The function to make the change during install is:

 ipaserver/install/httpinstance.py     self.__enable_mod_nss_renegotiate

which just makes these two method calls.

installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)

Seems to me that they should be added to install/tools/ipa-upgradeconfig, possibly the main, or a function called from it. Should I move the call enable_mod_nss_renegotiate into installutils and call it from both places instead of having it in httpinstance?

The other change is a little trickier. If the PKI server has not yet had the proxy enabled, we need to run the script pki-setup-proxy. To test if we should call that script, Ade and I have agreed that the best way is to test in CS.conf for changes made: The values proxy.securePort and proxy.unsecurePort should be set. Is there an appropriate tool for making this check? someting from installutils? I'm guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?

Freeipa-devel mailing list

Reply via email to