This changes the way IPA generates CRLs for new installs only.

The first master installed is configured as the CRL generator. An entry is added to cn=masters that designates it.

When a replica is installed it queries this entry so it knows where to forward CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will return not found). It is possible to get a CRL directly from the clone CA via http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL

rob
>From 0af03629df13a9e1bc210ec2afdb0ef13200b652 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 1 Oct 2012 17:16:00 -0400
Subject: [PATCH] Configure the initial CA as the CRL generator.

Subsequent CA installations will look for cn=CRL in the cn=masters
entry to determine who the CRL generator is and will forward requests
for the CRL to that host.

https://fedorahosted.org/freeipa/ticket/3051
---
 install/tools/ipa-server-install |  1 +
 ipaserver/install/cainstance.py  | 66 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 37d37b81a25c391e6b029b5918d440846a617210..8cf709f769162bee7e77c2b5781444c6defd5b63 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -982,6 +982,7 @@ def main():
     if not options.selfsign:
         ca.ldap_enable('CA', host_name, dm_password,
                        ipautil.realm_to_suffix(realm_name))
+        ca.set_crl_master(ipautil.realm_to_suffix(realm_name))
 
         # Turn on SSL in the dogtag LDAP instance. This will get restarted
         # later, we don't need SSL now.
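Review bot: The new call recomputes `ipautil.realm_to_suffix(realm_name)` that the `ldap_enable` call two lines above already computed; binding it once, `suffix = ipautil.realm_to_suffix(realm_name)`, and passing `suffix` to both calls keeps the two in step if the suffix derivation ever changes. It is also worth a short comment on the new line, since nothing here says why only the first master gets it: `# The first CA installed is the CRL generator; replicas look this entry up.` The enclosing `main()` starts and ends outside the hunk.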
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e08df06a840b91c7fe2d4d6dd1ee204a4abaf2f0..2f4da7dc7dd0eb709411b0d0f0d39c0d0e723db9 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -39,6 +39,7 @@ from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
 from ipalib import pkcs10, x509
+from ipalib import errors
 from ipapython.dn import DN
 import subprocess
 
@@ -458,6 +459,7 @@ class CAInstance(service.Service):
         self.cert_file = None
         self.cert_chain_file = None
         self.create_ra_agent_db = True
+        self.crl_master = None
 
         # The same database is used for mod_nss because the NSS context
         # will already have been initialized by Apache by the time
@@ -1213,6 +1215,69 @@ class CAInstance(service.Service):
 
         ipaservices.restore_context(publishdir)
 
+        # If we are the initial master then we are the CRL generator, otherwise
+        # we point to that master for CRLs.
+        if not self.clone:
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.certStatusUpdateInterval', '600', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
+        else:
+            if self.crl_master is not None:
+                installutils.set_directive(caconfig, 'master.ca.agent.host', self.crl_master, quotes=False, separator='=')
+                installutils.set_directive(caconfig, 'master.ca.agent.port', str(self.dogtag_constants.AGENT_SECURE_PORT), quotes=False, separator='=')
+            else:
+                root_logger.warn("There is no CRL generating host defined in cn=masters. CRL requests will not be forwarded.")
+            installutils.set_directive(caconfig, 'ca.certStatusUpdateInterval', '0', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
+
+    def set_crl_master(self, suffix):
+        """
+        Create the entry in cn=masters that distinguishes the CRL generating
+        CA.
+
+        This needs to be done after the 389-ds IPA instance is created.
+        """
+        assert isinstance(suffix, DN)
+        self.ldap_connect()
+
+        entry_name = DN(('cn', 'CRL'), ('cn', self.fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), suffix)
+        entry = ipaldap.Entry(entry_name)
+        entry.setValues("objectclass",
+                        "nsContainer")
+        entry.setValues("cn", "CRL")
+
+        try:
+            self.admin_conn.addEntry(entry)
+        except ldap.ALREADY_EXISTS, e:
+            root_logger.debug("failed to set CA as CRL generator")
+            raise e
+
+    def get_crl_master(self, suffix, master_host, dm_password):
+        """
+        Retrieve the hostname from cn=masters of the host that generates
+        CRLs.
+        """
+        assert isinstance(suffix, DN)
+        try:
+            conn = ipaldap.IPAdmin(master_host, port=389)
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, service.CACERT)
+            conn.start_tls_s()
+            conn.do_simple_bind(bindpw=dm_password)
+        except Exception, e:
+            root_logger.debug("Could not connect to the Directory Server on %s: %s" % (master_host, str(e)))
+            raise e
+
+        dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), suffix)
+        try:
+            entry = conn.getEntry(dn, ldap.SCOPE_SUBTREE, '(cn=CRL)')
+            self.crl_master = entry.dn[1]['cn']
+        except errors.NotFound, e:
+            root_logger.debug("failed to find CA CRL generator")
+            self.crl_master = None
+        finally:
+            conn.unbind()
+
     def __set_subject_in_config(self):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject
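Review bot: In `set_crl_master` the `except ldap.ALREADY_EXISTS, e:` branch logs "failed to set CA as CRL generator" and then `raise e`, which in Python 2 replaces the original traceback with one pointing at the `raise` line; the same `raise e` pattern appears in the connection block of `get_crl_master`. The message also misstates the condition, since the entry does exist. I would change the branch to `except ldap.ALREADY_EXISTS:` / `root_logger.debug("CRL generator entry %s already exists" % entry_name)` / `raise`, and use a bare `raise` in `get_crl_master` as well. In `get_crl_master`, `getEntry(dn, ldap.SCOPE_SUBTREE, '(cn=CRL)')` followed by `entry.dn[1]['cn']` presumably relies on exactly one `cn=CRL,cn=<host>,cn=masters` entry existing; if more than one host is ever marked (a later migration, for instance), which host a clone forwards to is unspecified, so a comment stating that single-entry assumption would help the next reader. The method that the first added block (the `if not self.clone:` directives) belongs to starts outside the hunk.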
@@ -1455,6 +1520,7 @@ def install_replica_ca(config, postinstall=False):
         # If installing this afterward the Apache NSS database already
         # exists, don't remove it.
         ca.create_ra_agent_db = False
+    ca.get_crl_master(ipautil.realm_to_suffix(config.realm_name), config.master_host_name, config.dirman_password)
     ca.configure_instance(config.host_name, config.dirman_password,
                           config.dirman_password, pkcs12_info=(cafile,),
                           master_host=config.master_host_name,
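Review bot: The new `ca.get_crl_master(...)` call is undocumented at the call site, and its outcome is not checked here: when no generator entry is found it leaves `crl_master` as `None`, and `configure_instance` then only logs a warning while the replica CA is installed without CRL forwarding. A comment above the call would make that contract visible: `# Look up the CRL generator in cn=masters on the master so CS.cfg can forward CRL requests; if none is registered, configure_instance() warns and leaves forwarding unset.` Note also that this binds to the master's Directory Server as Directory Manager before `configure_instance` runs, so a connection failure aborts the replica CA install at this point with whatever exception `get_crl_master` re-raises. `install_replica_ca` continues outside the hunk.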
-- 
1.7.11.4
