On 12/06/2012 04:48 PM, Martin Kosek wrote:
> On 12/06/2012 04:45 PM, Martin Kosek wrote:
>> Modify the default IPA CA certificate profile to include CRL and
>> OCSP extensions which will add URIs to IPA CRL&OCSP to published
>> certificates.
>>
>> Both CRL and OCSP extensions have 2 URIs, one pointing directly to
>> the IPA CA which published the certificate and one to a new CNAME
>> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
>> to all IPA replicas which have CA configured.
>>
>> The new CNAME is added either during new IPA server/replica/CA
>> installation or during upgrade.
>>
>> https://fedorahosted.org/freeipa/ticket/3074
>> https://fedorahosted.org/freeipa/ticket/1431
>>
>> ----
>>
>> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make
>> things work the way we want them to :-)
>>
>> Martin
>>
> 
> I knew the subject is wrong the moment I clicked the Send button... Sending a
> fixed patch.
> 
> Martin

Found a crash in ipa-replica-install, sending a fixed patch.

Martin

From 5df8d4df782436df3d60b194058a66cf027e33ab Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Mon, 19 Nov 2012 10:32:28 -0500
Subject: [PATCH] Add OCSP and CRL URIs to certificates

Modify the default IPA CA certificate profile to include CRL and
OCSP extensions, which add the IPA CRL and OCSP URIs to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
---
 install/share/bind.zone.db.template |   3 +
 install/tools/ipa-ca-install        |  23 +++++-
 install/tools/ipa-replica-install   |   6 +-
 install/tools/ipa-server-install    |  14 ++--
 install/tools/ipa-upgradeconfig     |  38 ++++++++-
 ipaserver/install/bindinstance.py   |  62 ++++++++++++---
 ipaserver/install/cainstance.py     | 150 ++++++++++++++++++++++++++++++++----
 7 files changed, 256 insertions(+), 40 deletions(-)

diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 157d05e55c3f9a6521f055ae1301cfc4e8037ce6..5ee71d688646e57751dc6bc5562b6eb2f1925c2e 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -24,3 +24,6 @@ _kerberos-master._udp	IN SRV 0 100 88		$HOST
 _kpasswd._tcp		IN SRV 0 100 464	$HOST
 _kpasswd._udp		IN SRV 0 100 464	$HOST
 $OPTIONAL_NTP
+
+; CNAME for IPA CA replicas (used for CRL, OCSP)
+$IPA_CA_CNAME		IN CNAME		$HOST
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index aefcee8e5b903645b42902bb68e92d1e0c850ed8..f8f7e1d5d7ff191505b8068b8e77509085dd0e76 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -31,17 +31,17 @@ from ipaserver.install import certs
 from ipaserver.install.installutils import HostnameLocalhost
 from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
 from ipaserver.install.installutils import get_host_name, BadHostError
-from ipaserver.install import dsinstance, cainstance
+from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
 from ipalib import api, util
+from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 
 log_file_name = "/var/log/ipareplica-ca-install.log"
-CACERT = "/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR = None
 
 def parse_options():
@@ -74,6 +74,22 @@ def parse_options():
 def get_dirman_password():
     return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
 
+def install_dns_records(config, options):
+
+    if not bindinstance.dns_container_exists(config.master_host_name,
+                                             ipautil.realm_to_suffix(config.realm_name),
+                                             dm_password=config.dirman_password):
+        return
+
+    bind = bindinstance.BindInstance(dm_password=config.dirman_password)
+    try:
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                  bind_pw=config.dirman_password)
+        bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+    finally:
+        if api.Backend.ldap2.isconnected():
+             api.Backend.ldap2.disconnect()
+
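Review bot: `install_dns_records` takes `options` but never reads it, and it has no docstring; either drop the parameter or document it as kept for signature parity with the other install helpers, and add something like `"""Add the ipa-ca CNAME for this host to IPA DNS when IPA manages DNS; binds as Directory Manager and always disconnects."""`. The `api.Backend.ldap2.disconnect()` line inside the `finally` block is indented 13 spaces, one deeper than the `if` line above it — harmless to Python 2 but worth aligning before a linter trips on it. The early return after `dns_container_exists` happens before any connection is opened, so the `try`/`finally` correctly wraps only the connect and the CNAME call.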
 def main():
     safe_options, options, filename = parse_options()
 
@@ -176,6 +192,9 @@ def main():
         CA.enable_client_auth_to_db()
         CA.restart()
 
+    # Install CA DNS records
+    install_dns_records(config, options)
+
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f041c58a8494346d10693bf3ea986305904b8ce7..7d7115cfd2af0dd3131c861a76b81ea7aac0268f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -247,7 +247,8 @@ def install_bind(config, options):
         print "Using reverse zone %s" % reverse_zone
 
     bind.setup(config.host_name, config.ip_address, config.realm_name,
-               config.domain_name, forwarders, options.conf_ntp, reverse_zone)
+               config.domain_name, forwarders, options.conf_ntp, reverse_zone,
+               ca_configured=options.setup_ca)
     bind.create_instance()
 
     print ""
@@ -296,7 +297,8 @@ def install_dns_records(config, options):
 
         bind.add_master_dns_records(config.host_name, config.ip_address,
                                     config.realm_name, config.domain_name,
-                                    reverse_zone, options.conf_ntp)
+                                    reverse_zone, options.conf_ntp,
+                                    options.setup_ca)
 
 def check_dirsrv():
     (ds_unsecure, ds_secure) = dsinstance.check_ports()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 92e9dcf2fb2c4c30f1b4145e7368262f89eac6fd..306d1e07bab9883acb88bb655221811c03e7c386 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -965,8 +965,8 @@ def main():
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
             dogtag_constants=dogtag.install_constants)
         if external == 0:
-            ca.configure_instance(host_name, dm_password, dm_password,
-                                  subject_base=options.subject)
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password, subject_base=options.subject)
         elif external == 1:
             # stage 1 of external CA installation
             options.realm_name = realm_name
@@ -979,12 +979,13 @@ def main():
             options.forwarders = dns_forwarders
             options.reverse_zone = reverse_zone
             write_cache(vars(options))
-            ca.configure_instance(host_name, dm_password, dm_password,
-                                  csr_file="/root/ipa.csr",
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password, csr_file="/root/ipa.csr",
                                   subject_base=options.subject)
         else:
             # stage 2 of external CA installation
-            ca.configure_instance(host_name, dm_password, dm_password,
+            ca.configure_instance(host_name, domain_name, dm_password,
+                                  dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
                                   subject_base=options.subject)
@@ -1079,7 +1080,8 @@ def main():
                options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
                zone_refresh=options.zone_refresh,
                persistent_search=options.persistent_search,
-               serial_autoincrement=options.serial_autoincrement)
+               serial_autoincrement=options.serial_autoincrement,
+               ca_configured=not options.selfsign)
     if options.setup_dns:
         api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 12e96cfb77786a5ff503975d05876f56c8876111..096d4d64910197191388f5225d6c983bf50217a7 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ try:
     from ipapython.ipa_log_manager import *
     from ipapython import certmonger
     from ipapython import dogtag
+    from ipapython.dn import DN
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
@@ -47,6 +48,7 @@ try:
     import pwd
     import fileinput
     from ipalib import api
+    import ipalib.util
     import ipalib.errors
 except ImportError:
     print >> sys.stderr, """\
@@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
     http.setup_firefox_extension(realm, domain)
 
 
-def upgrade_ipa_profile(ca):
+def upgrade_ipa_profile(ca, domain, fqdn):
     """
     Update the IPA Profile provided by dogtag
 
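Review bot: `upgrade_ipa_profile` gains `domain` and `fqdn` but its docstring, which continues past this hunk, is not updated to say what they are for; add a line such as `domain and fqdn are used to build the ipa-ca.<domain> and per-host URIs written into the profile's OCSP and CRL extensions`. The function body also runs past the end of this hunk.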
@@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
         else:
             root_logger.debug('Subject Key Identifier already set.')
         audit = ca.set_audit_renewal()
-        if audit or ski:
+        uri = ca.set_crl_ocsp_extensions(domain, fqdn)
+        if audit or ski or uri:
             return True
     else:
         root_logger.info('CA is not configured')
@@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
                      'request pki-ca restart')
     return True
 
+def add_server_cname_records():
+    root_logger.info('[Add missing server CNAME records]')
+
+    if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError, e:
+            root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+        else:
+            ret = api.Command['dns_is_enabled']()
+            if not ret['result']:
+                root_logger.info('DNS is not configured')
+                sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+                return
+
+            bind = bindinstance.BindInstance()
+            # DNS is enabled, so let bindinstance find out if CA is enabled
+            # and let it add the CNAME in that case
+            bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
+            sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
+        finally:
+            if api.Backend.ldap2.isconnected():
+                 api.Backend.ldap2.disconnect()
+    else:
+        root_logger.info('IPA CA CNAME already processed')
+
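Review bot: In `add_server_cname_records` a failure raised by `bind.add_ipa_ca_cname(...)` (whatever `add_rr` does not handle itself — its body is outside this patch) propagates out of the function and aborts the remaining upgrade steps in `main()`, whereas a failed connect two lines above is only logged; if the CNAME is meant to be best-effort on upgrade, guard the call the same way, e.g. `except ipalib.errors.PublicError, e: root_logger.error("Cannot add IPA CA CNAME record: %s", e)`. Recording the `ipa_ca_cname` upgrade state only after the call succeeds means a transient LDAP error is retried on the next run, which looks intended and deserves a one-line comment. The `api.Backend.ldap2.disconnect()` line under `finally` is indented 17 spaces, one deeper than its `if` body.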
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -602,7 +631,7 @@ def main():
 
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    api.bootstrap(context='restart')
+    api.bootstrap(context='restart', in_server=True)
     api.finalize()
 
     fqdn = find_hostname()
@@ -667,13 +696,14 @@ def main():
 
     cleanup_kdc(fstore)
     setup_firefox_extension(fstore)
+    add_server_cname_records()
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bindinstance.BindInstance(fstore).restart()
-    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
+    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
 
     if ca_restart:
         root_logger.info('pki-ca configuration changed, restart pki-ca')
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 8a77edfa04ac79f84739c9fbbaa864db4a3c70a1..a528320c8129f1ccfcb3837867165f4891362aa1 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -28,6 +28,7 @@ import ldap
 import service
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
+from ipaserver.install.cainstance import IPA_CA_CNAME
 from ipaserver.install.installutils import resolve_host
 from ipapython import sysrestore
 from ipapython import ipautil
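Review bot: `from ipaserver.install.cainstance import IPA_CA_CNAME` imports the whole CA installer module into bindinstance.py for a single string constant; cainstance's own import list is outside this patch, so whether this creates an import cycle cannot be seen here, but if it does it will only surface as an `ImportError` at runtime. A constant shared by the DNS and CA installers fits better in a leaf module both files already import — `ipaserver.install.installutils` is imported here (line 304) and used by cainstance in this patch — so consider defining `IPA_CA_CNAME` there and importing it in both places.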
@@ -330,7 +331,7 @@ def del_rr(zone, name, type, rdata):
     delkw = { '%srecord' % str(type.lower()) : unicode(rdata) }
     try:
         api.Command.dnsrecord_del(unicode(zone), unicode(name), **delkw)
-    except (errors.NotFound, errors.EmptyModlist):
+    except (errors.NotFound, errors.AttrValueNotFound, errors.EmptyModlist):
         pass
 
 def get_rr(zone, name, type):
@@ -430,7 +431,8 @@ class BindInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
               reverse_zone, named_user="named", zonemgr=None,
-              zone_refresh=0, persistent_search=True, serial_autoincrement=True):
+              zone_refresh=0, persistent_search=True, serial_autoincrement=True,
+              ca_configured=None):
         self.named_user = named_user
         self.fqdn = fqdn
         self.ip_address = ip_address
@@ -444,6 +446,7 @@ class BindInstance(service.Service):
         self.zone_refresh = zone_refresh
         self.persistent_search = persistent_search
         self.serial_autoincrement = serial_autoincrement
+        self.ca_configured = ca_configured
 
         if not zonemgr:
             self.zonemgr = 'hostmaster.%s' % self.domain
@@ -497,6 +500,7 @@ class BindInstance(service.Service):
         if self.reverse_zone is not None:
             self.step("setting up reverse zone", self.__setup_reverse_zone)
         self.step("setting up our own record", self.__add_self)
+        self.step("setting up CA CNAME record", self.__add_ipa_ca_cname)
 
         self.step("setting up kerberos principal", self.__setup_principal)
         self.step("setting up named.conf", self.__setup_named_conf)
@@ -556,6 +560,7 @@ class BindInstance(service.Service):
                              OPTIONAL_NTP=optional_ntp,
                              ZONEMGR=self.zonemgr,
                              ZONE_REFRESH=self.zone_refresh,
+                             IPA_CA_CNAME=IPA_CA_CNAME,
                              PERSISTENT_SEARCH=boolean_var['persistent_search'],
                              SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
@@ -582,6 +587,28 @@ class BindInstance(service.Service):
     def __add_self_ns(self):
         add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True)
 
+    def __add_ipa_ca_cname(self):
+        if self.ca_configured is False:
+            root_logger.debug("CA is not configured, skip this step")
+            return
+        elif self.ca_configured is None:
+            # we do not know if CA is configured for this host and we can
+            # add the CA CNAME record. So we need to find out
+            root_logger.debug("Check if CA is enabled for this host")
+            base_dn = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'),
+                         ('cn', 'etc'), api.env.basedn)
+            ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
+            try:
+                api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
+            except ipalib.errors.NotFound:
+                # CA is not configured
+                root_logger.debug("CA is not configured")
+                return
+            else:
+                root_logger.debug("CA is configured for this host, continue")
+
+        add_rr(self.domain, IPA_CA_CNAME, "CNAME", self.host_in_rr)
+
     def __add_self(self):
         zone = self.domain
         resource_records = (
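Review bot: `__add_ipa_ca_cname` catches `ipalib.errors.NotFound`, but the rest of this module refers to that class as `errors.NotFound` (see `del_rr` in the hunk above), and `ipalib` itself is not added by this patch's import hunk; if the module-level name `ipalib` is not bound, the `except` clause raises `NameError` exactly when the lookup fails, i.e. on every host without a CA. Use `except errors.NotFound:` for consistency with the module. `DN` is likewise used here without appearing in the import changes, so confirm it is already imported in bindinstance.py. A short docstring would also help: `"""Add the ipa-ca CNAME for this host; with ca_configured=None, look the CA service up under cn=masters first."""`.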
@@ -681,7 +708,7 @@ class BindInstance(service.Service):
         resolv_fd.close()
 
     def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
-                               reverse_zone, ntp=False):
+                               reverse_zone, ntp=False, ca_configured=None):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
@@ -690,23 +717,36 @@ class BindInstance(service.Service):
         self.suffix = ipautil.realm_to_suffix(self.realm)
         self.ntp = ntp
         self.reverse_zone = reverse_zone
+        self.ca_configured = ca_configured
 
         self.__add_self()
+        self.__add_ipa_ca_cname()
+
+    def add_ipa_ca_cname(self, fqdn, domain_name, ca_configured=True):
+        self.host = fqdn.split(".")[0]
+        self.fqdn = fqdn
+        self.domain = domain_name
+        self.ca_configured = ca_configured
+        self.__add_ipa_ca_cname()
 
     def remove_master_dns_records(self, fqdn, realm_name, domain_name):
         host = fqdn.split(".")[0]
+        self.host = host
+        self.fqdn = fqdn
+        self.domain = domain_name
         suffix = ipautil.realm_to_suffix(realm_name)
 
         zone = domain_name
         resource_records = (
-            ("_ldap._tcp", "SRV", "0 100 389 %s" % host),
-            ("_kerberos._tcp", "SRV", "0 100 88 %s" % host),
-            ("_kerberos._udp", "SRV", "0 100 88 %s" % host),
-            ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % host),
-            ("_kerberos-master._udp", "SRV", "0 100 88 %s" % host),
-            ("_kpasswd._tcp", "SRV", "0 100 464 %s" % host),
-            ("_kpasswd._udp", "SRV", "0 100 464 %s" % host),
-            ("_ntp._udp", "SRV", "0 100 123 %s" % host),
+            ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
+            ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+            ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+            ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+            ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+            ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
+            ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
+            ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
+            (IPA_CA_CNAME, "CNAME", self.host_in_rr),
             ("@", "NS", fqdn+"."),
         )
 
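Review bot: `add_ipa_ca_cname` (and the template line in install/share/bind.zone.db.template) adds one CNAME RR for `ipa-ca` per CA-enabled replica, so with two or more CA replicas the owner name `ipa-ca.$DOMAIN` carries several CNAME records, which RFC 1034 §3.6.2 and RFC 2181 §10.1 do not allow (an alias has exactly one canonical name); name servers and resolvers treat that as malformed data, and since this commit bakes the name into the AIA and CRL-DP URIs of every issued certificate, a failing lookup silently leaves relying parties unable to fetch OCSP responses or the CRL. Publishing A/AAAA records for `ipa-ca`, one per CA replica (the `ip_address` the instance already stores for `__add_self`), gives the same round-robin behaviour without the single-CNAME constraint. `remove_master_dns_records` now assigns `self.host`, `self.fqdn` and `self.domain` only so that `host_in_rr` resolves; a one-line comment saying so would explain why a removal method mutates instance state.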
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 418267f6c5349bf98102b36c7c4e8e059a32fce8..dd66b7402d03a3b0cf2964695a8b70e9135d4a65 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -66,6 +66,9 @@ DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
 PKI_USER = "pkiuser"
 PKI_DS_USER = dogtag.install_constants.DS_USER
 
+# When IPA is installed with DNS support, this CNAME should hold all IPA
+# replicas with CA configured
+IPA_CA_CNAME = "ipa-ca"
 
 # We need to reset the template because the CA uses the regular boot
 # information
@@ -497,6 +500,7 @@ class CAInstance(service.Service):
         self.dm_password = None
         self.admin_password = None
         self.fqdn = None
+        self.domain = None
         self.pkcs12_info = None
         self.clone = False
 
@@ -516,7 +520,7 @@ class CAInstance(service.Service):
         self.ra_agent_db = ra_db
         self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
         self.ds_port = DEFAULT_DSPORT
-        self.domain_name = "IPA"
+        self.security_domain_name = "IPA"
         self.server_root = dogtag_constants.SERVER_ROOT
         self.ra_cert = None
         self.requestId = None
@@ -534,7 +538,7 @@ class CAInstance(service.Service):
         return os.path.exists(os.path.join(
             self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
 
-    def configure_instance(self, host_name, dm_password,
+    def configure_instance(self, host_name, domain, dm_password,
                            admin_password, ds_port=DEFAULT_DSPORT,
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
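Review bot: Inserting `domain` as the second positional parameter of `configure_instance` means any caller this patch missed (the diff updates ipa-server-install, `install_replica_ca` and the `__main__` block) would silently bind `dm_password` to `domain` and shift the remaining arguments, with no error until `set_crl_ocsp_extensions` formats `ipautil.format_netloc(domain)` — at which point the Directory Manager password would be written into the profile file and into the AIA/CRL-DP URIs of issued certificates. Appending `domain=None` as a keyword parameter (raising `ValueError` when it is missing) keeps the positional contract stable; at minimum a cheap sanity check such as `if not domain or '.' not in domain: raise ValueError('domain must be a DNS domain name')` would catch the mix-up. The `domain_name` → `security_domain_name` rename is applied to the two uses inside this file, but any reader of `ca.domain_name` elsewhere in the tree is outside this patch and worth grepping for.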
@@ -552,6 +556,7 @@ class CAInstance(service.Service):
            csr_file. For step 2 set cert_file and cert_chain_file.
         """
         self.fqdn = host_name
+        self.domain = domain
         self.dm_password = dm_password
         self.admin_password = admin_password
         self.ds_port = ds_port
@@ -596,6 +601,7 @@ class CAInstance(service.Service):
             self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("set certificate subject base", self.__set_subject_in_config)
             self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+            self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
             self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
             self.step("configuring certificate server to start on boot", self.__enable)
             if not self.clone:
@@ -633,7 +639,7 @@ class CAInstance(service.Service):
             "pki_client_database_password": self.admin_password,
             "pki_client_database_purge": "False",
             "pki_client_pkcs12_password": self.admin_password,
-            "pki_security_domain_name": self.domain_name,
+            "pki_security_domain_name": self.security_domain_name,
             "pki_admin_name":  "admin",
             "pki_admin_uid":  "admin",
             "pki_admin_email":  "root@localhost",
@@ -800,7 +806,7 @@ class CAInstance(service.Service):
                     "-client_certdb_dir", self.ca_agent_db,
                     "-client_certdb_pwd", self.admin_password,
                     "-preop_pin" , preop_pin,
-                    "-domain_name", self.domain_name,
+                    "-domain_name", self.security_domain_name,
                     "-admin_user", "admin",
                     "-admin_email",  "root@localhost",
                     "-admin_password", self.admin_password,
@@ -1239,6 +1245,124 @@ class CAInstance(service.Service):
 
         return publishdir
 
+    def __set_crl_ocsp_extensions(self):
+        self.set_crl_ocsp_extensions(self.domain, self.fqdn)
+
+    def set_crl_ocsp_extensions(self, domain, fqdn):
+        """
+        Configure CRL and OCSP extensions in default IPA certificate profile
+        if not done already.
+        """
+        changed = False
+
+        # OCSP extension
+        ocsp_location_0 = installutils.get_directive(
+            self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
+            separator='=')
+
+        if not ocsp_location_0:
+            # Set the first OCSP URI
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
+                'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
+                quotes=False, separator='=')
+            changed = True
+
+        ocsp_profile_count = installutils.get_directive(
+            self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
+            separator='=')
+
+        if ocsp_profile_count == '1':
+            # add the second OCSP URI
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
+                'true', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
+                'URIName', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
+                'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
+                quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
+                '1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
+                '2', quotes=False, separator='=')
+            changed = True
+
+
+        # CRL extension
+        crl_issuer_0 = installutils.get_directive(
+            self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+            separator='=')
+
+        if not crl_issuer_0:
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+                'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
+                'DirectoryName', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
+                'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
+                quotes=False, separator='=')
+            changed = True
+
+        crl_profile_count = installutils.get_directive(
+            self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.9.default.params.crlDistPointsNum',
+            separator='=')
+
+        if crl_profile_count == '1':
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
+                'true', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
+                'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
+                'DirectoryName', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
+                'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
+                quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
+                'URIName', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
+                '', quotes=False, separator='=')
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsNum',
+                '2', quotes=False, separator='=')
+            changed = True
+
+        # CRL extension is not enabled by default
+        setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.list', separator='=')
+        new_set_list = None
+
+        if setlist == '1,2,3,4,5,6,7,8':
+            new_set_list = '1,2,3,4,5,6,7,8,10'
+        elif setlist == '1,2,3,4,5,6,7,8,10':
+            new_set_list = '1,2,3,4,5,6,7,8,9,10'
+
+        if new_set_list:
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.list',
+                new_set_list, quotes=False, separator='=')
+            changed = True
+
+        return changed
+
+
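Review bot: In the `policyset.serverCertSet.list` handling at the end of `set_crl_ocsp_extensions`, the branch for the stock value `'1,2,3,4,5,6,7,8'` writes `'1,2,3,4,5,6,7,8,10'`, which enables set 10 (the Subject Key Identifier set, handled by the method at the bottom of this file) but not set 9, the CRL distribution points set this method just configured; on a hand-edited profile, or whenever this method runs before the SKI step, the result is matched by neither this method's second branch nor the SKI method's `'...,8'`/`'...,8,9'` check, so the CRL extension is never enabled while `changed` still reports True. The branch should write `new_set_list = '1,2,3,4,5,6,7,8,9'`, which the SKI method already accepts and extends with `,10`. Separately, the two OCSP locations disagree on scheme — `https://ipa-ca.<domain>/ca/ocsp` in slot 0, `http://<fqdn>/ca/ocsp` in slot 1 — and both CRL points use https; fetching OCSP responses or the CRL over TLS makes the client validate the responder's own certificate, usually against the very AIA/CDP it is trying to reach, which is why plain http (the OCSP response and CRL are signed anyway) is the usual choice, and at least the two slots should agree. The docstring should say what `domain` and `fqdn` are used for and that the return value reports whether the profile file was modified; the doubled blank lines before `# CRL extension` and before `__enable_crl_publish` are also out of step with the rest of the class.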
     def __enable_crl_publish(self):
         """
         Enable file-based CRL publishing and disable LDAP publishing.
@@ -1279,12 +1403,6 @@ class CAInstance(service.Service):
         installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
         installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
 
-        # Fix the CRL URI in the profile
-        installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
-            'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
-            quotes=False, separator='=')
-
         # If we are the initial master then we are the CRL generator, otherwise
         # we point to that master for CRLs.
         if not self.clone:
@@ -1484,11 +1602,12 @@ class CAInstance(service.Service):
 
         # this is the default setting from pki-ca/pki-tomcat. Don't touch it
         # if a user has manually modified it.
-        if setlist == '1,2,3,4,5,6,7,8':
+        if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
+            setlist = setlist + ',10'
             installutils.set_directive(
                 self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.list',
-                '1,2,3,4,5,6,7,8,10',
+                setlist,
                 quotes=False, separator='=')
             installutils.set_directive(
                 self.dogtag_constants.IPA_SERVICE_PROFILE,
@@ -1676,8 +1795,9 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
         # If installing this afterward the Apache NSS database already
         # exists, don't remove it.
         ca.create_ra_agent_db = False
-    ca.configure_instance(config.host_name, config.dirman_password,
-                          config.dirman_password, pkcs12_info=(cafile,),
+    ca.configure_instance(config.host_name, config.domain_name,
+                          config.dirman_password, config.dirman_password,
+                          pkcs12_info=(cafile,),
                           master_host=config.master_host_name,
                           master_replication_port=master_ds_port,
                           subject_base=config.subject_base)
@@ -1740,4 +1860,4 @@ if __name__ == "__main__":
         ds = dsinstance.DsInstance()
 
     ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
-    ca.configure_instance("catest.example.com", "password", "password")
+    ca.configure_instance("catest.example.com", "example.com", "password", "password")
-- 
1.7.11.7
