This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.

https://fedorahosted.org/freeipa/ticket/3151


The same options are in ipa-replica-prepare. I think we should leave those be, so people with existing servers with custom certs can install replicas.

--
Petr³
From 664fdd8278144caecb756acda0e6a92db40d4898 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 22 Feb 2013 09:55:05 -0500
Subject: [PATCH] Remove option to use custom SSL certificates from
 ipa-server-install

Remove the --{dirsrv,http,pkinit}-{pkcs12,pin} options and code that
handles them.

https://fedorahosted.org/freeipa/ticket/3151
---
 install/tools/ipa-server-install |  111 +++++++------------------------------
 1 files changed, 21 insertions(+), 90 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..3ce139e6cfb66d9d17329a36c90756d448914d0c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython.dn import DN
 
 import ipaclient.ntpconf
 
-pw_name = None
 uninstalling = False
 installation_cleanup = True
 
@@ -168,18 +167,6 @@ def parse_options():
                       help="File containing PKCS#10 of the external CA chain")
     cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
                       default=True, help="disables pkinit setup steps")
-    cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
-                      help="PKCS#12 file containing the Directory Server SSL certificate")
-    cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
-                      help="PKCS#12 file containing the Apache Server SSL certificate")
-    cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
-                      help="PKCS#12 file containing the Kerberos KDC SSL certificate")
-    cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
-                      help="The password of the Directory Server PKCS#12 file")
-    cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
-                      help="The password of the Apache Server PKCS#12 file")
-    cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
-                      help="The password of the Kerberos KDC PKCS#12 file")
     cert_group.add_option("--subject", action="callback", callback=subject_callback,
                       type="string",
                       help="The certificate subject base (default O=<realm-name>)")
@@ -270,14 +257,6 @@ def parse_options():
             if not options.forwarders and not options.no_forwarders:
                 parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
-    # If any of the PKCS#12 options are selected, all are required. Create a
-    # list of the options and count it to enforce that all are required without
-    # having a huge set of it blocks.
-    pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-    cnt = pkcs12.count(None)
-    if cnt > 0 and cnt < 4:
-        parser.error("All PKCS#12 options are required if any are used.")
-
     if (options.external_cert_file or options.external_ca_file) and options.selfsign:
         parser.error("--selfsign cannot be used with the external CA options.")
 
@@ -304,7 +283,7 @@ def parse_options():
                     (options.idmax, options.idstart))
 
     #Automatically disable pkinit w/ dogtag until that is supported
-    if not options.pkinit_pkcs12 and not options.selfsign:
+    if not options.selfsign:
         options.setup_pkinit = False
 
     if options.zone_refresh < 0:
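Review bot: After this change `setup_pkinit` is forced to False on every install that is not `--selfsign`, so the `--no-pkinit` option (help text "disables pkinit setup steps", in the parse_options hunk above) now only has an effect on self-signed installs, and the default of True is misleading for the dogtag case. The comment above the condition should say so explicitly, e.g. `# PKINIT is only set up for --selfsign installs; dogtag-backed CAs do not support it yet, so --no-pkinit is implied there`, and the `--no-pkinit` help string could mention that it applies to self-signed installs only. parse_options continues outside the hunk.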
@@ -561,7 +540,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
 
 def main():
     global ds
-    global pw_name
     global uninstalling
     global installation_cleanup
     ds = None
@@ -931,26 +909,11 @@ def main():
     # Create a directory server instance
     ds = dsinstance.DsInstance(fstore=fstore)
 
-    if options.dirsrv_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.dirsrv_pin)
-        os.close(pw_fd)
-
-    if options.dirsrv_pkcs12:
-        pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-        try:
-            ds.create_instance(realm_name, host_name, domain_name,
-                               dm_password, pkcs12_info,
-                               subject_base=options.subject,
-                               hbac_allow=not options.hbac_allow)
-        finally:
-            os.remove(pw_name)
-    else:
-        ds.create_instance(realm_name, host_name, domain_name,
-                           dm_password, self_signed_ca=options.selfsign,
-                           idstart=options.idstart, idmax=options.idmax,
-                           subject_base=options.subject,
-                           hbac_allow=not options.hbac_allow)
+    ds.create_instance(realm_name, host_name, domain_name,
+                        dm_password, self_signed_ca=options.selfsign,
+                        idstart=options.idstart, idmax=options.idmax,
+                        subject_base=options.subject,
+                        hbac_allow=not options.hbac_allow)
 
     if options.selfsign:
         ca = certs.CertDB(realm_name, host_name=host_name,
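Review bot: The `tempfile.mkstemp` calls removed here and in the later krb/http hunk look like the only users of `tempfile` visible in this file; if no other use remains outside the diff, the top-level `import tempfile` is now dead and should be dropped in the same commit. The continuation lines of the new `ds.create_instance(` call are indented one column past the opening parenthesis; either align them under the parenthesis or use the hanging-indent style the new `http.create_instance(` call below adopts, so the three create_instance calls in main are written consistently. main() continues outside the hunk.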
@@ -1034,50 +997,27 @@ def main():
     ds.upload_ca_cert()
 
     # Create a kerberos instance
-    if options.pkinit_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.dirsrv_pin)
-        os.close(pw_fd)
-
     krb = krbinstance.KrbInstance(fstore)
-    if options.pkinit_pkcs12:
-        pkcs12_info = (options.pkinit_pkcs12, pw_name)
-        krb.create_instance(realm_name, host_name, domain_name,
-                            dm_password, master_password,
-                            setup_pkinit=options.setup_pkinit,
-                            pkcs12_info=pkcs12_info,
-                            subject_base=options.subject)
-    else:
-        krb.create_instance(realm_name, host_name, domain_name,
-                            dm_password, master_password,
-                            setup_pkinit=options.setup_pkinit,
-                            self_signed_ca=options.selfsign,
-                            subject_base=options.subject)
-
-    if options.pkinit_pin:
-        os.remove(pw_name)
+    krb.create_instance(realm_name, host_name, domain_name,
+                        dm_password, master_password,
+                        setup_pkinit=options.setup_pkinit,
+                        self_signed_ca=options.selfsign,
+                        subject_base=options.subject)
 
     # The DS instance is created before the keytab, add the SSL cert we
     # generated
     ds.add_cert_to_service()
 
     # Create a HTTP instance
 
-    if options.http_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.http_pin)
-        os.close(pw_fd)
-
     memcache = memcacheinstance.MemcacheInstance()
     memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name))
 
     http = httpinstance.HTTPInstance(fstore)
-    if options.http_pkcs12:
-        pkcs12_info = (options.http_pkcs12, pw_name)
-        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
-        os.remove(pw_name)
-    else:
-        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
+    http.create_instance(
+        realm_name, host_name, domain_name, dm_password, autoconfig=True,
+        self_signed_ca=options.selfsign, subject_base=options.subject,
+        auto_redirect=options.ui_redirect)
     ipaservices.restore_context("/var/cache/ipa/sessions")
 
     set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject)
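Review bot: With the `--http_pin` tempfile block gone, the `# Create a HTTP instance` comment now sits directly above the memcache instance creation, so it labels the wrong code; move it down to just before `http = httpinstance.HTTPInstance(fstore)` and, if a heading is wanted for the memcache lines, give them their own `# Create a memcache instance` comment. The same dead-`tempfile` import question raised on the directory-server hunk applies here as well. main() continues outside the hunk.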
@@ -1165,19 +1105,13 @@ def main():
         print "\t   and servers for correct operation. You should consider enabling ntpd."
 
     print ""
-    if options.http_pkcs12:
-        print "In order for Firefox autoconfiguration to work you will need to"
-        print "use a SSL signing certificate. See the IPA documentation for more details."
-        print "You also need to install a PEM copy of the CA certificate into"
-        print "/usr/share/ipa/html/ca.crt"
+    if options.selfsign:
+        print "Be sure to back up the CA certificate stored in /etc/httpd/alias/cacert.p12"
+        print "The password for this file is in /etc/httpd/alias/pwdfile.txt"
     else:
-        if options.selfsign:
-            print "Be sure to back up the CA certificate stored in /etc/httpd/alias/cacert.p12"
-            print "The password for this file is in /etc/httpd/alias/pwdfile.txt"
-        else:
-            print "Be sure to back up the CA certificate stored in /root/cacert.p12"
-            print "This file is required to create replicas. The password for this"
-            print "file is the Directory Manager password"
+        print "Be sure to back up the CA certificate stored in /root/cacert.p12"
+        print "This file is required to create replicas. The password for this"
+        print "file is the Directory Manager password"
 
     if ipautil.file_exists(ANSWER_CACHE):
         os.remove(ANSWER_CACHE)
@@ -1199,9 +1133,6 @@ if __name__ == '__main__':
         success = True
 
     finally:
-        if pw_name and ipautil.file_exists(pw_name):
-            os.remove(pw_name)
-
         if not success and installation_cleanup:
             # Do a cautious clean up as we don't know what failed and what is
             # the state of the environment
-- 
1.7.7.6
