Hi,

this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.

Honza

--
Jan Cholasta
>From 629ac8ce5471c9fb92403cfb8b2f1feceae91a0d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 8 Apr 2013 10:20:00 +0200
Subject: [PATCH] Use http instead of https for OCSP and CRL URLs in IPA
 certificate profile.

https://fedorahosted.org/freeipa/ticket/3552
---
 ipaserver/install/cainstance.py | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6bf22db..d1736e0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1271,17 +1271,18 @@ class CAInstance(service.Service):
         changed = False
 
         # OCSP extension
+        ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
         ocsp_location_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
             separator='=')
 
-        if not ocsp_location_0:
+        if ocsp_location_0 != ocsp_url:
             # Set the first OCSP URI
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
-                'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                ocsp_url, quotes=False, separator='=')
             changed = True
 
         ocsp_profile_count = installutils.get_directive(
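Review bot: The OCSP URL built on the new `ocsp_url` line drops https for plain http, which is correct, but nothing in the code records that it is deliberate, and a later maintainer is likely to "harden" it back to https. I'd add a comment above the assignment, e.g. `# Plain http is intentional: a client checking revocation must be able to fetch OCSP/CRL data without first validating a TLS certificate issued by this same CA.` The same note belongs on the two `crl_url` assignments in the following hunks. The enclosing method starts before this hunk and continues after it.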
@@ -1311,12 +1312,14 @@ class CAInstance(service.Service):
 
 
         # CRL extension
-        crl_issuer_0 = installutils.get_directive(
+        crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
+        crl_point_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
-            'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
             separator='=')
 
-        if not crl_issuer_0:
+        if crl_point_0 != crl_url:
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
                 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
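Review bot: The new `crl_url` line is missing the space before `%` that the sibling `ocsp_url` line in the previous hunk has; I'd write it as `crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin' % (IPA_CA_CNAME, ipautil.format_netloc(domain))`. The `if crl_point_0 != crl_url:` block continues past the end of this hunk.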
@@ -1325,10 +1328,11 @@ class CAInstance(service.Service):
                 'DirectoryName', quotes=False, separator='=')
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
-                'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                crl_url, quotes=False, separator='=')
             changed = True
 
+        crl_url = 'http://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn)
+
         crl_profile_count = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.9.default.params.crlDistPointsNum',
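Review bot: `crl_url` is rebound on the new line after `changed = True` to the fqdn-based URL, so one name carries two different values within the same method, and the `crl_point_1 != crl_url` comparison added in the last hunk silently depends on that rebinding happening first. I'd use two distinct names, e.g. `crl_url_domain` for the `IPA_CA_CNAME`/domain form and `crl_url_host` for the `fqdn` form, and update the four use sites (the two `set_directive` calls that take `crl_url` and the two `!=` comparisons) accordingly. The enclosing method starts before this hunk and continues after it.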
@@ -1346,8 +1350,7 @@ class CAInstance(service.Service):
                 'DirectoryName', quotes=False, separator='=')
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
-                'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
-                quotes=False, separator='=')
+                crl_url, quotes=False, separator='=')
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
                 'URIName', quotes=False, separator='=')
@@ -1359,6 +1362,17 @@ class CAInstance(service.Service):
                 '2', quotes=False, separator='=')
             changed = True
 
+        crl_point_1 = installutils.get_directive(
+            self.dogtag_constants.IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
+            separator='=')
+
+        if crl_point_1 != crl_url:
+            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
+                crl_url, quotes=False, separator='=')
+            changed = True
+
         # CRL extension is not enabled by default
         setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.list', separator='=')
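Review bot: The new `crl_point_1` block has no comment saying why it exists or why it is placed after the `crlDistPointsNum` block rather than next to the `crl_point_0` check above. If, as the surrounding code suggests, the count block only runs when the second distribution point is absent, then this block is what refreshes an existing second point that still carries the old https URL; I'd state that: `# A profile written before this change may already have a second CRL point with the old https URL; refresh it independently of crlDistPointsNum.` When the count block a few lines up has just written `crlDistPointsPointName_1`, this block re-reads the profile and compares again, which is harmless but worth a word in the same comment. The enclosing method continues past the end of this hunk.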
-- 
1.8.1.4
