Patches 16 and 17 fix regressions in the default profile.

Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser
From bc2b1d729c50dc1ae88a5e5709f655ea2f5ecd66 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 4 Jun 2015 22:49:01 -0400
Subject: [PATCH 16/18] Fix certificate subject base

Profile management patches introduced a regression where a custom
certificate subject base (if configured) is not used in the default
profile.  Use the configured subject base.

Part of: https://fedorahosted.org/freeipa/ticket/4002
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
ca0b6df5db80bc842a78f614872831ddd82330b1..42225c28c8201bbae8ac0e46f7791a7f6ed3d158
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1665,7 +1665,7 @@ def import_included_profiles():
         DOMAIN=ipautil.format_netloc(api.env.domain),
         IPA_CA_RECORD=IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
-        SUBJECT_DN_O=str(DN(('O', api.env.realm))),
+        SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
 
     server_id = installutils.realm_to_serverid(api.env.realm)
-- 
2.1.0

From dcf1531b109a0ebacb060be4b443df013957c56e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 5 Jun 2015 02:57:48 -0400
Subject: [PATCH 17/18] Import profiles earlier during install

Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions.  Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.

Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4002
---
 ipaserver/install/cainstance.py     |  5 +++++
 ipaserver/install/server/install.py |  3 ---
 ipaserver/plugins/dogtag.py         | 10 +++++++---
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -473,6 +473,9 @@ class CAInstance(DogtagInstance):
             self.step("configure Server-Cert certificate renewal", 
self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
+            if not self.clone:
+                self.step("restarting certificate server", 
self.restart_instance)
+                self.step("Importing IPA certificate profiles", 
import_included_profiles)
 
         self.start_creation(runtime=210)
 
@@ -1694,6 +1697,7 @@ def import_included_profiles():
             )
             conn.add_entry(entry)
             api.Backend.ra_certprofile._read_password()
+            api.Backend.ra_certprofile.override_port = 8443
             with api.Backend.ra_certprofile as profile_api:
                 # import the profile
                 try:
@@ -1715,6 +1719,7 @@ def import_included_profiles():
                 except errors.RemoteRetrieveError:
                     pass
 
+            api.Backend.ra_certprofile.override_port = None
             root_logger.info("Imported profile '%s'", profile_id)
 
     conn.disconnect()
diff --git a/ipaserver/install/server/install.py 
b/ipaserver/install/server/install.py
index 
955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0
 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -906,9 +906,6 @@ def install(options):
         service.print_msg("Restarting the certificate server")
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 
-        service.print_msg("Importing certificate profiles")
-        cainstance.import_included_profiles()
-
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
         dns.install(False, False, options)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 
e6668bb43b994863a14fdd347635753422ed9388..4b9d82a84e387758113066163c8346db69a734e1
 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1973,6 +1973,7 @@ class RestClient(Backend):
         super(RestClient, self).__init__()
 
         # session cookie
+        self.override_port = None
         self.cookie = None
 
     def _read_password(self):
@@ -2007,7 +2008,8 @@ class RestClient(Backend):
         if self.cookie is not None:
             return
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login',
+            self,ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/login',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
@@ -2020,7 +2022,8 @@ class RestClient(Backend):
     def __exit__(self, exc_type, exc_value, traceback):
         """Log out of the REST API"""
         dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout',
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/logout',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
@@ -2046,7 +2049,8 @@ class RestClient(Backend):
 
         # perform main request
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, resource,
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            resource,
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method=method, headers=headers, body=body
         )
-- 
2.1.0

From 166a55dddf89235799f2a19c5a709dc92a8a9ce7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 5 Jun 2015 05:02:58 -0400
Subject: [PATCH 18/18] ipa-pki-proxy: allow certificate and password
 authentication

ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.
---
 install/conf/ipa-pki-proxy.conf | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
366ca15a1868758547f9f1d3334fddba38793083..354b340f0a57d3424c3c13fd4054ed71080552fe
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -27,9 +27,16 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for REST API
-<LocationMatch 
"^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/profiles">
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient require
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+<LocationMatch "^/ca/rest/profiles">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to