On 19/01/16 16:10, David Kupka wrote:
On 19/01/16 14:38, Jan Cholasta wrote:
On 19.1.2016 14:26, Martin Kosek wrote:
On 01/19/2016 01:47 PM, David Kupka wrote:
I've polished the patch attached to #5586 by Timo Aaltonen.
Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.
https://fedorahosted.org/freeipa/ticket/5586
Won't this break existing certmonger requests depending on the old path?
It will, I don't see any upgrade code.
# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
You're right, it will break the upgrade. I hadn't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.
Thanks for the catch.
I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.
--
David Kupka
From 64927531ec69b77f705691590070fcb8dc634aed Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 17 Feb 2016 15:18:04 +0100
Subject: [PATCH 1/2] dsinstance: add start_tracking_certificates method
Configure certmonger to start tracking the certificate for DS.
https://fedorahosted.org/freeipa/ticket/5586
---
ipaserver/install/dsinstance.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3d5734efe7ad0ed2ccf03120b8461db9f99aa318..1def76b575dd10dcf2f737c37cce8e499440d319 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -968,6 +968,16 @@ class DsInstance(service.Service):
dsdb = certs.CertDB(self.realm, nssdir=dirname)
dsdb.untrack_server_cert(self.nickname)
+ def start_tracking_certificates(self, serverid=None):
+ if serverid is None:
+ serverid = self.get_state("serverid")
+ if serverid is not None:
+ dirname = config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(self.realm, nssdir=dirname)
+ dsdb.track_server_cert(self.nickname, self.principal,
+ dsdb.passwd_fname,
+ 'restart_dirsrv %s' % serverid)
+
# we could probably move this function into the service.Service
# class - it's very generic - all we need is a way to get an
# instance of a particular Service
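Review bot: When neither the serverid argument nor the stored "serverid" state is available, start_tracking_certificates returns without doing anything and without leaving a trace, so a caller cannot tell that no-op apart from a successful tracking request; an else branch on the `if serverid is not None:` check that logs at debug level would make it visible. The method also has no docstring; a one-liner such as `"""Ask certmonger to track the DS server cert, restarting this instance on renewal."""` would help, and it should state that self.nickname and self.principal must be set before the call, since both are handed to track_server_cert. The `[:-1]` on config_dirname's result presumably strips a trailing separator; a short comment saying so would save the next reader a lookup. The enclosing DsInstance class continues outside the hunk.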
--
2.5.0
From a324e680e9d7603f9175f92c44e4002c2917d83a Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 17 Feb 2016 15:18:17 +0100
Subject: [PATCH 2/2] httpinstance: add start_tracking_certificates method
Configure certmonger to start tracking certificate for httpd.
https://fedorahosted.org/freeipa/ticket/5586
---
ipaserver/install/httpinstance.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82cae017328c9555c543e78b64e642c89..437016b88a7f813744d29fa37f257a744c590fd8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -533,3 +533,8 @@ class HTTPInstance(service.Service):
def stop_tracking_certificates(self):
db = certs.CertDB(api.env.realm)
db.untrack_server_cert(self.cert_nickname)
+
+ def start_tracking_certificates(self):
+ db = certs.CertDB(self.realm)
+ db.track_server_cert(self.cert_nickname, self.principal,
+ db.passwd_fname, 'restart_httpd')
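Review bot: The new start_tracking_certificates opens the certificate database with `certs.CertDB(self.realm)` while stop_tracking_certificates directly above uses `certs.CertDB(api.env.realm)`, so tracking can only start when the caller has assigned `realm` on the instance, and it is not visible here whether the constructor does that. Either use the same source in both methods, `db = certs.CertDB(api.env.realm)`, or document the precondition in a docstring such as `"""Ask certmonger to track the httpd server cert; requires realm, principal and cert_nickname to be set."""`. HTTPInstance continues outside the hunk.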
--
2.5.0
From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@ubuntu.com>
Date: Tue, 19 Jan 2016 12:37:56 +0100
Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also causes trouble
on Debian).
https://fedorahosted.org/freeipa/ticket/5586
---
freeipa.spec.in | 4 ++--
install/restart_scripts/Makefile.am | 2 +-
ipaplatform/base/paths.py | 2 +-
ipapython/certmonger.py | 13 ++-----------
ipaserver/install/certs.py | 6 +-----
ipaserver/install/server/upgrade.py | 36 +++++++++++++++++++++++++++++++-----
6 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 961d8c38e0dd5f954bfca47e8209a5655eaacc86..c30a9fd0c4189c5b57bc4b7eaa29da99cb96a976 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1035,8 +1035,8 @@ fi
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%dir %{_libdir}/ipa/certmonger
-%attr(755,root,root) %{_libdir}/ipa/certmonger/*
+%dir %{_libexecdir}/ipa/certmonger
+%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
# NOTE: systemd specific section
%attr(644,root,root) %{_unitdir}/ipa.service
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index c4bf8195ea85ee0a9dba53fc2581e90c18a9127d..dd949a940218641f99b4ec29e5cd3abdaad0e75a 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -1,6 +1,6 @@
NULL =
-appdir = $(libdir)/ipa/certmonger
+appdir = $(libexecdir)/ipa/certmonger
app_DATA = \
restart_dirsrv \
restart_httpd \
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ee383711a711e7467d7b09dae4278d9dc1c41f63..bdff4f3934f3250bdfef3f913631b98d55d759b6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -149,7 +149,7 @@ class BasePathNamespace(object):
TMP_CA_P12 = "/tmp/ca.p12"
TMP_KRB5CC = "/tmp/krb5cc_%d"
USR_DIR = "/usr"
- CERTMONGER_COMMAND_TEMPLATE = "/usr/%s/ipa/certmonger/%s"
+ CERTMONGER_COMMAND_TEMPLATE = "/usr/libexec/ipa/certmonger/%s"
PKCS12EXPORT = "/usr/bin/PKCS12Export"
CERTUTIL = "/usr/bin/certutil"
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
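Review bot: CERTMONGER_COMMAND_TEMPLATE goes from two `%s` placeholders to one, so any definition or caller of this attribute that is not in this diff, for instance a platform-specific paths module overriding it with the old two-placeholder form, would make the updated `% (command)` calls in certs.py and certmonger.py fail with a TypeError at runtime. It is worth checking the other ipaplatform namespaces for such overrides before merging. A short comment on the constant, `# single %s: the helper script name under /usr/libexec/ipa/certmonger`, would also record the new contract.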
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..d62bdc320323608adfe0075f53484650d5595e94 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -25,7 +25,6 @@
from __future__ import print_function
import os
-import sys
import time
import dbus
import shlex
@@ -491,19 +490,11 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
params['KEY_PIN_FILE'] = os.path.abspath(pinfile)
if pre_command:
if not os.path.isabs(pre_command):
- if sys.maxsize > 2**32:
- libpath = 'lib64'
- else:
- libpath = 'lib'
- pre_command = certmonger_cmd_template % (libpath, pre_command)
+ pre_command = certmonger_cmd_template % (pre_command)
params['cert-presave-command'] = pre_command
if post_command:
if not os.path.isabs(post_command):
- if sys.maxsize > 2**32:
- libpath = 'lib64'
- else:
- libpath = 'lib'
- post_command = certmonger_cmd_template % (libpath, post_command)
+ post_command = certmonger_cmd_template % (post_command)
params['cert-postsave-command'] = post_command
if profile:
params['ca-profile'] = profile
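Review bot: `certmonger_cmd_template % (pre_command)` and `certmonger_cmd_template % (post_command)` keep parentheses that no longer form a tuple and read like a leftover of the removed two-argument form; `pre_command = certmonger_cmd_template % pre_command` and the matching post_command line say the same thing without the ambiguity. The same shape appears in certs.py at `paths.CERTMONGER_COMMAND_TEMPLATE % (command)`. dogtag_start_tracking starts and ends outside the hunk.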
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f74b76090bfe2670a998373e3c7cdc3c5727c465..c220ffdb3fea957bafc8d180da9c8c73d0cc2813 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -296,11 +296,7 @@ class CertDB(object):
/usr/lib[64]/ipa/certmonger.
"""
if command is not None and not os.path.isabs(command):
- if sys.maxsize > 2**32:
- libpath = 'lib64'
- else:
- libpath = 'lib'
- command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, command)
+ command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
try:
request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
except RuntimeError as e:
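Review bot: The docstring line `/usr/lib[64]/ipa/certmonger.` in the context just above the change still describes the old location and is now wrong for the code below it; it should read `/usr/libexec/ipa/certmonger.`. Since moving off lib/lib64 is the stated motivation of the commit, leaving the old path in the docstring will mislead the next reader. The enclosing method starts and ends outside the hunk.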
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 20379f19c652cb0b5911a4c2f1c67eae7f763379..d6ab0e90a9b3246bd9f121ff73e7a13d42108fa5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -807,13 +807,17 @@ def named_root_key_include():
sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
return True
-def certificate_renewal_update(ca):
+
+def certificate_renewal_update(ca, ds, http):
"""
Update certmonger certificate renewal configuration.
"""
+ serverid = installutils.realm_to_serverid(api.env.realm)
+ dirsrv_dir = dsinstance.config_dirname(serverid)
+
# bump version when requests is changed
- version = 4
+ version = 5
requests = (
(
paths.PKI_TOMCAT_ALIAS_DIR,
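Review bot: `dirsrv_dir = dsinstance.config_dirname(serverid)` is passed unmodified into the requests table (the DS Server-Cert entry in the next hunk), whereas the new DsInstance.start_tracking_certificates in the first patch of this series uses `config_dirname(serverid)[:-1]`, which suggests config_dirname returns a path with a trailing separator. If the loop that checks the requests table compares this directory against the path certmonger stores, the two forms may not match and the DS entry would never be found; normalizing here the same way, `dirsrv_dir = dsinstance.config_dirname(serverid)[:-1]`, or a comment explaining why the forms differ, would settle it. The bump to `version = 5` deserves a word in the comment above it naming the two added entries. certificate_renewal_update continues outside the hunk.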
@@ -863,6 +867,22 @@ def certificate_renewal_update(ca):
'renew_ca_cert',
None,
),
+ (
+ paths.HTTPD_ALIAS_DIR,
+ 'Server-Cert',
+ 'IPA',
+ None,
+ 'restart_httpd',
+ None,
+ ),
+ (
+ dirsrv_dir,
+ 'Server-Cert',
+ 'IPA',
+ None,
+ 'restart_dirsrv %s' % serverid,
+ None,
+ ),
)
root_logger.info("[Update certmonger certificate renewal configuration to "
@@ -910,6 +930,8 @@ def certificate_renewal_update(ca):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
ca.stop_tracking_certificates()
+ ds.stop_tracking_certificates(serverid)
+ http.stop_tracking_certificates()
if not sysupgrade.get_upgrade_state('dogtag',
'certificate_renewal_update_1'):
@@ -923,6 +945,8 @@ def certificate_renewal_update(ca):
ca.configure_renewal()
ca.configure_agent_renewal()
ca.track_servercert()
+ ds.start_tracking_certificates(serverid)
+ http.start_tracking_certificates()
sysupgrade.set_upgrade_state('dogtag', state, True)
root_logger.info("Certmonger certificate renewal configuration updated to "
@@ -1493,6 +1517,9 @@ def upgrade_configuration():
fstore.restore_file(removed_sysconfig_file)
http = httpinstance.HTTPInstance(fstore)
+ http.fqdn = fqdn
+ http.realm = api.env.realm
+ http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
@@ -1519,6 +1546,7 @@ def upgrade_configuration():
ds.fqdn = fqdn
ds.realm = api.env.realm
ds.suffix = ipautil.realm_to_suffix(api.env.realm)
+ ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
ds.ldap_connect()
ds_enable_sidgen_extdom_plugins(ds)
@@ -1531,8 +1559,6 @@ def upgrade_configuration():
# 389-ds needs to be running
ds.start()
http.ldapi = True
- http.fqdn = fqdn
- http.realm = api.env.realm
http.suffix = ipautil.realm_to_suffix(api.env.realm)
http.ldap_connect()
httpinstance.create_kdcproxy_user()
@@ -1613,7 +1639,7 @@ def upgrade_configuration():
ca_restart,
ca_upgrade_schema(ca),
upgrade_ca_audit_cert_validity(ca),
- certificate_renewal_update(ca),
+ certificate_renewal_update(ca, ds, http),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
])
--
2.5.0