Martin Kosek wrote:
On 09/20/2012 11:58 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
The CA audit certificate is initially valid for two years but its
profile has it renewing at six months. This bumps the value up to two
years to match the other certificates.
This relies on Petr's and Ade's dogtag 10 patches.
Updated patch. The value of policyset.caLogSigningSet.2.constraint.params.range
needs to be bumped to 720 as well.
rob
1) I do not see the updated patch with the described change
2) Patch needs a rebase
3) In upgrade_ipa_profile function, please rather adopt the concept of
restarting the CA just once (ca_restart variable), at the end of the
ipa-upgraceconfig. With your change, CA would be restarted at least twice -
once for audit cert renewal update and then for CRL location change.
Otherwise it works OK - profile is updated.
Martin
done
rob
From f186b8871a910a9d89fc27a1e6c1b396a7c2d29f Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 9 Oct 2012 11:25:27 -0400
Subject: [PATCH] Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.
https://fedorahosted.org/freeipa/ticket/2951
---
install/tools/ipa-upgradeconfig | 21 ++---
ipaserver/install/cainstance.py | 33 +
2 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cb2164c0c3ed6d751dacc94633df2c1c257aa038..4ed718a9b9faea0821db5642544e9bb1194dbce4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -211,14 +211,15 @@ def upgrade_pki(fstore):
This requires enabling SSL renegotiation.
+configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
-if not os.path.exists('/etc/pki-ca/CS.cfg'):
+if not os.path.exists(configured_constants.CS_CFG_PATH):
root_logger.debug('No CA detected in /etc/pki-ca')
return
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
-if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists('/usr/bin/pki-setup-proxy'):
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
@@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
def upgrade_ipa_profile(ca):
Update the IPA Profile provided by dogtag
+
+Returns True if restart is needed, False otherwise.
root_logger.info('[Verifying that CA service certificate profile is updated]')
if ca.is_configured():
-if ca.enable_subject_key_identifier():
-root_logger.debug('Subject Key Identifier updated, restarting CA')
-ca.restart()
+ski = ca.enable_subject_key_identifier()
+if ski:
+root_logger.debug('Subject Key Identifier updated.')
else:
root_logger.debug('Subject Key Identifier already set.')
+audit = ca.set_audit_renewal()
+if audit or ski:
+return True
else:
root_logger.debug('CA is not configured')
+return False
+
def upgrade_httpd_selinux(fstore):
Update SElinux configuration for httpd instance in the same way as the
@@ -609,14 +617,13 @@ def main():
pass
cleanup_kdc(fstore)
-upgrade_ipa_profile(ca)
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
-ca_restart = ca_restart or enable_certificate_renewal(ca)
+ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 30a8274a6bff874e6ff50f1f090c41074cca662d..d6769d8e69f125526101f2d0402d1254ba5957bc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -562,6 +562,7 @@ class CAInstance(service.Service):
self.step(set up CRL publishing, self.__enable_crl_publish)
self.step(set certificate subject base, self.__set_subject_in_config)
self.step(enabling Subject Key Identifier, self.enable_subject_key_identifier)
+self.step(setting audit signing renewal to 2 years, self.set_audit_renewal)
self.step(configuring certificate server to start on boot,