Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
On 10/09/2014 03:56 PM, David Kupka wrote:
> On 10/08/2014 01:23 PM, Jan Cholasta wrote:
>> On 8.10.2014 at 12:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.
>>>
>>> Honza
>>
>> Forgot to delete a line in dogtaginstance.py (thanks to David for noticing).
>>
>> Updated patch attached.
>
> Works for me, ACK.

Thanks, pushed to master. Just to double check - no parts of the fixes should be applied to 4.1 or 4.0 branches, is that correct?

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
On 10/10/2014 08:50 AM, Martin Kosek wrote:
> On 10/09/2014 03:56 PM, David Kupka wrote:
>> On 10/08/2014 01:23 PM, Jan Cholasta wrote:
>>> On 8.10.2014 at 12:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.
>>>>
>>>> Honza
>>>
>>> Forgot to delete a line in dogtaginstance.py (thanks to David for noticing).
>>>
>>> Updated patch attached.
>>
>> Works for me, ACK.
>
> Thanks, pushed to master. Just to double check - no parts of the fixes should be applied to 4.1 or 4.0 branches, is that correct?
>
> Martin

I've never seen or been able to reproduce this bug other than on master branch. AFAIK, the issue was caused by KRA patches that are only in master.

-- 
David Kupka
Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
On 10.10.2014 at 08:55, David Kupka wrote:
> On 10/10/2014 08:50 AM, Martin Kosek wrote:
>> On 10/09/2014 03:56 PM, David Kupka wrote:
>>> On 10/08/2014 01:23 PM, Jan Cholasta wrote:
>>>> On 8.10.2014 at 12:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.
>>>>>
>>>>> Honza
>>>>
>>>> Forgot to delete a line in dogtaginstance.py (thanks to David for noticing).
>>>>
>>>> Updated patch attached.
>>>
>>> Works for me, ACK.
>>
>> Thanks, pushed to master. Just to double check - no parts of the fixes should be applied to 4.1 or 4.0 branches, is that correct?
>>
>> Martin
>
> I've never seen or been able to reproduce this bug other than on master branch. AFAIK, the issue was caused by KRA patches that are only in master.

The patch is master only and applies on top of the KRA changes.

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
On 10/08/2014 01:23 PM, Jan Cholasta wrote:
> On 8.10.2014 at 12:27, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.
>>
>> Honza
>
> Forgot to delete a line in dogtaginstance.py (thanks to David for noticing).
>
> Updated patch attached.

Works for me, ACK.

-- 
David Kupka
[Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619. Honza -- Jan Cholasta From d1f307cef0b72c8052dd9277d20814236cb19f79 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 7 Oct 2014 16:46:15 +0200 Subject: [PATCH] Fix certmonger configuration in installer code https://fedorahosted.org/freeipa/ticket/4619 --- install/tools/ipa-server-install | 5 +-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/cainstance.py | 87 +--- ipaserver/install/dogtaginstance.py | 76 ++- ipaserver/install/ipa_kra_install.py | 2 +- ipaserver/install/krainstance.py | 9 ++-- 6 files changed, 78 insertions(+), 103 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 89d7330..f394f1e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -561,14 +561,13 @@ def uninstall(): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) -kra_instance.stop_tracking_certificates(dogtag_constants) +kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) -ca_instance.stop_tracking_certificates(dogtag_constants) -ca_instance.stop_tracking_agent_certificate(dogtag_constants) +ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb5..339dcb9 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -727,7 +727,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: -ca.stop_tracking_certificates(dogtag_constants) +ca.stop_tracking_certificates() if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'): 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3a296f5..cbb9e2c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -330,6 +330,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation +tracking_reqs = (('auditSigningCert cert-pki-ca', None), + ('ocspSigningCert cert-pki-ca', None), + ('subsystemCert cert-pki-ca', None), + ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) +server_cert_name = 'Server-Cert cert-pki-ca' + def __init__(self, realm=None, ra_db=None, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): if dogtag_constants is None: @@ -363,11 +369,6 @@ class CAInstance(DogtagInstance): self.ra_agent_pwd = None self.ra_cert = None self.requestId = None -self.tracking_reqs = (('Server-Cert cert-pki-ca', None), - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password, @@ -452,7 +453,7 @@ class CAInstance(DogtagInstance): self.step(issuing RA agent certificate, self.__issue_ra_cert) self.step(adding RA agent as a trusted user, self.__configure_ra) self.step(configure certmonger for renewals, self.configure_certmonger_renewal) -self.step(configure certificate renewals, self.configure_cert_renewal) +self.step(configure certificate renewals, self.configure_renewal) if not self.clone: self.step(configure RA certificate renewal, self.configure_agent_renewal) self.step(configure Server-Cert certificate renewal, self.track_servercert) 
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) -@staticmethod -def configure_certmonger_renewal(): - -Create a new CA type for certmonger that will retrieve updated -certificates from the dogtag master server. - -services.knownservices.messagebus.start() -cmonger = services.knownservices.certmonger -cmonger.enable() -cmonger.start() - -bus = dbus.SystemBus() -obj = bus.get_object('org.fedorahosted.certmonger', - '/org/fedorahosted/certmonger') -iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') -
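Review bot: In the uninstall() hunk of install/tools/ipa-server-install, the call `ca_instance.stop_tracking_agent_certificate(dogtag_constants)` is removed with no direct replacement, so the RA agent certificate is only untracked if the new argument-less `stop_tracking_certificates()` now covers it. The cainstance.py code that would do this is not among the visible hunks; please confirm it does, otherwise uninstall leaves a certmonger tracking request behind. Both `stop_tracking_certificates()` calls also sit before the `is_installed()` / `is_configured()` checks, so they have to tolerate a host where the instance was never set up.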
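Review bot: The @@ -1311 hunk in ipaserver/install/cainstance.py deletes the static `configure_certmonger_renewal()` from CAInstance, yet the @@ -452 hunk still registers `self.configure_certmonger_renewal` as an install step. That only resolves if DogtagInstance now provides the method; the diffstat lists dogtaginstance.py as changed, but that hunk is not shown here. Please check that the moved version keeps its docstring, and that it can still be called without an instance if it is no longer a `@staticmethod`.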
Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
On 8.10.2014 at 12:27, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.
>
> Honza

Forgot to delete a line in dogtaginstance.py (thanks to David for noticing).

Updated patch attached.

-- 
Jan Cholasta

From f2edb5ddf291d1f14c13e155412f5154d491c84e Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 7 Oct 2014 16:46:15 +0200 Subject: [PATCH] Fix certmonger configuration in installer code https://fedorahosted.org/freeipa/ticket/4619 --- install/tools/ipa-server-install | 5 +-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/cainstance.py | 87 +--- ipaserver/install/dogtaginstance.py | 77 ++- ipaserver/install/ipa_kra_install.py | 2 +- ipaserver/install/krainstance.py | 9 ++-- 6 files changed, 78 insertions(+), 104 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 89d7330..f394f1e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -561,14 +561,13 @@ def uninstall(): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) -kra_instance.stop_tracking_certificates(dogtag_constants) +kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) -ca_instance.stop_tracking_certificates(dogtag_constants) -ca_instance.stop_tracking_agent_certificate(dogtag_constants) +ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb5..339dcb9 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: -ca.stop_tracking_certificates(dogtag_constants) +ca.stop_tracking_certificates() if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'): diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3a296f5..cbb9e2c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -330,6 +330,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation +tracking_reqs = (('auditSigningCert cert-pki-ca', None), + ('ocspSigningCert cert-pki-ca', None), + ('subsystemCert cert-pki-ca', None), + ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) +server_cert_name = 'Server-Cert cert-pki-ca' + def __init__(self, realm=None, ra_db=None, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): if dogtag_constants is None: @@ -363,11 +369,6 @@ class CAInstance(DogtagInstance): self.ra_agent_pwd = None self.ra_cert = None self.requestId = None -self.tracking_reqs = (('Server-Cert cert-pki-ca', None), - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password, 
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance): self.step(issuing RA agent certificate, self.__issue_ra_cert) self.step(adding RA agent as a trusted user, self.__configure_ra) self.step(configure certmonger for renewals, self.configure_certmonger_renewal) -self.step(configure certificate renewals, self.configure_cert_renewal) +self.step(configure certificate renewals, self.configure_renewal) if not self.clone: self.step(configure RA certificate renewal, self.configure_agent_renewal) self.step(configure Server-Cert certificate renewal, self.track_servercert) @@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) -@staticmethod -def configure_certmonger_renewal(): - -Create a new CA type for certmonger that will retrieve updated -certificates from the dogtag master server. - -services.knownservices.messagebus.start() -cmonger = services.knownservices.certmonger -cmonger.enable() -cmonger.start() - -bus = dbus.SystemBus() -obj =
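Review bot: In the ipaserver/install/cainstance.py hunks at @@ -330 and @@ -363, 'Server-Cert cert-pki-ca' is taken out of `tracking_reqs` and kept only as `server_cert_name`, so any loop over `tracking_reqs` now skips the server certificate. Starting tracking is still covered by the `self.track_servercert` step visible in the @@ -452 hunk, but please check that `stop_tracking_certificates()` also untracks `server_cert_name`. A short comment on the two new class attributes saying what the second tuple element means (None versus 'ipaCACertRenewal') would help, now that subclasses are expected to override them.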