Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
Dne 5.6.2015 v 14:16 David Kupka napsal(a): On 06/03/2015 05:49 PM, David Kupka wrote: Updated patch attached. ACK. The patch needed a rebase and there was a bug in ipa-replica-install, I took care of both, see attachment. Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034 There was also an unrelated problem in replicainstall.py which I also fixed, see the other attachment. Pushed to master under the one-liner rule: e01095dfb33aaef0ab1babf86a71d70410b666ed -- Jan Cholasta From f958c692dd2a81a652bce555474b4b6380e920f4 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Mon, 8 Jun 2015 05:23:56 + Subject: [PATCH] Move CA installation code into single module. https://fedorahosted.org/freeipa/ticket/4468 --- install/tools/ipa-ca-install | 251 +++ install/tools/ipa-replica-install | 3 + ipaserver/install/ca.py| 267 + ipaserver/install/server/install.py| 101 ++- ipaserver/install/server/replicainstall.py | 53 ++ 5 files changed, 330 insertions(+), 345 deletions(-) create mode 100644 ipaserver/install/ca.py diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index f087d2d..36b89b6 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install 
@@ -21,26 +21,18 @@
 import sys
 import os
 import shutil
-from ConfigParser import RawConfigParser
 from ipapython import ipautil
 from ipaserver.install import installutils
 from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
-expand_replica_info, read_replica_info, get_host_name, BadHostError,
-private_ccache, read_replica_info_dogtag_port, load_external_cert,
-create_replica_config)
-from ipaserver.install import dsinstance, cainstance, bindinstance
-from ipaserver.install.replication import replica_conn_check
+from ipaserver.install.installutils import (private_ccache,
+create_replica_config)
+from ipaserver.install import dsinstance, ca
 from ipapython import version
-from ipalib import api, certstore, x509
+from ipalib import api
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
-from ipapython import sysrestore
-from ipapython import dogtag
-from ipapython import certdb
 from ipapython.ipa_log_manager import *
-from ipaplatform import services
 from ipaplatform.paths import paths
 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
@@ -86,6 +78,9 @@ def parse_options():
 if len(args) != 1:
 parser.error(you must provide a file generated by ipa-replica-prepare)
+
+options.external_ca = None
+options.external_cert_files = None
 else:
 filename = None
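Review bot: The two added assignments in parse_options, `options.external_ca = None` and `options.external_cert_files = None`, inject attributes onto the parsed options object rather than declaring options on the parser, and nothing at the assignment says why; a comment such as `# not offered when installing a replica CA; set so ca.install_check can read both unconditionally` would spare the reader a trip to the new ipaserver/install/ca.py, whose install_check reads exactly these two attributes. If the parser does define these options in the replica case as well, the assignments silently discard what the user passed and an error would be preferable, but the option definitions are not visible in this hunk. parse_options starts and ends outside the hunk, and the same hunk appears unchanged in the earlier revision of the patch quoted further down the thread.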
@@ -106,31 +101,6 @@ def get_dirman_password(): Directory Manager (existing master), confirm=False, validate=False) -def check_ca(): -if not cainstance.check_port(): -print IPA requires port 8443 for PKI but it is currently in use. -sys.exit(1) - -def install_dns_records(config, options): - -if not bindinstance.dns_container_exists(config.master_host_name, - ipautil.realm_to_suffix(config.realm_name), - dm_password=config.dirman_password): -return - -bind = bindinstance.BindInstance(dm_password=config.dirman_password) -disconnect = False -try: -if not api.Backend.ldap2.isconnected(): -api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=config.dirman_password) -disconnect = True -bind.add_ipa_ca_dns_records(config.host_name, config.domain_name) -finally: -if api.Backend.ldap2.isconnected() and disconnect: -api.Backend.ldap2.disconnect() - - def install_replica(safe_options, options, filename): standard_logging_setup(log_file_name, debug=options.debug) @@ -141,18 +111,12 @@ def install_replica(safe_options, options, filename): if not ipautil.file_exists(filename): sys.exit(Replica file %s does not exist % filename) -global sstore -sstore = sysrestore.StateFile(paths.SYSRESTORE) - if not dsinstance.DsInstance().is_configured(): sys.exit(IPA server is not configured on this system.\n) api.bootstrap(in_server=True) api.finalize() -if api.env.ra_plugin == 'selfsign': -sys.exit('A selfsign CA can not be added') - # get the directory manager password dirman_password = options.password if not dirman_password: @@ -174,48 +138,17 @@ def install_replica(safe_options, options, filename): REPLICA_INFO_TOP_DIR = config.top_dir config.setup_ca = True -if not ipautil.file_exists(config.dir + /cacert.p12): -print 'CA cannot be installed in CA-less setup.' -
Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
Dne 8.6.2015 v 12:09 Jan Cholasta napsal(a): Dne 8.6.2015 v 08:25 Jan Cholasta napsal(a): Dne 5.6.2015 v 14:16 David Kupka napsal(a): On 06/03/2015 05:49 PM, David Kupka wrote: Updated patch attached. ACK. The patch needed a rebase and there was a bug in ipa-replica-install, I took care of both, see attachment. Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034 There was also an unrelated problem in replicainstall.py which I also fixed, see the other attachment. Pushed to master under the one-liner rule: e01095dfb33aaef0ab1babf86a71d70410b666ed There are some more bugs in CA-less and external CA install, see the attached patches for fixes. Fixed an additional issue in patch 437, see attachment. -- Jan Cholasta From bdcda90e2c0a202c94dff37a25bad3f6c97a16ee Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 8 Jun 2015 08:32:27 + Subject: [PATCH 1/2] install: Fix CA-less server install https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/server/install.py | 6 ++ 1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 5be10f5..6f47723 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -313,6 +313,9 @@ def common_cleanup(func):
 @common_cleanup
 def install_check(options):
+global dirsrv_pkcs12_file
+global http_pkcs12_file
+global pkinit_pkcs12_file
 global dirsrv_pkcs12_info
 global http_pkcs12_info
 global pkinit_pkcs12_info
@@ -637,6 +640,9 @@ def install_check(options):
 @common_cleanup
 def install(options):
+global dirsrv_pkcs12_file
+global http_pkcs12_file
+global pkinit_pkcs12_file
 global dirsrv_pkcs12_info
 global http_pkcs12_info
 global pkinit_pkcs12_info
-- 2.1.0 From 9afc3ed81670025c83aae874d2d9cc2c98f54d96 Mon Sep 17 00:00:00 2001 
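Review bot: Both hunks make install_check and install carry the same six `global` declarations for the `*_pkcs12_file` / `*_pkcs12_info` pairs, and the fact that this fix is needed at all — presumably the three `*_pkcs12_file` names were assigned in one function and read in the other without a declaration — shows how easily the two lists drift apart. Passing the PKCS#12 state explicitly (a small container returned by install_check and handed to install, or a single module-level dict keyed by service) would remove the parallel lists and this class of bug; if the module-level names must stay for other callers, the minimum is a comment above each list, `# module state shared between install_check() and install(); keep both lists identical`. Both functions start and end outside the hunks, so I cannot see where the names are assigned.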
From: Jan Cholasta jchol...@redhat.com Date: Mon, 8 Jun 2015 08:32:58 + Subject: [PATCH 2/2] install: Fix external CA server install https://fedorahosted.org/freeipa/ticket/4468 --- ipaserver/install/ca.py | 32 +++- ipaserver/install/server/install.py | 7 --- 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 8a8214c..1ef8b2c 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -25,9 +25,6 @@ def install_check(standalone, replica_config, options): host_name = options.host_name subject_base = options.subject -if replica_config is None and options.external_cert_files: -return - if replica_config is not None: if standalone and api.env.ra_plugin == 'selfsign': sys.exit('A selfsign CA can not be added') @@ -51,17 +48,7 @@ def install_check(standalone, replica_config, options): if standalone and api.Command.ca_is_enabled()['result']: sys.exit(CA is already installed.\n) -if options.external_ca: -if cainstance.is_step_one_done(): -print(CA is already installed.\nRun the installer with - --external-cert-file.) -sys.exit(1) -if ipautil.file_exists(paths.ROOT_IPA_CSR): -print(CA CSR file %s already exists.\nIn order to continue - remove the file and run the installer again. % - paths.ROOT_IPA_CSR) -sys.exit(1) -elif options.external_cert_files: +if options.external_cert_files: if not cainstance.is_step_one_done(): # This can happen if someone passes external_ca_file without # already having done the first stage of the CA install. 
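Review bot: In the second hunk the branch order is now `if options.external_cert_files:` followed by `elif options.external_ca:`, so a run that passes both options takes the step-two path and never reaches the "CA is already installed" and existing-CSR checks that the external_ca branch performs; the removed code had the opposite precedence, and the first hunk's deleted early return means the rest of install_check now runs in that case too. Unless the option parser already rejects the combination — not visible here — a guard ahead of the chain, `if options.external_ca and options.external_cert_files: sys.exit('--external-ca and --external-cert-file are mutually exclusive')`, would make the precedence deliberate rather than an accident of ordering. install_check starts before the first hunk and continues past the second.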
@@ -72,10 +59,21 @@ def install_check(standalone, replica_config, options): external_cert_file, external_ca_file = installutils.load_external_cert( options.external_cert_files, options.subject) +elif options.external_ca: +if cainstance.is_step_one_done(): +print(CA is already installed.\nRun the installer with + --external-cert-file.) +sys.exit(1) +if ipautil.file_exists(paths.ROOT_IPA_CSR): +print(CA CSR file %s already exists.\nIn order to continue + remove the file and run the installer again. % + paths.ROOT_IPA_CSR) +sys.exit(1) -if not cainstance.check_port(): -print (IPA requires port 8443 for PKI but it is currently in use.) -sys.exit(Aborting installation) +if not options.external_cert_files: +if not cainstance.check_port(): +print(IPA requires port 8443 for PKI but it is currently in use.) +sys.exit(Aborting installation) if standalone: dirname = dsinstance.config_dirname( diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 6f47723..faa9612 100644 ---
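Review bot: The new `if not options.external_cert_files:` wrapper around the port-8443 check has no comment, and the reason is not self-evident in ca.py — presumably step one of an external-CA install has already started the PKI service on 8443, so the unguarded check would abort step two for the wrong reason (before this patch the early return at the top of install_check bypassed the whole function for that case). Suggest `# step two of an external CA install: the CA configured in step one already listens on 8443` above the condition, so a later reader does not "fix" the guard back. install_check continues past this hunk, and the install.py diff that follows is cut off at the end of this message.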
Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
Dne 8.6.2015 v 17:04 David Kupka napsal(a): On 06/08/2015 04:23 PM, Jan Cholasta wrote: Dne 8.6.2015 v 12:09 Jan Cholasta napsal(a): Dne 8.6.2015 v 08:25 Jan Cholasta napsal(a): Dne 5.6.2015 v 14:16 David Kupka napsal(a): On 06/03/2015 05:49 PM, David Kupka wrote: Updated patch attached. ACK. The patch needed a rebase and there was a bug in ipa-replica-install, I took care of both, see attachment. Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034 There was also an unrelated problem in replicainstall.py which I also fixed, see the other attachment. Pushed to master under the one-liner rule: e01095dfb33aaef0ab1babf86a71d70410b666ed There are some more bugs in CA-less and external CA install, see the attached patches for fixes. Fixed an additional issue in patch 437, see attachment. Works for me, ACK. Thanks. Pushed to master: 4c70590c2a78b6d2cbfed585502442f733f26389 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.
On 06/03/2015 05:49 PM, David Kupka wrote: Updated patch attached. -- David Kupka From ca004a585f86a5e35d02a90dc9db0753f786b84a Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 3 Jun 2015 17:43:27 +0200 Subject: [PATCH] Move CA installation code into single module. --- install/tools/ipa-ca-install | 251 +++ install/tools/ipa-replica-install | 3 + ipaserver/install/ca.py| 267 + ipaserver/install/server/install.py| 101 ++- ipaserver/install/server/replicainstall.py | 46 ++--- 5 files changed, 325 insertions(+), 343 deletions(-) create mode 100644 ipaserver/install/ca.py diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index f087d2d6a5138915008395cde4c461fc7602811b..36b89b6437c21ff7538708858966915ce214ffec 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -21,26 +21,18 @@ import sys import os import shutil -from ConfigParser import RawConfigParser from ipapython import ipautil from ipaserver.install import installutils from ipaserver.install import certs -from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, -expand_replica_info, read_replica_info, get_host_name, BadHostError, -private_ccache, read_replica_info_dogtag_port, load_external_cert, -create_replica_config) -from ipaserver.install import dsinstance, cainstance, bindinstance -from ipaserver.install.replication import replica_conn_check +from ipaserver.install.installutils import (private_ccache, +create_replica_config) +from ipaserver.install import dsinstance, ca from ipapython import version -from ipalib import api, certstore, x509 +from ipalib import api from ipapython.dn import DN from ipapython.config import IPAOptionParser -from ipapython import sysrestore -from ipapython import dogtag -from ipapython import certdb from ipapython.ipa_log_manager import * -from ipaplatform import services from ipaplatform.paths import paths log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG 
@@ -86,6 +78,9 @@ def parse_options(): if len(args) != 1: parser.error(you must provide a file generated by ipa-replica-prepare) + +options.external_ca = None +options.external_cert_files = None else: filename = None @@ -106,31 +101,6 @@ def get_dirman_password(): Directory Manager (existing master), confirm=False, validate=False) -def check_ca(): -if not cainstance.check_port(): -print IPA requires port 8443 for PKI but it is currently in use. -sys.exit(1) - -def install_dns_records(config, options): - -if not bindinstance.dns_container_exists(config.master_host_name, - ipautil.realm_to_suffix(config.realm_name), - dm_password=config.dirman_password): -return - -bind = bindinstance.BindInstance(dm_password=config.dirman_password) -disconnect = False -try: -if not api.Backend.ldap2.isconnected(): -api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=config.dirman_password) -disconnect = True -bind.add_ipa_ca_dns_records(config.host_name, config.domain_name) -finally: -if api.Backend.ldap2.isconnected() and disconnect: -api.Backend.ldap2.disconnect() - - def install_replica(safe_options, options, filename): standard_logging_setup(log_file_name, debug=options.debug) @@ -141,18 +111,12 @@ def install_replica(safe_options, options, filename): if not ipautil.file_exists(filename): sys.exit(Replica file %s does not exist % filename) -global sstore -sstore = sysrestore.StateFile(paths.SYSRESTORE) - if not dsinstance.DsInstance().is_configured(): sys.exit(IPA server is not configured on this system.\n) api.bootstrap(in_server=True) api.finalize() -if api.env.ra_plugin == 'selfsign': -sys.exit('A selfsign CA can not be added') - # get the directory manager password dirman_password = options.password if not dirman_password: 
@@ -174,48 +138,17 @@ def install_replica(safe_options, options, filename): REPLICA_INFO_TOP_DIR = config.top_dir config.setup_ca = True -if not ipautil.file_exists(config.dir + /cacert.p12): -print 'CA cannot be installed in CA-less setup.' -sys.exit(1) +api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=dirman_password) -if not options.skip_conncheck: -replica_conn_check( -config.master_host_name, config.host_name, config.realm_name, True, -config.ca_ds_port, options.admin_password) +options.realm_name = config.realm_name +