This patch fixes https://fedorahosted.org/freeipa/ticket/5506 and also
reorganizes the way CA installer updates IPA default.conf.
Maybe a simpler patch would suffice, but I had a need to improve things
a bit.
This one is for the master branch only. IIRC the situation described in
#5506 does not occur in domain level 0; however, the root cause
(incorrect forwarding of certmonger requests by CA-less replicas)
manifests when enrolling a client against a CA-less replica and requesting
a host certificate.
Should I open a separate ticket for that?
--
Martin^3 Babinsky
From c67a6c03a4f2ed82aea7e0da03c9e2270eea2d42 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
IPA config entries
When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to the nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of the CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by the freshly installed local CA.
https://fedorahosted.org/freeipa/ticket/5506
---
ipaserver/install/ca.py| 16
ipaserver/install/cainstance.py| 19 ++-
ipaserver/install/server/replicainstall.py | 7 +++
3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index fcead1891583c2e495951fbeb733e6eec3b07ccf..1a51ebc8cf994eae70323ee0642bebd746080de2 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -7,8 +7,6 @@ from __future__ import print_function
import sys
import os.path
-from six.moves.configparser import RawConfigParser
-
from ipaserver.install import cainstance, dsinstance, bindinstance
from ipapython import ipautil, certdb
from ipaplatform import services
@@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
if standalone:
ca.start('pki-tomcat')
-# Update config file
-try:
-parser = RawConfigParser()
-parser.read(paths.IPA_DEFAULT_CONF)
-parser.set('global', 'enable_ra', 'True')
-parser.set('global', 'ra_plugin', 'dogtag')
-parser.set('global', 'dogtag_version', '10')
-with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-parser.write(f)
-except IOError as e:
-print("Failed to update /etc/ipa/default.conf")
-root_logger.error(str(e))
-sys.exit(1)
-
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 65f9e463d39ca1ecf4c42ca22620cf1f2de06880..2ca718a7b6799b7daf825918517a54852746a84f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,7 +41,7 @@ import shlex
import pipes
from six.moves import urllib
-from six.moves.configparser import ConfigParser
+from six.moves.configparser import ConfigParser, RawConfigParser
from ipalib import api
from ipalib import pkcs10, x509
@@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
+self.step("updating IPA configuration", update_ipa_conf)
self.start_creation(runtime=210)
@@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
+self.step("updating IPA configuration", update_ipa_conf)
self.step("Restart HTTP server to pick up changes",
self.__restart_http_instance)
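Review bot: The new step label `"updating IPA configuration"` is lowercase while the neighbouring steps in this method (`"Configure HTTP to proxy connections"`, `"Restart HTTP server to pick up changes"`) start with a capital; the same label is reused in the hunk at line 75, where the neighbours are lowercase, so the mismatch is only here. If the labels appear in installer output, matching the local convention (`self.step("Update IPA configuration", update_ipa_conf)`) reads more consistently. The enclosing method starts outside the hunk.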
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
api.Backend.ldap2.disconnect()
+def update_ipa_conf():
+"""
+Update IPA configuration file to ensure that RA plugins are enabled and
+that CA host points to localhost
+"""
+parser = RawConfigParser()
+parser.read(paths.IPA_DEFAULT_CONF)
+parser.set('global', 'enable_ra', 'True')
+parser.set('global', 'ra_plugin', 'dogtag')
+parser.set('global', 'dogtag_version', '10')
+parser.remove_option('global', 'ca_host')
+with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+parser.write(f)
+
+
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
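Review bot: update_ipa_conf drops the failure handling that the removed block in ca.py had around the same writes — there an IOError on paths.IPA_DEFAULT_CONF was caught, reported as "Failed to update /etc/ipa/default.conf" and turned into sys.exit(1), whereas here an unreadable or unwritable config file propagates a bare IOError out of the installer step with no mention of which file failed. If start_creation already reports step exceptions that may be acceptable, but keeping the file name in the message is cheap: `except IOError as e:` / `<logger in scope>.error("Failed to update %s: %s", paths.IPA_DEFAULT_CONF, e)` / `raise`, using whatever logger cainstance.py has in scope (ca.py used root_logger). The docstring also says the CA host "points to localhost" while the code removes the ca_host option rather than setting it; describing the actual effect avoids confusion for the next reader, e.g. `"""Enable the dogtag RA plugin in the IPA config and drop any ca_host override (set on CA-less replicas) so certificate requests are served by the local CA."""`. Note that RawConfigParser.write rewrites the whole file and discards comments, as the old code did too.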
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ec77ab21b1e4969bdcd8d9e588eed7b97e3a9079..d2b03431ee68c41b750fac33c3cf954d4bb5892e 100644
--- a/ipaserver/install/server/replicainstall.py
+++