Re: [Freeipa-devel] [PATCH] 35 Fix external CA install
Jan Cholasta wrote: On 26.7.2011 19:37, Rob Crittenden wrote: Jan Cholasta wrote: This patch contains several small fixes of external CA install. https://fedorahosted.org/freeipa/ticket/1523 This is a good start at simplifying things but needs a bit more work. One thing I was bending over backwards for was to handle whatever options were thrown at us. Here is a situation this does not handle very gracefully: # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. CA is not installed yet. To install with an external CA is a two-stage process. First run the installer with --external-ca. rob Moved the input validation to the beginning of main(), so that the errors are caught sooner. Honza Working great, ack. pushed to master and ipa-2-0 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 35 Fix external CA install
On 26.7.2011 19:37, Rob Crittenden wrote: Jan Cholasta wrote: This patch contains several small fixes of external CA install. https://fedorahosted.org/freeipa/ticket/1523 This is a good start at simplifying things but needs a bit more work. One thing I was bending over backwards for was to handle whatever options were thrown at us. Here is a situation this does not handle very gracefully: # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. CA is not installed yet. To install with an external CA is a two-stage process. First run the installer with --external-ca. rob Moved the input validation to the beginning of main(), so that the errors are caught sooner. Honza -- Jan Cholasta >From 0080143430cb5e8a76c8fb02fa9ad0a3a079cda9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 26 Jul 2011 13:21:36 +0200 Subject: [PATCH] Fix external CA install. ticket 1523 --- install/tools/ipa-server-install | 59 ++ 1 files changed, 34 insertions(+), 25 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 8f8100b..f477412 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -212,9 +212,15 @@ def parse_options(): if (options.external_cert_file or options.external_ca_file) and options.selfsign: parser.error("--selfsign cannot be used with the external CA options.") +if options.external_ca: +if options.external_cert_file: +parser.error("You cannot specify --external_cert_file together with --external-ca") +if options.external_ca_file: +parser.error("You cannot specify --external_ca_file together with --external-ca") + if ((options.external_cert_file and not options.external_ca_file) or (not options.external_cert_file and options.external_ca_file)): -parser.error("if either external option is used, both are required.") +parser.error("if either external CA option is used, both are required.") if (options.external_ca_file and not os.path.isabs(options.external_ca_file)): parser.error("--external-ca-file must use an absolute path") @@ -503,7 +509,7 @@ def main(): else: standard_logging_setup("/var/log/ipaserver-install.log", options.debug) print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" -if (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()) and not options.external_cert_file: +if not options.external_ca and not options.external_cert_file and (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()): sys.exit("IPA server is already configured on this system.\n" + "If you want to reinstall the IPA server please uninstall it first.") 
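Review bot: The two new parser.error messages in parse_options spell the options as `--external_cert_file` and `--external_ca_file`, while the existing message a few lines below says `--external-ca-file`; the command line quoted in this thread uses the underscore form, so the hyphenated message looks like the odd one out and a user cannot copy the flag from it. If the underscore form is what the parser registers (the option definitions are outside the hunk), align the existing line: `parser.error("--external_ca_file must use an absolute path")`. Only external_ca_file gets the os.path.isabs test here; no matching test for external_cert_file is visible in the hunk, so if parse_options does not do it elsewhere, add the same check for that option before the paths are handed to the CA setup. parse_options continues outside the hunk.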
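Review bot: Relaxing the "already configured" exit in main() for --external-ca removes the only place where dsinstance.DsInstance().is_configured() is consulted, and the replacement check added in the @@ -544 hunk below only looks at cainstance.CADSInstance(); an --external-ca run on a host whose main directory server instance is already configured (which, if the first stage configures only the CA's directory server as the installer output quoted in the thread suggests, means a completed earlier install) now falls through into the ntpd and directory server setup. Keep the DS test unconditional and make only the CA test depend on the mode, e.g. `if dsinstance.DsInstance().is_configured() or (not options.external_ca and not options.external_cert_file and cainstance.CADSInstance().is_configured()):` with the same sys.exit message. The same reasoning applies to the --external_cert_file stage, which was already exempt before this change. main() continues outside the hunk.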
@@ -544,9 +550,26 @@ def main(): return uninstall() +if options.external_ca: +if cainstance.CADSInstance().is_configured(): +print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file." +sys.exit(1) +elif options.external_cert_file: +if not cainstance.CADSInstance().is_configured(): +# This can happen if someone passes external_ca_file without +# already having done the first stage of the CA install. +print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca." +sys.exit(1) +if not ipautil.file_exists(options.external_cert_file): +print "%s does not exist" % options.external_cert_file +sys.exit(1) +if not ipautil.file_exists(options.external_ca_file): +print "%s does not exist" % options.external_ca_file +sys.exit(1) + # This will override any settings passed in on the cmdline if ipautil.file_exists(ANSWER_CACHE): -dm_password = read_dm_password() +dm_password = read_password("Directory Manager", confirm=False) options._update_loose(read_cache(dm_password)) print "==" @@ -754,24 +777,12 @@ def main(): # Figure out what state we're in. See cainstance.py for more info on # the 3 states. -if options.external_cert_file is not Non
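Review bot: The new abort paths in main() report through `print` followed by `sys.exit(1)`, which sends the diagnostic to stdout, whereas the existing check in this function uses `sys.exit("...")` and so writes to stderr; use the same form for the two CA-state messages and the two "does not exist" messages, e.g. `sys.exit("CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file.")`. ipautil.file_exists only establishes that the path exists, not that the certificate and CA chain files are readable regular files, so a directory or an unreadable file passes here and the failure surfaces only once installation steps have already run; consider opening both files read-only at this point and reporting the error instead. These checks also run before `options._update_loose(read_cache(dm_password))`, which the comment says overrides command-line settings — if the cache can carry external_cert_file/external_ca_file values, the validated paths may not be the ones actually used; worth confirming against read_cache and _update_loose, which are outside the hunk. main() continues outside the hunk.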
Re: [Freeipa-devel] [PATCH] 35 Fix external CA install
Jan Cholasta wrote: This patch contains several small fixes of external CA install. https://fedorahosted.org/freeipa/ticket/1523 This is a good start at simplifying things but needs a bit more work. One thing I was bending over backwards for was to handle whatever options were thrown at us. Here is a situation this does not handle very gracefully: # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. CA is not installed yet. To install with an external CA is a two-stage process. First run the installer with --external-ca. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 35 Fix external CA install
This patch contains several small fixes of external CA install. https://fedorahosted.org/freeipa/ticket/1523 -- Jan Cholasta >From 4fb87a142e41f85038160576e9b4529bd6d67600 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 26 Jul 2011 13:21:36 +0200 Subject: [PATCH] Fix external CA install. ticket 1523 --- install/tools/ipa-server-install | 28 ++-- 1 files changed, 14 insertions(+), 14 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 8f8100b..be14a02 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -214,7 +214,7 @@ def parse_options(): if ((options.external_cert_file and not options.external_ca_file) or (not options.external_cert_file and options.external_ca_file)): -parser.error("if either external option is used, both are required.") +parser.error("if either external CA option is used, both are required.") if (options.external_ca_file and not os.path.isabs(options.external_ca_file)): parser.error("--external-ca-file must use an absolute path") @@ -546,7 +546,7 @@ def main(): # This will override any settings passed in on the cmdline if ipautil.file_exists(ANSWER_CACHE): -dm_password = read_dm_password() +dm_password = read_password("Directory Manager", confirm=False) options._update_loose(read_cache(dm_password)) print "==" 
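Review bot: Replacing read_dm_password() with `read_password("Directory Manager", confirm=False)` on the answer-cache path in main() changes what is enforced when the password is collected; if read_dm_password() applied the Directory Manager password policy (both helpers are outside the hunk), that validation no longer runs here. That is presumably intended, since the value only unlocks an existing cache, but the intent should be stated on the line, e.g. `# Only unlocking the existing answer cache here, so no confirmation prompt.`. The same replacement appears in the @@ -544,9 +550,26 @@ hunk of the revised patch earlier on this page. main() continues outside the hunk.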
@@ -755,23 +755,21 @@ def main(): # Figure out what state we're in. See cainstance.py for more info on # the 3 states. if options.external_cert_file is not None and options.external_ca_file is not None: -# These options imply this and this is required to install the CA. -# This is needed otherwise the setup of dogtag will fail. -options.external_ca = True -external = 0 -if options.external_ca: -external = 1 -if external and ipautil.file_exists("/root/ipa.csr"): external = 2 -if options.external_cert_file is None or options.external_ca_file is None: +elif options.external_ca: +if ipautil.file_exists("/root/ipa.csr"): print "You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file" -sys.exit(1); +sys.exit(1) +external = 1 +else: +external = 0 + if external and options.external_cert_file and not ipautil.file_exists(options.external_cert_file): print "%s does not exist" % options.external_cert_file -sys.exit(1); +sys.exit(1) if external and options.external_ca_file and not ipautil.file_exists(options.external_ca_file): print "%s does not exist" % options.external_ca_file -sys.exit(1); +sys.exit(1) cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password) if not cs.is_configured(): @@ -787,8 +785,10 @@ def main(): options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password -options.host_name = host_default +options.host_name = host_name options.unattended = True +options.forwarders = dns_forwarders +options.reverse_zone = reverse_zone write_cache(options) ca.configure_instance(host_name, dm_password, dm_password, csr_file="/root/ipa.csr", -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
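Review bot: The CSR path "/root/ipa.csr" is now spelled out three times in the new state logic in main() (the file_exists test, the user-facing message, and the csr_file= argument in the @@ -787 hunk); hoist it into one module-level constant so the three cannot drift, e.g. `CSR_FILE = "/root/ipa.csr"` and `if ipautil.file_exists(CSR_FILE):`. With the restructured if/elif, `external` is 1 only when neither file option is given (parse_options rejects a lone one), so the two `if external and options.external_cert_file and not ipautil.file_exists(...)` guards can be written as `if external == 2 and not ipautil.file_exists(options.external_cert_file):`, which says what is meant. main() continues outside the hunk.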
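Review bot: write_cache(options) in main() now persists dns_forwarders and reverse_zone next to `options.dm_password`, `options.master_password` and `options.admin_password`, so the answer cache at ANSWER_CACHE holds every credential needed to finish the install between the two stages; write_cache and read_cache are outside the hunk, so confirm the file is created owner-readable only rather than with the process default mode, and that it is removed once the second stage has consumed it. A hedged comment above the call would help the next reader, e.g. `# NOTE(review): the cache includes all passwords — confirm write_cache creates it owner-only (0600).`. main() continues outside the hunk.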