This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.
https://fedorahosted.org/freeipa/ticket/3151
The same options are in ipa-replica-prepare. I think we should leave
those be, so people with existing servers with custom certs can install
replicas.
--
Petr³
From 664fdd8278144caecb756acda0e6a92db40d4898 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 22 Feb 2013 09:55:05 -0500
Subject: [PATCH] Remove option to use custom SSL certificates from
ipa-server-install
Remove the --{dirsrv,http,pkinit}-{pkcs12,pin} options and code that
handles them.
https://fedorahosted.org/freeipa/ticket/3151
---
install/tools/ipa-server-install | 111 +++--
1 files changed, 21 insertions(+), 90 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..3ce139e6cfb66d9d17329a36c90756d448914d0c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython.dn import DN
import ipaclient.ntpconf
-pw_name = None
uninstalling = False
installation_cleanup = True
@@ -168,18 +167,6 @@ def parse_options():
help=File containing PKCS#10 of the external CA chain)
cert_group.add_option(--no-pkinit, dest=setup_pkinit, action=store_false,
default=True, help=disables pkinit setup steps)
-cert_group.add_option(--dirsrv_pkcs12, dest=dirsrv_pkcs12,
- help=PKCS#12 file containing the Directory Server SSL certificate)
-cert_group.add_option(--http_pkcs12, dest=http_pkcs12,
- help=PKCS#12 file containing the Apache Server SSL certificate)
-cert_group.add_option(--pkinit_pkcs12, dest=pkinit_pkcs12,
- help=PKCS#12 file containing the Kerberos KDC SSL certificate)
-cert_group.add_option(--dirsrv_pin, dest=dirsrv_pin, sensitive=True,
- help=The password of the Directory Server PKCS#12 file)
-cert_group.add_option(--http_pin, dest=http_pin, sensitive=True,
- help=The password of the Apache Server PKCS#12 file)
-cert_group.add_option(--pkinit_pin, dest=pkinit_pin,
- help=The password of the Kerberos KDC PKCS#12 file)
cert_group.add_option(--subject, action=callback, callback=subject_callback,
type=string,
help=The certificate subject base (default O=realm-name))
@@ -270,14 +257,6 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error(You must specify at least one --forwarder option or --no-forwarders option)
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt 0 and cnt 4:
-parser.error(All PKCS#12 options are required if any are used.)
-
if (options.external_cert_file or options.external_ca_file) and options.selfsign:
parser.error(--selfsign cannot be used with the external CA options.)
@@ -304,7 +283,7 @@ def parse_options():
(options.idmax, options.idstart))
#Automatically disable pkinit w/ dogtag until that is supported
-if not options.pkinit_pkcs12 and not options.selfsign:
+if not options.selfsign:
options.setup_pkinit = False
if options.zone_refresh 0:
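Review bot: The comment above the new `if not options.selfsign:` test no longer matches what the branch does. With the `pkinit_pkcs12` escape hatch removed, this is the only place that decides PKINIT, and it forces `options.setup_pkinit = False` for every install that is not `--selfsign`, regardless of the default of True set by the `--no-pkinit` option. I would reword it to something like `# PKINIT is only configured with --selfsign; force it off for Dogtag installs until that is supported`, so an operator reading the code does not expect a KDC certificate to be set up. Code later in the file that consumes `setup_pkinit` is not visible here and may still expect a PKCS#12 path, so that is worth a check. `parse_options()` starts and ends outside this hunk.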
@@ -561,7 +540,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
def main():
global ds
-global pw_name
global uninstalling
global installation_cleanup
ds = None
@@ -931,26 +909,11 @@ def main():
# Create a directory server instance
ds = dsinstance.DsInstance(fstore=fstore)
-if options.dirsrv_pin:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, options.dirsrv_pin)
-os.close(pw_fd)
-
-if options.dirsrv_pkcs12:
-pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-try:
-ds.create_instance(realm_name, host_name, domain_name,
- dm_password, pkcs12_info,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
-finally:
-os.remove(pw_name)
-else:
-ds.create_instance(realm_name, host_name, domain_name,
- dm_password, self_signed_ca=options.selfsign,
- idstart=options.idstart, idmax=options.idmax,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
+ds.create_instance(realm_name, host_name, domain_name,
+