Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
On 05/06/15 11:47, Fraser Tweedale wrote:
Patches 16 and 17 fix regressions in the default profile.
Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser

NACK, sorry

./make-lint
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')

-- Martin Basti

Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018.

Thanks,
Fraser

From 61677911dec136e6d022622549c476f8ca5f6e5b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale ftwee...@redhat.com
Date: Fri, 5 Jun 2015 02:57:48 -0400
Subject: [PATCH 17/18] Import profiles earlier during install

Currently, IPA certificate profile import happens at end of install. Certificate issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed.

Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4002

--- ipaserver/install/cainstance.py | 5 + ipaserver/install/server/install.py | 3 --- ipaserver/plugins/dogtag.py | 10 +++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -473,6 +473,9 @@ class CAInstance(DogtagInstance): self.step(configure Server-Cert certificate renewal, self.track_servercert) self.step(Configure HTTP to proxy connections, self.http_proxy) +if not self.clone: +self.step(restarting certificate server, self.restart_instance) +self.step(Importing IPA certificate profiles, import_included_profiles) self.start_creation(runtime=210) @@ -1694,6 +1697,7 @@ def import_included_profiles(): ) conn.add_entry(entry) api.Backend.ra_certprofile._read_password() +api.Backend.ra_certprofile.override_port = 8443 with api.Backend.ra_certprofile as profile_api: # import the profile try: @@ -1715,6 +1719,7 @@ def import_included_profiles(): except errors.RemoteRetrieveError: pass +api.Backend.ra_certprofile.override_port = None root_logger.info(Imported profile '%s', profile_id) conn.disconnect() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -906,9 +906,6 @@ def install(options): service.print_msg(Restarting the certificate server) ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) -service.print_msg(Importing certificate profiles) -cainstance.import_included_profiles() - if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index e6668bb43b994863a14fdd347635753422ed9388..e60cced1a35df821d900407df2d9b66371c61510 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1973,6 +1973,7 @@ class RestClient(Backend): super(RestClient, self).__init__() # session cookie +self.override_port = None self.cookie = None def _read_password(self): 
@@ -2007,7 +2008,8 @@ class RestClient(Backend): if self.cookie is not None: return status, status_text, resp_headers, resp_body = dogtag.https_request( -self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login', +self.ca_host, self.override_port or self.env.ca_agent_port, +'/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, method='GET' ) @@ -2020,7 +2022,8 @@ class RestClient(Backend): def __exit__(self, exc_type, exc_value, traceback): Log out of the REST API dogtag.https_request( -self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout', +self.ca_host, self.override_port or self.env.ca_agent_port, +
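Review bot: in import_included_profiles() (ipaserver/install/cainstance.py), the reset "api.Backend.ra_certprofile.override_port = None" appears as a plain statement after the except clause rather than in a finally, so as far as the visible lines show, an exception other than errors.RemoteRetrieveError leaves the shared backend pointing at port 8443 for every later caller. Wrap the assignment and the reset in try/finally, or pass the port to the context manager instead of mutating the backend. The literal 8443 should also be a named constant with a comment saying why the install-time import cannot use env.ca_agent_port.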
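Review bot: in install() (ipaserver/install/server/install.py), the leading context still prints "Restarting the certificate server" and calls ca.restart(...), while the cainstance.py hunk adds its own restart_instance step just before the profile import. Please confirm this later restart is still required now that the import has moved. If it is, add a comment saying what it picks up; if not, remove it together with the import.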
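Review bot: in RestClient.__init__ (ipaserver/plugins/dogtag.py), the new "self.override_port = None" is placed between the "# session cookie" comment and "self.cookie = None", so the comment now labels the wrong attribute. Move the assignment above that comment and give it its own comment stating that it overrides env.ca_agent_port for the login and logout requests.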
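Review bot: the expression "self.override_port or self.env.ca_agent_port" is repeated in RestClient.__enter__ and __exit__, and it decides which port receives the request made with self.password and self.ipa_certificate_nickname. Factor it into a single helper or property so login and logout cannot drift apart. Note also that __enter__ returns early when self.cookie is already set, so an override applied while a session exists is silently ignored on login but still used for logout; that behaviour deserves a comment or a check.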
Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
Is it supposed to fix this issue?

2015-06-05T12:11:57Z DEBUG File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
    return_value = self.run()
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py, line 44, in run
    import ipaserver.plugins.dogtag # ensure profile backend gets loaded
  File /usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py, line 1273, in module
    raise SkipPluginModule(reason='dogtag not selected as RA plugin')

On 06/05/2015 01:53 PM, Fraser Tweedale wrote:
On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
On 05/06/15 11:47, Fraser Tweedale wrote:
Patches 16 and 17 fix regressions in the default profile.
Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser

NACK, sorry

./make-lint
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')

-- Martin Basti

Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018.

Thanks,
Fraser

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
On 05/06/15 14:16, Oleg Fayans wrote:
Is it supposed to fix this issue?

2015-06-05T12:11:57Z DEBUG File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
    return_value = self.run()
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py, line 44, in run
    import ipaserver.plugins.dogtag # ensure profile backend gets loaded
  File /usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py, line 1273, in module
    raise SkipPluginModule(reason='dogtag not selected as RA plugin')

No

On 06/05/2015 01:53 PM, Fraser Tweedale wrote:
On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
On 05/06/15 11:47, Fraser Tweedale wrote:
Patches 16 and 17 fix regressions in the default profile.
Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser

NACK, sorry

./make-lint
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')

-- Martin Basti

Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018.

Thanks,
Fraser

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- Martin Basti
Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
On 06/05/2015 05:09 PM, Martin Basti wrote:
On 05/06/15 14:18, Martin Basti wrote:
snip
NACK, sorry
snip
Martin Basti

Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018.

Thanks,
Fraser

-- Martin Basti

ACK 16-1, 17-2, 18-2

pushed to master:
* ce33f82cfe528c17d3a1367172bb1475fe169b25 Fix certificate subject base
* 8b3bc99a737edb9178e115c188d60d963f73e50c Import profiles earlier during install
* 355b6d416d800692f7028e057ff76aab9f8c0470 ipa-pki-proxy: allow certificate and password authentication

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes
On 05/06/15 14:18, Martin Basti wrote:
On 05/06/15 14:16, Oleg Fayans wrote:
Is it supposed to fix this issue?

2015-06-05T12:11:57Z DEBUG File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute
    return_value = self.run()
  File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py, line 44, in run
    import ipaserver.plugins.dogtag # ensure profile backend gets loaded
  File /usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py, line 1273, in module
    raise SkipPluginModule(reason='dogtag not selected as RA plugin')

No

On 06/05/2015 01:53 PM, Fraser Tweedale wrote:
On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
On 05/06/15 11:47, Fraser Tweedale wrote:
Patches 16 and 17 fix regressions in the default profile.
Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser

NACK, sorry

./make-lint
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg), RestClient.__enter__] Argument 'method' passed by position and keyword in function call)
ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable), RestClient.__enter__] Undefined variable 'ca_host')

-- Martin Basti

Whoops. One wayward comma that should have been a period! Here's an updated 0017..0018.

Thanks,
Fraser

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- Martin Basti

ACK 16-1, 17-2, 18-2

-- Martin Basti