IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-27 09:21:59 -06:00
Code Issues Packages Projects Releases Wiki Activity
125bd09faf
freeipa/ipaserver/install/httpinstance.py

273 lines
11 KiB
Python
Raw Normal View History

First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
Set the license uniformly to GPLv2 only.
2008-02-04 14:15:52 -06:00
# published by the Free Software Foundation; version 2 only
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
More ipautil fixing Recently, dsinstance and krbinstance was fixed to not import * from ipautil; do the same for the rest of ipaserver. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
import os
import os.path
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
import tempfile
import logging
import pwd
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
import shutil
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
import service
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
import certs
import dsinstance
User provided certs.
0000-12-31 18:09:24 -05:50
import installutils
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython import ipautil
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
from ipalib import util
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
Import correct httpinstance.py
0000-12-31 18:09:24 -05:50
NSS_DIR = HTTPD_DIR + "/alias"
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
The web interface may not function correctly until this boolean is
successfully change with the command:
/usr/sbin/setsebool -P httpd_can_network_connect true
Try updating the policycoreutils and selinux-policy packages.
"""
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
class WebGuiInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_webgui")
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
class HTTPInstance(service.Service):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
def __init__(self, fstore = None):
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
service.Service.__init__(self, "httpd")
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
def create_instance(self, realm, fqdn, domain_name, dm_password=None, autoconfig=True, pkcs12_info=None, self_signed_ca=False, subject_base=None):
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
self.fqdn = fqdn
self.realm = realm
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
self.domain = domain_name
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.dm_password = dm_password
self.suffix = util.realm_to_suffix(self.realm)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
self.pkcs12_info = pkcs12_info
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.self_signed_ca = self_signed_ca
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
self.dercert = None
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
self.subject_base = subject_base
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.step("Setting mod_nss password file", self.__set_mod_nss_passwordfile)
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
self.step("Adding URL rewriting rules", self.__add_include)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("configuring httpd", self.__configure_http)
self.step("Setting up ssl", self.__setup_ssl)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
if autoconfig:
self.step("Setting up browser autoconfig", self.__setup_autoconfig)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.step("publish CA cert", self.__publish_ca_cert)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.step("creating a keytab for httpd", self.__create_http_keytab)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("configuring SELinux for httpd", self.__selinux_config)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.start_creation("Configuring the web interface")
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
def __start(self):
self.backup_state("running", self.is_running())
self.restart()
def __enable(self):
self.backup_state("enabled", self.is_running())
self.chkconfig_on()
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
def __selinux_config(self):
selinux=0
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
try:
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
if (os.path.exists('/usr/sbin/selinuxenabled')):
More ipautil fixing Recently, dsinstance and krbinstance was fixed to not import * from ipautil; do the same for the rest of ipaserver. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
ipautil.run(["/usr/sbin/selinuxenabled"])
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
selinux=1
Compatibility changes to work on RHEL 5 with python 2.4
2007-11-30 14:53:02 -06:00
except ipautil.CalledProcessError:
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
# selinuxenabled returns 1 if not enabled
pass
if selinux:
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
try:
# returns e.g. "httpd_can_network_connect --> off"
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool",
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
"httpd_can_network_connect"])
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.backup_state("httpd_can_network_connect", stdout.split()[2])
except:
pass
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
# Allow apache to connect to the turbogears web gui
# This can still fail even if selinux is enabled
try:
More ipautil fixing Recently, dsinstance and krbinstance was fixed to not import * from ipautil; do the same for the rest of ipaserver. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
except:
self.print_msg(selinux_warning)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
def __create_http_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
http_principal = "HTTP/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(http_principal)
installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.move_service(http_principal)
self.add_cert_to_service()
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
def __configure_http(self):
More ipautil fixing Recently, dsinstance and krbinstance was fixed to not import * from ipautil; do the same for the rest of ipaserver. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
http_fd.write(http_txt)
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
http_fd.close()
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
http_fd.write(http_txt)
http_fd.close()
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
def __disable_mod_ssl(self):
if os.path.exists(SSL_CONF):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(SSL_CONF)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
os.unlink(SSL_CONF)
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
def __set_mod_nss_port(self):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(NSS_CONF)
User provided certs.
0000-12-31 18:09:24 -05:50
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
print "Updating port in %s failed." % NSS_CONF
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def __setup_ssl(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if self.self_signed_ca:
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
else:
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
if self.pkcs12_info:
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
server_certs = db.find_server_certs()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if len(server_certs) == 0:
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
db.create_password_conf()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
# We only handle one server cert
nickname = server_certs[0][0]
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.dercert = db.get_cert_from_db(nickname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
self.__set_mod_nss_nickname(nickname)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
else:
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if self.self_signed_ca:
db.create_from_cacert(ca_db.cacert_fname)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
db.create_password_conf()
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
else:
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
db.create_password_conf()
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
Fix ownership of the Apache NSS cert and key databases. The group "apache" needs to have read access to them so they will work in Fedora 9+.
2008-04-28 14:28:13 -05:00
# Fix the database permissions
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
os.chmod(NSS_DIR + "/cert8.db", 0660)
os.chmod(NSS_DIR + "/key3.db", 0660)
os.chmod(NSS_DIR + "/secmod.db", 0660)
os.chmod(NSS_DIR + "/pwdfile.txt", 0660)
Fix ownership of the Apache NSS cert and key databases. The group "apache" needs to have read access to them so they will work in Fedora 9+.
2008-04-28 14:28:13 -05:00
pent = pwd.getpwnam("apache")
os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
os.chown(NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
# Fix SELinux permissions on the database
ipautil.run(["/sbin/restorecon", NSS_DIR + "/cert8.db"])
ipautil.run(["/sbin/restorecon", NSS_DIR + "/key3.db"])
# In case this got generated as part of the install, reset the
# context
if ipautil.file_exists(certs.CA_SERIALNO):
ipautil.run(["/sbin/restorecon", certs.CA_SERIALNO])
os.chown(certs.CA_SERIALNO, 0, pent.pw_gid)
os.chmod(certs.CA_SERIALNO, 0664)
Fix ownership of the Apache NSS cert and key databases. The group "apache" needs to have read access to them so they will work in Fedora 9+.
2008-04-28 14:28:13 -05:00
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def __setup_autoconfig(self):
More ipautil fixing Recently, dsinstance and krbinstance was fixed to not import * from ipautil; do the same for the rest of ipaserver. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
prefs_fd.write(prefs_txt)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
prefs_fd.close()
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
# The signing cert is generated in __setup_ssl
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
pwdfile.close()
Use tempfile.mkdtemp() rather than hardcoded tmpdir httpinstance.py currently uses a hardcoded /tmp/ipa temporary directory. Make it use tempfile.mkdtemp() instead. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
db.run_signtool(["-k", "Signing-Cert",
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
"-Z", "/usr/share/ipa/html/configure.jar",
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-e", ".html", "-p", pwd,
Use tempfile.mkdtemp() rather than hardcoded tmpdir httpinstance.py currently uses a hardcoded /tmp/ipa temporary directory. Make it use tempfile.mkdtemp() instead. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
tmpdir])
shutil.rmtree(tmpdir)
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def __publish_ca_cert(self):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
ca_db = certs.CertDB(NSS_DIR)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
def uninstall(self):
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
if self.is_configured():
self.print_msg("Unconfiguring web server")
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
running = self.restore_state("running")
enabled = self.restore_state("enabled")
if not running is None:
self.stop()
if not enabled is None and not enabled:
self.chkconfig_off()
for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]:
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
try:
self.fstore.restore_file(f)
except ValueError, error:
logging.debug(error)
pass
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
sebool_state = self.restore_state("httpd_can_network_connect")
if not sebool_state is None:
try:
ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state])
except:
self.print_msg(selinux_warning)
if not running is None and running:
self.start()
Reference in New Issue Copy Permalink