acme: configure engine.conf and disable by default

When deploying ACME set up configsources.conf to retrieve engine configuration from engine.conf. In the initial configuration, the ACME service is disabled (i.e. it will refuse to service requests). A subsequent commit will add command(s) for flipping the ACME service on or off (on a per-server basis). Later we will move to LDAP configuration so that management of the ACME service is deployment-wide. The default configuration also disables issuance of wildcard certificates. Part of: https://pagure.io/freeipa/issue/4751 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-05-28 14:45:44 +10:00 · 2020-05-28 14:45:44 +10:00 · 00a84464ea
commit 00a84464ea
parent d15000bed6
5 changed files with 11 additions and 0 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -101,7 +101,9 @@ dist_app_DATA =				\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
+	pki-acme-configsources.conf.template	\
 	pki-acme-database.conf.template	\
+	pki-acme-engine.conf.template	\
 	pki-acme-issuer.conf.template	\
 	$(NULL)

--- a/install/share/pki-acme-configsources.conf.template
+++ b/install/share/pki-acme-configsources.conf.template
@ -0,0 +1,2 @@
+engine.class=org.dogtagpki.acme.server.ACMEEngineConfigFileSource
+engine.filename=/etc/pki/pki-tomcat/acme/engine.conf
--- a/install/share/pki-acme-engine.conf.template
+++ b/install/share/pki-acme-engine.conf.template
@ -0,0 +1,2 @@
+enabled=false
+wildcard=false
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -118,7 +118,9 @@ class BasePathNamespace:
    PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
    PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
    PKI_TOMCAT_SERVER_XML = "/etc/pki/pki-tomcat/server.xml"
+    PKI_ACME_CONFIGSOURCES_CONF = "/etc/pki/pki-tomcat/acme/configsources.conf"
    PKI_ACME_DATABASE_CONF = "/etc/pki/pki-tomcat/acme/database.conf"
+    PKI_ACME_ENGINE_CONF = "/etc/pki/pki-tomcat/acme/engine.conf"
    PKI_ACME_ISSUER_CONF = "/etc/pki/pki-tomcat/acme/issuer.conf"
    ETC_REDHAT_RELEASE = "/etc/redhat-release"
    RESOLV_CONF = "/etc/resolv.conf"
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -1559,7 +1559,10 @@ class CAInstance(DogtagInstance):

        # write configuration files
        files = [
+            ('pki-acme-configsources.conf.template',
+                paths.PKI_ACME_CONFIGSOURCES_CONF),
            ('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
+            ('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
            ('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
        ]
        sub_dict = dict(