Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.

Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Jan Cholasta 2014-06-13 14:48:12 +02:00 committed by Petr Viktorin
parent 18aa3216e0
commit 1b8a1e5564


@ -97,21 +97,47 @@ def main():
syslog.LOG_ERR,
"Updating trust on certificate %s failed in %s" %
(nickname, db.secdir))
elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
elif nickname == 'caSigningCert cert-pki-ca':
# Update CS.cfg
cfg_path = configured_constants.CS_CFG_PATH
config = installutils.get_directive(
cfg_path, 'subsystem.select', '=')
if config == 'New':
syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
if x509.is_self_signed(cert, x509.DER):
installutils.set_directive(
cfg_path, 'hierarchy.select', 'Root',
quotes=False, separator='=')
installutils.set_directive(
cfg_path, 'subsystem.count', '1',
quotes=False, separator='=')
else:
installutils.set_directive(
cfg_path, 'hierarchy.select', 'Subordinate',
quotes=False, separator='=')
installutils.set_directive(
cfg_path, 'subsystem.count', '0',
quotes=False, separator='=')
else:
syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
# Update CA certificate in LDAP
try:
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
conn.connect(ccache=ccache)
if ca.is_renewal_master():
try:
certstore.update_ca_cert(conn, api.env.basedn, cert)
except errors.EmptyModlist:
pass
conn = ldap2(shared_instance=False,
ldap_uri=api.env.ldap_uri)
conn.connect(ccache=ccache)
conn.disconnect()
except Exception, e:
syslog.syslog(
syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
try:
certstore.update_ca_cert(conn, api.env.basedn, cert)
except errors.EmptyModlist:
pass
conn.disconnect()
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
"Updating CA certificate failed: %s" % e)
finally:
shutil.rmtree(tmpdir)
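Review bot: The new CS.cfg block (`get_directive` and the four `set_directive` calls under `if config == 'New':`) has no error handling, while the LDAP update right below it is wrapped in `try/except Exception` with a syslog message; an IOError or parse error while rewriting CS.cfg therefore propagates out of the `elif` branch, skips the LDAP publication of the renewed CA certificate on the renewal master, and leaves nothing in syslog beyond the `finally: shutil.rmtree(tmpdir)` cleanup. Wrapping the CS.cfg section in the same pattern, ending with `except Exception, e:` / `syslog.syslog(syslog.LOG_ERR, "Updating CS.cfg failed: %s" % e)`, keeps the post-renewal steps independent and consistent with the existing handler. Since `hierarchy.select` and `subsystem.count` are written by two separate `set_directive` calls, a failure between them can leave CS.cfg half-switched (e.g. `Subordinate` with `subsystem.count=1`), so the "Updating CS.cfg" notice would be more useful for later diagnosis if it named the chosen mode, e.g. `"Updating CS.cfg: hierarchy.select=%s" % hierarchy`. The enclosing `main()` and its outer `try` begin outside this hunk.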