IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Configure the initial CA as the CRL generator.

Browse Source 
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.

https://fedorahosted.org/freeipa/ticket/3051
This commit is contained in:
Rob Crittenden
2012-10-09 10:40:20 -04:00
parent 1dd103bc8c
commit 392097f206
3 changed files with 30 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
install/conf/ipa-pki-proxy.conf
View File

@@ -3,7 +3,7 @@
ProxyRequests Off ProxyRequests Off
# matches for ee port # matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none NSSVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -25,3 +25,6 @@ ProxyRequests Off
ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch> </LocationMatch>
# Only enable this on servers that are not generating a CRL
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

9
install/tools/ipa-upgradeconfig
View File

@@ -603,13 +603,20 @@ def main():
AUTOREDIR='' if auto_redirect else '#', AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
DOGTAG_PORT=configured_constants.AJP_PORT, DOGTAG_PORT=configured_constants.AJP_PORT,
CLONE='#'
) )
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
# migrate CRL publish dir before the location in ipa.conf is updated # migrate CRL publish dir before the location in ipa.conf is updated
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca_restart = migrate_crl_publish_dir(ca) ca_restart = migrate_crl_publish_dir(ca)
if ca.is_configured():
crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
'ca.crl.MasterCRL.enableCRLUpdates',
'=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)

19
ipaserver/install/cainstance.py
View File

@@ -1239,6 +1239,19 @@ class CAInstance(service.Service):
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=') quotes=False, separator='=')
# If we are the initial master then we are the CRL generator, otherwise
# we point to that master for CRLs.
if not self.clone:
# These next two are defaults, but I want to be explicit that the
# initial master is the CRL generator.
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
else:
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
def __set_subject_in_config(self): def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject # dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject # format. We need to update that template with our base subject
@@ -1291,7 +1304,11 @@ class CAInstance(service.Service):
def __http_proxy(self): def __http_proxy(self):
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf" template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT) sub_dict = dict(
DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
CLONE='' if self.clone else '#',
FQDN=self.fqdn,
)
template = ipautil.template_file(template_filename, sub_dict) template = ipautil.template_file(template_filename, sub_dict)
with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd: with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
fd.write(template) fd.write(template)