Set default OCSP URI on install and upgrade

Dogtag has been updated to support a default OCSP URI when the profile includes AuthInfoAccess with URI method but does not specify the URI (instead of constructing one based on Dogtag's hostname and port). Add the pkispawn config to ensure that the OCSP URI is set before issuing CA and system certificates, and add the config to existing CA instances on upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/5956 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-27 15:49:30 +10:00
parent 5693d19550
commit 45daffa22f
3 changed files with 30 additions and 3 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -460,6 +460,10 @@ class CAInstance(DogtagInstance):
        config.set("CA", "pki_backup_keys", "True")
        config.set("CA", "pki_backup_password", self.admin_password)
        config.set("CA", "pki_profiles_in_ldap", "True")
+        config.set("CA", "pki_default_ocsp_uri",
+            "http://{}.{}/ca/ocsp".format(
+                ipalib.constants.IPA_CA_RECORD,
+                ipautil.format_netloc(api.env.domain)))

        # Client security database
        config.set("CA", "pki_client_database_dir", self.agent_db)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -356,6 +356,28 @@ def ca_ensure_lightweight_cas_container(ca):
    return cainstance.ensure_lightweight_cas_container()


+def ca_add_default_ocsp_uri(ca):
+    root_logger.info('[Adding default OCSP URI configuration]')
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    value = installutils.get_directive(
+        paths.CA_CS_CFG_PATH,
+        'ca.defaultOcspUri',
+        separator='=')
+    if value:
+        return False  # already set; restart not needed
+
+    installutils.set_directive(
+        paths.CA_CS_CFG_PATH,
+        'ca.defaultOcspUri',
+        'http://ipa-ca.%s/ca/ocsp' % ipautil.format_netloc(api.env.domain),
+        quotes=False,
+        separator='=')
+    return True  # restart needed
+
+
 def upgrade_ca_audit_cert_validity(ca):
    """
    Update the Dogtag audit signing certificate.
@@ -1725,6 +1747,7 @@ def upgrade_configuration():
        ca_enable_pkix(ca),
        ca_configure_profiles_acl(ca),
        ca_configure_lightweight_ca_acls(ca),
+        ca_add_default_ocsp_uri(ca),
    ])

    if ca_restart: