Uninstall selfsign CA on upgrade

This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
2025-02-25 18:55:28 -06:00 · 2013-03-26 18:06:50 +01:00 · 2013-03-26 18:06:50 +01:00 · 4e3c1051d0
commit 4e3c1051d0
parent fe00788bb4
4 changed files with 43 additions and 8 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -29,6 +29,7 @@ import os
 import shutil
 import pwd
 import fileinput
+import ConfigParser

 from ipalib import api
 import ipalib.util
@ -757,6 +758,25 @@ def add_ca_dns_records():

    sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)

+def uninstall_selfsign(ds, http):
+    root_logger.info('[Removing self-signed CA]')
+    """Replace self-signed CA by a CA-less install"""
+    if api.env.ra_plugin != 'selfsign':
+        root_logger.debug('Self-signed CA is not installed')
+        return
+
+    root_logger.warning(
+        'Removing self-signed CA. Certificates will need to managed manually.')
+    p = ConfigParser.SafeConfigParser()
+    p.read('/etc/ipa/default.conf')
+    p.set('global', 'enable_ra', 'False')
+    p.set('global', 'ra_plugin', 'none')
+    with open('/etc/ipa/default.conf', 'w') as f:
+        p.write(f)
+
+    ds.stop_tracking_certificates()
+    http.stop_tracking_certificates()
+
 def main():
    """
    Get some basics about the system. If getting those basics fail then
@ -834,6 +854,10 @@ def main():
    http.remove_httpd_ccache()
    http.configure_selinux_for_httpd()

+    ds = dsinstance.DsInstance()
+
+    uninstall_selfsign(ds, http)
+
    memcache = memcacheinstance.MemcacheInstance()
    memcache.ldapi = True
    memcache.realm = api.env.realm
@ -841,7 +865,6 @@ def main():
        if not memcache.is_configured():
            # 389-ds needs to be running to create the memcache instance
            # because we record the new service in cn=masters.
-            ds = dsinstance.DsInstance()
            ds.start()
            memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
    except ipalib.errors.DuplicateEntry:
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -709,11 +709,7 @@ class DsInstance(service.Service):

        serverid = self.restore_state("serverid")
        if not serverid is None:
-            # drop the trailing / off the config_dirname so the directory
-            # will match what is in certmonger
-            dirname = config_dirname(serverid)[:-1]
-            dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
-            dsdb.untrack_server_cert(self.nickname)
+            self.stop_tracking_certificates(serverid)
            erase_ds_instance_data(serverid)

        # At one time we removed this user on uninstall. That can potentially
@ -735,6 +731,16 @@ class DsInstance(service.Service):
            except Exception, e:
                root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)

+    def stop_tracking_certificates(self, serverid=None):
+        if serverid is None:
+            serverid = self.get_state("serverid")
+        if not serverid is None:
+            # drop the trailing / off the config_dirname so the directory
+            # will match what is in certmonger
+            dirname = config_dirname(serverid)[:-1]
+            dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
+            dsdb.untrack_server_cert(self.nickname)
+
    # we could probably move this function into the service.Service
    # class - it's very generic - all we need is a way to get an
    # instance of a particular Service
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
        if not running is None:
            self.stop()

-        db = certs.CertDB(api.env.realm)
-        db.untrack_server_cert(self.cert_nickname)
+        self.stop_tracking_certificates()
        if not enabled is None and not enabled:
            self.disable()

@ -404,3 +403,7 @@ class HTTPInstance(service.Service):

        if not running is None and running:
            self.start()
+
+    def stop_tracking_certificates(self):
+        db = certs.CertDB(api.env.realm)
+        db.untrack_server_cert(self.cert_nickname)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -292,6 +292,9 @@ class Service(object):
    def restore_state(self, key):
        return self.sstore.restore_state(self.service_name, key)

+    def get_state(self, key):
+        return self.sstore.get_state(self.service_name, key)
+
    def print_msg(self, message):
        print_msg(message, self.output_fd)