IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Uninstall selfsign CA on upgrade

Browse Source 
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
This commit is contained in:
Petr Viktorin
2013-03-26 18:06:50 +01:00
committed by Rob Crittenden
parent fe00788bb4
commit 4e3c1051d0
4 changed files with 43 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
install/tools/ipa-upgradeconfig
View File

@@ -29,6 +29,7 @@ import os
import shutil import shutil
import pwd import pwd
import fileinput import fileinput
import ConfigParser
from ipalib import api from ipalib import api
import ipalib.util import ipalib.util
@@ -757,6 +758,25 @@ def add_ca_dns_records():
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
def uninstall_selfsign(ds, http):
root_logger.info('[Removing self-signed CA]')
"""Replace self-signed CA by a CA-less install"""
if api.env.ra_plugin != 'selfsign':
root_logger.debug('Self-signed CA is not installed')
return
root_logger.warning(
'Removing self-signed CA. Certificates will need to managed manually.')
p = ConfigParser.SafeConfigParser()
p.read('/etc/ipa/default.conf')
p.set('global', 'enable_ra', 'False')
p.set('global', 'ra_plugin', 'none')
with open('/etc/ipa/default.conf', 'w') as f:
p.write(f)
ds.stop_tracking_certificates()
http.stop_tracking_certificates()
def main(): def main():
""" """
Get some basics about the system. If getting those basics fail then Get some basics about the system. If getting those basics fail then
@@ -834,6 +854,10 @@ def main():
http.remove_httpd_ccache() http.remove_httpd_ccache()
http.configure_selinux_for_httpd() http.configure_selinux_for_httpd()
ds = dsinstance.DsInstance()
uninstall_selfsign(ds, http)
memcache = memcacheinstance.MemcacheInstance() memcache = memcacheinstance.MemcacheInstance()
memcache.ldapi = True memcache.ldapi = True
memcache.realm = api.env.realm memcache.realm = api.env.realm
@@ -841,7 +865,6 @@ def main():
if not memcache.is_configured(): if not memcache.is_configured():
# 389-ds needs to be running to create the memcache instance # 389-ds needs to be running to create the memcache instance
# because we record the new service in cn=masters. # because we record the new service in cn=masters.
ds = dsinstance.DsInstance()
ds.start() ds.start()
memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm)) memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
except ipalib.errors.DuplicateEntry: except ipalib.errors.DuplicateEntry:

16
ipaserver/install/dsinstance.py
View File

@@ -709,11 +709,7 @@ class DsInstance(service.Service):
serverid = self.restore_state("serverid") serverid = self.restore_state("serverid")
if not serverid is None: if not serverid is None:
# drop the trailing / off the config_dirname so the directory self.stop_tracking_certificates(serverid)
# will match what is in certmonger
dirname = config_dirname(serverid)[:-1]
dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
dsdb.untrack_server_cert(self.nickname)
erase_ds_instance_data(serverid) erase_ds_instance_data(serverid)
# At one time we removed this user on uninstall. That can potentially # At one time we removed this user on uninstall. That can potentially
@@ -735,6 +731,16 @@ class DsInstance(service.Service):
except Exception, e: except Exception, e:
root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e) root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
def stop_tracking_certificates(self, serverid=None):
if serverid is None:
serverid = self.get_state("serverid")
if not serverid is None:
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = config_dirname(serverid)[:-1]
dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
dsdb.untrack_server_cert(self.nickname)
# we could probably move this function into the service.Service # we could probably move this function into the service.Service
# class - it's very generic - all we need is a way to get an # class - it's very generic - all we need is a way to get an
# instance of a particular Service # instance of a particular Service

7
ipaserver/install/httpinstance.py
View File

@@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
if not running is None: if not running is None:
self.stop() self.stop()
db = certs.CertDB(api.env.realm) self.stop_tracking_certificates()
db.untrack_server_cert(self.cert_nickname)
if not enabled is None and not enabled: if not enabled is None and not enabled:
self.disable() self.disable()
@@ -404,3 +403,7 @@ class HTTPInstance(service.Service):
if not running is None and running: if not running is None and running:
self.start() self.start()
def stop_tracking_certificates(self):
db = certs.CertDB(api.env.realm)
db.untrack_server_cert(self.cert_nickname)

3
ipaserver/install/service.py
View File

@@ -292,6 +292,9 @@ class Service(object):
def restore_state(self, key): def restore_state(self, key):
return self.sstore.restore_state(self.service_name, key) return self.sstore.restore_state(self.service_name, key)
def get_state(self, key):
return self.sstore.get_state(self.service_name, key)
def print_msg(self, message): def print_msg(self, message):
print_msg(message, self.output_fd) print_msg(message, self.output_fd)