Use certmonger D-Bus API to configure certmonger in CA install.
Before, certmonger was configured by modifying its internal database directly. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This commit is contained in:
parent
def727ce56
commit
57f0be7b5d
@ -136,6 +136,7 @@ Requires: python-pyasn1
|
||||
Requires: python-qrcode
|
||||
Requires: memcached
|
||||
Requires: python-memcached
|
||||
Requires: dbus-python
|
||||
Requires: systemd-units >= 38
|
||||
Requires(pre): systemd-units
|
||||
Requires(post): systemd-units
|
||||
@ -720,7 +721,6 @@ fi
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||||
%{_usr}/share/ipa/ca_renewal
|
||||
%{_usr}/share/ipa/ipa.conf
|
||||
%{_usr}/share/ipa/ipa-rewrite.conf
|
||||
%{_usr}/share/ipa/ipa-pki-proxy.conf
|
||||
|
@ -2,7 +2,6 @@ NULL =
|
||||
|
||||
appdir = $(IPA_DATA_DIR)
|
||||
app_DATA = \
|
||||
ca_renewal \
|
||||
ipa.conf \
|
||||
ipa-pki-proxy.conf \
|
||||
ipa-rewrite.conf \
|
||||
|
@ -1,6 +0,0 @@
|
||||
# A separate helper for fetching dogtag certificates that are renewed on
|
||||
# another system.
|
||||
id=dogtag-ipa-retrieve-agent-submit
|
||||
ca_is_default=0
|
||||
ca_type=EXTERNAL
|
||||
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
|
@ -36,6 +36,7 @@ import xml.dom.minidom
|
||||
import stat
|
||||
import syslog
|
||||
import ConfigParser
|
||||
import dbus
|
||||
|
||||
from ipapython import dogtag
|
||||
from ipapython.certdb import get_ca_nickname
|
||||
@ -1347,7 +1348,19 @@ class CAInstance(service.Service):
|
||||
# cause files to have a new owner.
|
||||
user_exists = self.restore_state("user_exists")
|
||||
|
||||
installutils.remove_file("/var/lib/certmonger/cas/ca_renewal")
|
||||
ipaservices.knownservices.messagebus.start()
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
cmonger.start()
|
||||
|
||||
bus = dbus.SystemBus()
|
||||
obj = bus.get_object('org.fedorahosted.certmonger',
|
||||
'/org/fedorahosted/certmonger')
|
||||
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
||||
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
|
||||
if path:
|
||||
iface.remove_known_ca(path)
|
||||
|
||||
cmonger.stop()
|
||||
|
||||
# remove CRL files
|
||||
root_logger.info("Remove old CRL files")
|
||||
@ -1438,24 +1451,21 @@ class CAInstance(service.Service):
|
||||
Create a new CA type for certmonger that will retrieve updated
|
||||
certificates from the dogtag master server.
|
||||
"""
|
||||
target_fname = '/var/lib/certmonger/cas/ca_renewal'
|
||||
if ipautil.file_exists(target_fname):
|
||||
# This CA can be configured either during initial CA installation
|
||||
# if the replica is created with --setup-ca or when Apache is
|
||||
# being configured if not.
|
||||
return
|
||||
txt = ipautil.template_file(ipautil.SHARE_DIR + "ca_renewal", dict())
|
||||
fd = open(target_fname, "w")
|
||||
fd.write(txt)
|
||||
fd.close()
|
||||
os.chmod(target_fname, 0600)
|
||||
ipaservices.restore_context(target_fname)
|
||||
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
cmonger.enable()
|
||||
ipaservices.knownservices.messagebus.start()
|
||||
cmonger.restart()
|
||||
|
||||
bus = dbus.SystemBus()
|
||||
obj = bus.get_object('org.fedorahosted.certmonger',
|
||||
'/org/fedorahosted/certmonger')
|
||||
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
||||
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
|
||||
if not path:
|
||||
iface.add_known_ca(
|
||||
'dogtag-ipa-retrieve-agent-submit',
|
||||
'/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', [])
|
||||
|
||||
def configure_clone_renewal(self):
|
||||
"""
|
||||
The actual renewal is done on the master. On the clone side we
|
||||
|
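Review bot: The D-Bus calls from `bus = dbus.SystemBus()` through `iface.add_known_ca(...)` have no handling for `dbus.DBusException`; if certmonger has not yet claimed its bus name right after `cmonger.restart()`, or the call itself fails, the exception propagates out of the installer, and the same unguarded `find_ca_by_nickname`/`remove_known_ca` pair in the uninstall hunk above would abort the remaining uninstall steps such as the CRL cleanup that follows it. The bus/object/interface construction, the `'dogtag-ipa-retrieve-agent-submit'` nickname and the helper path are duplicated verbatim between the two hunks; a small helper returning the `dbus.Interface` plus module-level constants for the nickname and helper path would keep the two sites in step. The removed lines set the CA definition to mode 0600 and restored its SELinux context, so a one-line comment above `iface.add_known_ca(` such as `# certmonger owns /var/lib/certmonger/cas now; the D-Bus API replaces the hand-written file` would stop the hunk reading as a dropped hardening step. Whether `find_ca_by_nickname` reports a miss with an empty path (which `if not path:` relies on) is not visible here and is worth confirming against certmonger. The method whose docstring opens this hunk starts before it, and `configure_clone_renewal` runs past its end; the guard below is for the uninstall hunk.
```python
# … unchanged: cmonger.start() and D-Bus interface setup …
try:
    path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
    if path:
        iface.remove_known_ca(path)
except dbus.DBusException as e:
    # best-effort during uninstall: log and carry on with the remaining cleanup
    root_logger.error("Failed to remove certmonger CA via D-Bus: %s", e)
cmonger.stop()
```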