Use certmonger D-Bus API to configure certmonger in CA install.

Previously, certmonger was configured by modifying its internal database directly.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Jan Cholasta 2013-10-15 20:49:07 +02:00 committed by Petr Viktorin
parent def727ce56
commit 57f0be7b5d
4 changed files with 25 additions and 22 deletions


@ -136,6 +136,7 @@ Requires: python-pyasn1
Requires: python-qrcode
Requires: memcached
Requires: python-memcached
Requires: dbus-python
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
@ -720,7 +721,6 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%{_usr}/share/ipa/ca_renewal
%{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf


@ -2,7 +2,6 @@ NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
ca_renewal \
ipa.conf \
ipa-pki-proxy.conf \
ipa-rewrite.conf \


@ -1,6 +0,0 @@
# A separate helper for fetching dogtag certificates that are renewed on
# another system.
id=dogtag-ipa-retrieve-agent-submit
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit


@ -36,6 +36,7 @@ import xml.dom.minidom
import stat
import syslog
import ConfigParser
import dbus
from ipapython import dogtag
from ipapython.certdb import get_ca_nickname
@ -1347,7 +1348,19 @@ class CAInstance(service.Service):
# cause files to have a new owner.
user_exists = self.restore_state("user_exists")
installutils.remove_file("/var/lib/certmonger/cas/ca_renewal")
ipaservices.knownservices.messagebus.start()
cmonger = ipaservices.knownservices.certmonger
cmonger.start()
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
if path:
iface.remove_known_ca(path)
cmonger.stop()
# remove CRL files
root_logger.info("Remove old CRL files")
@ -1438,24 +1451,21 @@ class CAInstance(service.Service):
Create a new CA type for certmonger that will retrieve updated
certificates from the dogtag master server.
"""
target_fname = '/var/lib/certmonger/cas/ca_renewal'
if ipautil.file_exists(target_fname):
# This CA can be configured either during initial CA installation
# if the replica is created with --setup-ca or when Apache is
# being configured if not.
return
txt = ipautil.template_file(ipautil.SHARE_DIR + "ca_renewal", dict())
fd = open(target_fname, "w")
fd.write(txt)
fd.close()
os.chmod(target_fname, 0600)
ipaservices.restore_context(target_fname)
cmonger = ipaservices.knownservices.certmonger
cmonger.enable()
ipaservices.knownservices.messagebus.start()
cmonger.restart()
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
if not path:
iface.add_known_ca(
'dogtag-ipa-retrieve-agent-submit',
'/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', [])
def configure_clone_renewal(self):
"""
The actual renewal is done on the master. On the clone side we