ipa-client-install: Do not request host certificate if server is CA-less

https://fedorahosted.org/freeipa/ticket/3536
2025-02-25 18:55:28 -06:00 · 2013-03-28 17:41:05 +01:00 · 2013-03-28 17:41:05 +01:00 · 67c7bd3060
commit 67c7bd3060
parent a4b88cad11
1 changed files with 37 additions and 10 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -693,6 +693,20 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):

    return 0

+
+def disable_ra():
+    """Set the enable_ra option in /etc/ipa/default.conf to False
+
+    Note that api.env will retain the old value (it is readonly).
+    """
+    parser = RawConfigParser()
+    parser.read('/etc/ipa/default.conf')
+    parser.set('global', 'enable_ra', 'False')
+    fp = open('/etc/ipa/default.conf', 'w')
+    parser.write(fp)
+    fp.close()
+
+
 def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files):
    ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
    ldapconf.setOptionAssignment(" ")
@ -894,7 +908,8 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,

    return 0

-def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+                         remote_env):
    started = True
    principal = 'host/%s@%s' % (hostname, cli_realm)

@ -940,14 +955,21 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
            "Automatic certificate management will not be available")

    # Request our host cert
-    if started:
-        client_nss_nickname = client_nss_nickname_format % hostname
-        subject = DN(('CN', hostname), subject_base)
-        try:
-            run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname, "-N", str(subject), "-K", principal])
-        except Exception:
-            root_logger.error(
-                "%s request for host certificate failed", cmonger.service_name)
+    if remote_env['enable_ra']:
+        if started:
+            client_nss_nickname = client_nss_nickname_format % hostname
+            subject = DN(('CN', hostname), subject_base)
+            try:
+                run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb",
+                     "-n", client_nss_nickname, "-N", str(subject),
+                     "-K", principal])
+            except Exception:
+                root_logger.error("%s request for host certificate failed",
+                                  cmonger.service_name)
+    else:
+        root_logger.warning(
+            "A RA is not configured on the server. "
+            "Not requesting host certificate.")

 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
    try:
@ -2217,9 +2239,14 @@ def install(options, env, fstore, statestore):
            'Cannot connect to the server due to generic error: %s', str(e))
        return CLIENT_INSTALL_ERROR

+    remote_env = api.Command['env'](server=True)['result']
+    if not remote_env['enable_ra']:
+        disable_ra()
+
    if not options.on_master:
        client_dns(cli_server[0], hostname, options.dns_updates)
-        configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
+                             options, remote_env)

    update_ssh_keys(cli_server[0], hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp)