Move CRL publish directory to IPA owned directory

Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where the contents of
the directory (CRLs) are first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
This commit is contained in:
Martin Kosek
2012-10-08 15:58:48 +02:00
parent 9bb927eb1c
commit 74ebd0fd75
7 changed files with 146 additions and 24 deletions


@@ -48,7 +48,6 @@ import nss.nss as nss
from ipapython import ipautil
from ipapython import nsslib
from ipapython import services as ipaservices
from ipapython import dogtag
from ipaserver import ipaldap
from ipaserver.install import service
@@ -215,6 +214,23 @@ def get_outputList(data):
return outputdict
def get_crl_files(path=None):
"""
Traverse dogtag's CRL files in default CRL publish directory or in chosen
target directory.
@param path Custom target directory
"""
if path is None:
path = dogtag.configured_constants().CRL_PUBLISH_PATH
files = os.listdir(path)
for f in files:
if f == "MasterCRL.bin":
yield os.path.join(path, f)
elif f.endswith(".der"):
yield os.path.join(path, f)
class CADSInstance(service.Service):
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
@@ -1161,19 +1177,30 @@ class CAInstance(service.Service):
installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
def prepare_crl_publish_dir(self):
"""
Prepare target directory for CRL publishing
Returns a path to the CRL publishing directory
"""
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
os.chmod(publishdir, 0775)
pent = pwd.getpwnam(PKI_USER)
os.chown(publishdir, 0, pent.pw_gid)
ipaservices.restore_context(publishdir)
return publishdir
def __enable_crl_publish(self):
"""
Enable file-based CRL publishing and disable LDAP publishing.
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html
"""
caconfig = self.dogtag_constants.CS_CFG_PATH
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
pent = pwd.getpwnam(PKI_USER)
os.chown(publishdir, pent.pw_uid, pent.pw_gid)
publishdir = self.prepare_crl_publish_dir()
# Enable file publishing, disable LDAP
installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
@@ -1211,8 +1238,6 @@ class CAInstance(service.Service):
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=')
ipaservices.restore_context(publishdir)
def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
@@ -1249,6 +1274,12 @@ class CAInstance(service.Service):
installutils.remove_file("/var/lib/certmonger/cas/ca_renewal")
# remove CRL files
root_logger.info("Remove old CRL files")
for f in get_crl_files():
root_logger.debug("Remove %s", f)
installutils.remove_file(f)
def publish_ca_cert(self, location):
args = ["-L", "-n", self.canickname, "-a"]
(cert, err, returncode) = self.__run_certutil(args)
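Review bot: prepare_crl_publish_dir in the @@ -1161 hunk no longer creates the publish directory (the os.mkdir was dropped from __enable_crl_publish, whose body continues past the hunk) yet calls os.chmod on it unconditionally, so a host where /var/lib/ipa/pki-ca/publish is absent fails with a bare OSError; the commit message relies on the RPM to create it, but that part of the change is not visible in this file. A guard such as `if not os.path.isdir(publishdir):` / `    os.mkdir(publishdir)` before the chmod keeps the install path robust. The same assumption sits in get_crl_files (@@ -215 hunk): os.listdir raises when the directory is missing, and the uninstall loop added in the @@ -1249 hunk would then abort, so `if not os.path.isdir(path): return` before the listdir keeps cleanup best-effort. The new mode 0775 with root as owner and PKI_USER's primary group as group deliberately makes the directory group-writable so the CA can publish into a root-owned location; a one-line comment such as `# root-owned, group PKI_USER: dogtag must be able to write CRLs here` would record that intent.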