Re-arrange CA configuration code to reduce the number of restarts.

Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.

https://fedorahosted.org/freeipa/ticket/1555

install/tools/ipa-ca-install

@@ -144,9 +144,6 @@ def main():
     cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
     cs.add_cert_to_service()
 
-    service.print_msg("Setting the certificate subject base")
-    CA.set_subject_in_config(util.realm_to_suffix(config.realm_name))
-
 try:
     if not os.geteuid()==0:
         sys.exit("\nYou must be root to run this script.\n")

install/tools/ipa-replica-install

@@ -433,9 +433,6 @@ def main():
         CA.import_ra_cert(dir + "/ra.p12")
         CA.fix_ra_perms()
         service.restart("httpd")
-        if config.setup_ca:
-            service.print_msg("Setting the certificate subject base")
-            CA.set_subject_in_config(util.realm_to_suffix(config.realm_name))
 
     # The DS instance is created before the keytab, add the SSL cert we
     # generated

install/tools/ipa-server-install

@@ -900,9 +900,6 @@ def main():
     ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
 
     set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
-    if not options.selfsign:
-        service.print_msg("Setting the certificate subject base")
-        ca.set_subject_in_config(util.realm_to_suffix(realm_name))
 
     # Apply any LDAP updates. Needs to be done after the configuration file
     # is created

ipaserver/install/cainstance.py

@@ -517,8 +517,8 @@ class CAInstance(service.Service):
         self.step("creating certificate server user", self.__create_ca_user)
         if not ipautil.dir_exists("/var/lib/pki-ca"):
             self.step("creating pki-ca instance", self.create_instance)
-        self.step("restarting certificate server", self.__restart_instance)
         self.step("configuring certificate server instance", self.__configure_instance)
+        self.step("disabling nonces", self.__disable_nonce)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
@@ -527,20 +527,18 @@ class CAInstance(service.Service):
             if self.create_ra_agent_db:
                 self.step("creating RA agent certificate database", self.__create_ra_agent_db)
             self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
+            self.step("fixing RA database permissions", self.fix_ra_perms)
+            self.step("setting up signing cert profile", self.__setup_sign_profile)
+            self.step("set up CRL publishing", self.__enable_crl_publish)
+            self.step("set certificate subject base", self.__set_subject_in_config)
+            self.step("configuring certificate server to start on boot", self.__enable)
             if not self.clone:
                 self.step("restarting certificate server", self.__restart_instance)
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__configure_ra)
-            self.step("fixing RA database permissions", self.fix_ra_perms)
-            self.step("setting up signing cert profile", self.__setup_sign_profile)
-            self.step("set up CRL publishing", self.__enable_crl_publish)
-            self.step("configuring certificate server to start on boot", self.__enable)
-            if not self.clone:
-                # A clone will be restarted in ipa-replica-install
-                self.step("restarting certificate server", self.__restart_instance)
 
-        self.start_creation("Configuring certificate server", 360)
+        self.start_creation("Configuring certificate server", 210)
 
     def create_instance(self):
         """
@@ -686,34 +684,11 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
 
-        # Turn off Nonces (again)
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
-            raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
         # pkisilent makes a copy of the CA PKCS#12 file for us but gives
         # it a lousy name.
         if ipautil.file_exists("/root/tmp-ca.p12"):
             shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
 
-        try:
-            # After configuration the service is running and configured
-            # but must be restarted for configuration to take effect.
-            # The service status in this case will be 4.
-            self.__restart_instance()
-        except ipautil.CalledProcessError, e:
-            logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
-            raise RuntimeError('Restarting CA after pkisilent configuration failed')
-
-        # If the configuration was successful status should now be 0.
-        # We don't call is_running() because we want the exit status for debugging.
-        try:
-            ipautil.run(["/sbin/service", self.service_name, "status", PKI_INSTANCE_NAME])
-        except ipautil.CalledProcessError, e:
-            logging.critical("ca instance configuration not successful after restart %s" % e)
-            raise RuntimeError('CA configuration not successful after restart')
-
         logging.debug("completed creating ca instance")
 
     def __restart_instance(self):
@@ -724,6 +699,13 @@ class CAInstance(service.Service):
             # TODO: roll back here?
             logging.critical("Failed to restart the certificate server. See the installation log for details.")
 
+    def __disable_nonce(self):
+        # Turn off Nonces
+        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+            raise RuntimeError("Disabling nonces failed")
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
     def __issue_ra_cert(self):
         # The CA certificate is in the agent DB but isn't trusted
         (admin_fd, admin_name) = tempfile.mkstemp()
@@ -1060,13 +1042,11 @@ class CAInstance(service.Service):
 
         ipautil.run(["/sbin/restorecon", publishdir])
 
-    def set_subject_in_config(self, suffix):
+    def __set_subject_in_config(self):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject
         if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
             print "Updating subject_base in CA template failed"
-        self.print_msg("restarting certificate server")
-        self.__restart_instance()
 
     def uninstall(self):
         if self.is_configured():

ipaserver/install/service.py

@@ -258,7 +258,10 @@ class Service(object):
             if est.tm_min > 0:
                 if est.tm_min > 1:
                     plural = 's'
-                self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
+                if est.tm_sec > 0:
+                    self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec))
+                else:
+                    self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
             else:
                 if est.tm_sec > 1:
                     plural = 's'