Fix HTTPD SSL configuration for Debian.

On Debian the mod_ssl module config (mods-available/ssl.conf) and the SSL site
config (sites-available/default-ssl.conf) are separate files; server setup
needs to target the right one for each directive.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Timo Aaltonen 2018-05-21 13:46:42 +03:00 committed by Christian Heimes
parent ffdb20aeb3
commit 8c0d7bb92f
7 changed files with 28 additions and 13 deletions


@ -51,6 +51,7 @@ class BasePathNamespace(object):
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf" HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf" HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
HTTPD_SSL_SITE_CONF = "/etc/httpd/conf.d/ssl.conf"
HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt" HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
HTTPD_KEY_FILE = "/var/lib/ipa/private/httpd.key" HTTPD_KEY_FILE = "/var/lib/ipa/private/httpd.key"
HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA" HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA"
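Review bot: The new HTTPD_SSL_SITE_CONF constant deliberately aliases HTTPD_SSL_CONF on the base (Fedora/RHEL) layout, and that is not obvious to a reader who only sees this file; a comment would save the next maintainer from "fixing" it into a distinct path. Something like `# Same file as HTTPD_SSL_CONF on RHEL/Fedora; Debian splits module and site config` above the line. Callers that back up, restore or list both constants will hit the same file twice on these platforms, so each of those call sites needs to tolerate a duplicate path.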


@ -240,5 +240,8 @@ class BaseTaskNamespace(object):
except ipautil.CalledProcessError as e: except ipautil.CalledProcessError as e:
logger.debug('Failed to add user to group: %s', e) logger.debug('Failed to add user to group: %s', e)
def setup_httpd_logging(self):
raise NotImplementedError()
tasks = BaseTaskNamespace() tasks = BaseTaskNamespace()
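Review bot: The new abstract hook `setup_httpd_logging` has no docstring, so a platform implementer cannot tell from the base class what it is expected to configure. The RedHat implementation sets the `ErrorLog` and `TransferLog` directives in the mod_ssl config, so the contract should say so: `"""Configure ErrorLog/TransferLog for the httpd SSL config; platform specific."""`. It is also worth stating that implementations may be a no-op where the distribution's default config already provides these directives.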


@ -28,6 +28,8 @@ class DebianPathNamespace(BasePathNamespace):
HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
HTTPD_SSL_CONF = "/etc/apache2/mods-available/ssl.conf"
HTTPD_SSL_SITE_CONF = "/etc/apache2/sites-available/default-ssl.conf"
OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab" OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
NAMED_CONF = "/etc/bind/named.conf" NAMED_CONF = "/etc/bind/named.conf"
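Review bot: HTTPD_SSL_SITE_CONF now points at `sites-available/default-ssl.conf`, but on Debian a site in sites-available is inert until it is enabled (`a2ensite default-ssl`), and mod_ssl itself until `a2enmod ssl`; nothing in this commit shows that step, so if it is not done elsewhere the certificate directives and the `Include` of ipa-rewrite.conf written into this file never take effect and the server would keep serving whatever default-ssl or snakeoil config is active. Please either point at the enabled path or document where the site gets enabled, e.g. `# default-ssl must be enabled (a2ensite) by the installer or packaging` next to the constant. If that is handled by the Debian packaging, a one-line comment saying so is enough.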


@ -18,7 +18,6 @@ class DebianTaskNamespace(RedHatTaskNamespace):
def restore_pre_ipa_client_configuration(fstore, statestore, def restore_pre_ipa_client_configuration(fstore, statestore,
was_sssd_installed, was_sssd_installed,
was_sssd_configured): was_sssd_configured):
ret = True
try: try:
ipautil.run(["pam-auth-update", ipautil.run(["pam-auth-update",
"--package", "--remove", "mkhomedir"]) "--package", "--remove", "mkhomedir"])
@ -66,5 +65,9 @@ class DebianTaskNamespace(RedHatTaskNamespace):
# Debian doesn't require special mod_wsgi configuration # Debian doesn't require special mod_wsgi configuration
pass pass
def setup_httpd_logging(self):
# Debian handles httpd logging differently
pass
tasks = DebianTaskNamespace() tasks = DebianTaskNamespace()
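Review bot: The comment on the no-op `setup_httpd_logging` says only that Debian "handles httpd logging differently", which does not tell a reader why skipping `ErrorLog`/`TransferLog` is safe here. If the reason is that Debian's `default-ssl.conf` already carries its own `ErrorLog`/`CustomLog` directives under `${APACHE_LOG_DIR}`, say that: `# default-ssl.conf already sets ErrorLog/CustomLog under ${APACHE_LOG_DIR}`. Separately, the earlier hunk drops `ret = True` from `restore_pre_ipa_client_configuration`; that function continues outside the hunk, so please confirm no remaining `return ret` references the name.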


@ -47,6 +47,7 @@ from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaplatform.redhat.authconfig import get_auth_tool from ipaplatform.redhat.authconfig import get_auth_tool
from ipaplatform.base.tasks import BaseTaskNamespace from ipaplatform.base.tasks import BaseTaskNamespace
from ipaserver.install import installutils
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -565,5 +566,13 @@ class RedHatTaskNamespace(BaseTaskNamespace):
pass pass
return False return False
def setup_httpd_logging(self):
installutils.set_directive(paths.HTTPD_SSL_CONF,
'ErrorLog',
'logs/error_log', False)
installutils.set_directive(paths.HTTPD_SSL_CONF,
'TransferLog',
'logs/access_log', False)
tasks = RedHatTaskNamespace() tasks = RedHatTaskNamespace()
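Review bot: The module-level `from ipaserver.install import installutils` makes `ipaplatform.redhat.tasks` depend on the server package, yet this module is imported by client-only code paths as well (the other imports here are all ipaplatform/ipapython); on a host with only the client installed this import fails at module load, and it also introduces an ipaplatform → ipaserver layering cycle. Move the import into the method that needs it: `def setup_httpd_logging(self):` followed by `from ipaserver.install import installutils  # server-only; avoid import on clients`. That keeps `ipaplatform` importable wherever it was before this change.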


@ -214,6 +214,7 @@ class HTTPInstance(service.Service):
def backup_ssl_conf(self): def backup_ssl_conf(self):
self.fstore.backup_file(paths.HTTPD_SSL_CONF) self.fstore.backup_file(paths.HTTPD_SSL_CONF)
self.fstore.backup_file(paths.HTTPD_SSL_SITE_CONF)
def disable_nss_conf(self): def disable_nss_conf(self):
""" """
@ -235,12 +236,7 @@ class HTTPInstance(service.Service):
'+TLSv1 +TLSv1.1 +TLSv1.2', False) '+TLSv1 +TLSv1.1 +TLSv1.2', False)
def set_mod_ssl_logdir(self): def set_mod_ssl_logdir(self):
installutils.set_directive(paths.HTTPD_SSL_CONF, tasks.setup_httpd_logging()
'ErrorLog',
'logs/error_log', False)
installutils.set_directive(paths.HTTPD_SSL_CONF,
'TransferLog',
'logs/access_log', False)
def disable_mod_ssl_ocsp(self): def disable_mod_ssl_ocsp(self):
if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None: if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
@ -272,14 +268,14 @@ class HTTPInstance(service.Service):
def __add_include(self): def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up""" """This should run after __set_mod_nss_port so is already backed up"""
if installutils.update_file(paths.HTTPD_SSL_CONF, if installutils.update_file(paths.HTTPD_SSL_SITE_CONF,
'</VirtualHost>', '</VirtualHost>',
'Include {path}\n' 'Include {path}\n'
'</VirtualHost>'.format( '</VirtualHost>'.format(
path=paths.HTTPD_IPA_REWRITE_CONF) path=paths.HTTPD_IPA_REWRITE_CONF)
) != 0: ) != 0:
self.print_msg("Adding Include conf.d/ipa-rewrite to " self.print_msg("Adding Include conf.d/ipa-rewrite to "
"%s failed." % paths.HTTPD_SSL_CONF) "%s failed." % paths.HTTPD_SSL_SITE_CONF)
def configure_certmonger_renewal_guard(self): def configure_certmonger_renewal_guard(self):
certmonger = services.knownservices.certmonger certmonger = services.knownservices.certmonger
@ -404,10 +400,10 @@ class HTTPInstance(service.Service):
def configure_mod_ssl_certs(self): def configure_mod_ssl_certs(self):
"""Configure the mod_ssl certificate directives""" """Configure the mod_ssl certificate directives"""
installutils.set_directive(paths.HTTPD_SSL_CONF, installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
'SSLCertificateFile', 'SSLCertificateFile',
paths.HTTPD_CERT_FILE, False) paths.HTTPD_CERT_FILE, False)
installutils.set_directive(paths.HTTPD_SSL_CONF, installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
'SSLCertificateKeyFile', 'SSLCertificateKeyFile',
paths.HTTPD_KEY_FILE, False) paths.HTTPD_KEY_FILE, False)
installutils.set_directive( installutils.set_directive(
@ -415,7 +411,7 @@ class HTTPInstance(service.Service):
'SSLPassPhraseDialog', 'SSLPassPhraseDialog',
'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER), 'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER),
False) False)
installutils.set_directive(paths.HTTPD_SSL_CONF, installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
'SSLCACertificateFile', 'SSLCACertificateFile',
paths.IPA_CA_CRT, False) paths.IPA_CA_CRT, False)
# set SSLVerifyDepth for external CA installations # set SSLVerifyDepth for external CA installations
@ -512,7 +508,7 @@ class HTTPInstance(service.Service):
'external-helper', helper) 'external-helper', helper)
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
paths.HTTPD_NSS_CONF]: paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]:
try: try:
self.fstore.restore_file(f) self.fstore.restore_file(f)
except ValueError as error: except ValueError as error:
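Review bot: On Fedora/RHEL, HTTPD_SSL_CONF and HTTPD_SSL_SITE_CONF resolve to the same path, so the restore loop now calls `self.fstore.restore_file` twice on `/etc/httpd/conf.d/ssl.conf`, and `backup_ssl_conf` backs it up twice; whether the second restore is a harmless ValueError or silently re-restores a stale copy depends on fstore internals not visible here, so the list should be de-duplicated before iterating, e.g. `for f in dict.fromkeys([paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]):`. The same applies to `backup_ssl_conf`, which should skip the second `backup_file` when the two paths are equal. Minor: the failure message in `__add_include` still hardcodes "conf.d/ipa-rewrite" although the path is `conf-available/` on Debian; format it from `paths.HTTPD_IPA_REWRITE_CONF` instead.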


@ -148,6 +148,7 @@ class Backup(admintool.AdminTool):
paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_PKI_PROXY_CONF,
paths.HTTPD_IPA_REWRITE_CONF, paths.HTTPD_IPA_REWRITE_CONF,
paths.HTTPD_SSL_CONF, paths.HTTPD_SSL_CONF,
paths.HTTPD_SSL_SITE_CONF,
paths.HTTPD_CERT_FILE, paths.HTTPD_CERT_FILE,
paths.HTTPD_KEY_FILE, paths.HTTPD_KEY_FILE,
paths.HTTPD_IPA_CONF, paths.HTTPD_IPA_CONF,
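Review bot: Adding `paths.HTTPD_SSL_SITE_CONF` to this backup list produces a duplicate entry on Fedora/RHEL, where it is the same file as `paths.HTTPD_SSL_CONF` listed just above it; depending on how the list is consumed (a tar invocation would archive the file twice, a file-by-file copy may error on the second pass) that is either wasteful or a failure on restore. De-duplicate the list where it is consumed, or guard the entry: `*([paths.HTTPD_SSL_SITE_CONF] if paths.HTTPD_SSL_SITE_CONF != paths.HTTPD_SSL_CONF else [])`. The enclosing list literal starts outside the hunk, so check for other constants that alias each other in the same way.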