Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs to match that. Fixes: https://pagure.io/freeipa/issue/7554 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
ffdb20aeb3
commit
8c0d7bb92f
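--- a/PATH_NOT_SHOWN-BasePathNamespace
+++ b/PATH_NOT_SHOWN-BasePathNamespace
@@ -51,6 +51,7 @@ class BasePathNamespace(object):
 HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
 HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
 HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+HTTPD_SSL_SITE_CONF = "/etc/httpd/conf.d/ssl.conf"
 HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
 HTTPD_KEY_FILE = "/var/lib/ipa/private/httpd.key"
 HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA"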
@ -240,5 +240,8 @@ class BaseTaskNamespace(object):
except ipautil.CalledProcessError as e:
except ipautil.CalledProcessError as e:
logger.debug('Failed to add user to group: %s', e)
logger.debug('Failed to add user to group: %s', e)
def setup_httpd_logging(self):
raise NotImplementedError()
tasks = BaseTaskNamespace()
tasks = BaseTaskNamespace()
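Review bot: The new setup_httpd_logging on BaseTaskNamespace has no docstring, so a platform author must read the RedHat override (hunk @ -565) to learn what the hook is expected to do. I would add `"""Set the ErrorLog/TransferLog directives for httpd's TLS configuration; platform namespaces must override."""` above the `raise NotImplementedError()`. The RedHat body writes those directives into paths.HTTPD_SSL_CONF, and the Debian override at @ -66 only says logging is handled "differently", so the docstring is the one place that can state the contract; the class body continues outside the hunk.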
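--- a/PATH_NOT_SHOWN-DebianPathNamespace
+++ b/PATH_NOT_SHOWN-DebianPathNamespace
@@ -28,6 +28,8 @@ class DebianPathNamespace(BasePathNamespace):
 HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
 HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
 HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+HTTPD_SSL_CONF = "/etc/apache2/mods-available/ssl.conf"
+HTTPD_SSL_SITE_CONF = "/etc/apache2/sites-available/default-ssl.conf"
 OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
 HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
 NAMED_CONF = "/etc/bind/named.conf"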
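Review bot: The two new Debian constants split what is a single file in BasePathNamespace (hunk @ -51), but nothing on the lines says which one is the mod_ssl module configuration and which is the VirtualHost that the server code rewrites. A trailing comment on each, `# mod_ssl module settings` and `# TLS VirtualHost: receives the certificate and Include directives`, would save the next reader a trip through httpinstance, where hunks @ -272, @ -404 and @ -415 write only to HTTPD_SSL_SITE_CONF. The site file lives under sites-available, so the directives take effect only once that site is enabled; whether installation enables it is outside this diff, and a note recording that assumption here would be worth having.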
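--- a/PATH_NOT_SHOWN-DebianTaskNamespace
+++ b/PATH_NOT_SHOWN-DebianTaskNamespace
@@ -18,7 +18,6 @@ class DebianTaskNamespace(RedHatTaskNamespace):
 def restore_pre_ipa_client_configuration(fstore, statestore,
 was_sssd_installed,
 was_sssd_configured):
-ret = True
 try:
 ipautil.run(["pam-auth-update",
 "--package", "--remove", "mkhomedir"])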
@ -66,5 +65,9 @@ class DebianTaskNamespace(RedHatTaskNamespace):
# Debian doesn't require special mod_wsgi configuration
# Debian doesn't require special mod_wsgi configuration
pass
pass
def setup_httpd_logging(self):
# Debian handles httpd logging differently
pass
tasks = DebianTaskNamespace()
tasks = DebianTaskNamespace()
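--- a/PATH_NOT_SHOWN-redhat-tasks-imports
+++ b/PATH_NOT_SHOWN-redhat-tasks-imports
@@ -47,6 +47,7 @@ from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.redhat.authconfig import get_auth_tool
 from ipaplatform.base.tasks import BaseTaskNamespace
+from ipaserver.install import installutils
 
 logger = logging.getLogger(__name__)
 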
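Review bot: `from ipaserver.install import installutils` makes a platform task module depend on the server package at import time; if this module is also loaded on client-only installs where ipaserver is absent, the failure happens at module load rather than only when setup_httpd_logging runs. Moving the import inside setup_httpd_logging (hunk @ -565), `from ipaserver.install import installutils` as the first statement of that method, confines the dependency to the one call site; alternatively the directive-editing helper could live in a module both sides import. I cannot see from here whether ipaserver is guaranteed to be present wherever ipaplatform is, so treat this as a layering check rather than a confirmed break.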
@ -565,5 +566,13 @@ class RedHatTaskNamespace(BaseTaskNamespace):
pass
pass
return False
return False
def setup_httpd_logging(self):
installutils.set_directive(paths.HTTPD_SSL_CONF,
'ErrorLog',
'logs/error_log', False)
installutils.set_directive(paths.HTTPD_SSL_CONF,
'TransferLog',
'logs/access_log', False)
tasks = RedHatTaskNamespace()
tasks = RedHatTaskNamespace()
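--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -214,6 +214,7 @@ class HTTPInstance(service.Service):
 
 def backup_ssl_conf(self):
 self.fstore.backup_file(paths.HTTPD_SSL_CONF)
+self.fstore.backup_file(paths.HTTPD_SSL_SITE_CONF)
 
 def disable_nss_conf(self):
 """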
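Review bot: backup_ssl_conf now backs up both paths.HTTPD_SSL_CONF and paths.HTTPD_SSL_SITE_CONF, but in BasePathNamespace (hunk @ -51) both constants name /etc/httpd/conf.d/ssl.conf, so on non-Debian platforms the same file is backed up twice; whether fstore.backup_file tolerates a second backup of an already-recorded path is not visible here. The same aliasing reaches the restore loop at @ -512, where restore_file is called twice for one path and the second call may be what lands in its `except ValueError` branch, and the backup file list at @ -148. Guarding the second call with `if paths.HTTPD_SSL_SITE_CONF != paths.HTTPD_SSL_CONF:`, and de-duplicating the restore list with `for f in dict.fromkeys([...]):`, would make the intent explicit on both platforms.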
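--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -235,12 +236,7 @@ class HTTPInstance(service.Service):
 '+TLSv1 +TLSv1.1 +TLSv1.2', False)
 
 def set_mod_ssl_logdir(self):
-installutils.set_directive(paths.HTTPD_SSL_CONF,
-'ErrorLog',
-'logs/error_log', False)
-installutils.set_directive(paths.HTTPD_SSL_CONF,
-'TransferLog',
-'logs/access_log', False)
+tasks.setup_httpd_logging()
 
 def disable_mod_ssl_ocsp(self):
 if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None: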
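Review bot: set_mod_ssl_logdir now only calls tasks.setup_httpd_logging(), so its name no longer describes what happens on every platform; the Debian task at @ -66 is a no-op, so on Debian this method changes nothing. A one-line docstring, `"""Delegate httpd log-directive setup to the platform task namespace (may be a no-op)."""`, keeps the method honest until callers can be renamed. The `tasks` name must already be bound in this module for the call to resolve; its import is outside the hunk.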
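--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -272,14 +268,14 @@ class HTTPInstance(service.Service):
 
 def __add_include(self):
 """This should run after __set_mod_nss_port so is already backed up"""
-if installutils.update_file(paths.HTTPD_SSL_CONF,
+if installutils.update_file(paths.HTTPD_SSL_SITE_CONF,
 '</VirtualHost>',
 'Include {path}\n'
 '</VirtualHost>'.format(
 path=paths.HTTPD_IPA_REWRITE_CONF)
 ) != 0:
 self.print_msg("Adding Include conf.d/ipa-rewrite to "
-"%s failed." % paths.HTTPD_SSL_CONF)
+"%s failed." % paths.HTTPD_SSL_SITE_CONF)
 
 def configure_certmonger_renewal_guard(self):
 certmonger = services.knownservices.certmonger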
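Review bot: The failure message still hard-codes "Adding Include conf.d/ipa-rewrite to ..." while the Include actually written is paths.HTTPD_IPA_REWRITE_CONF, which on Debian (hunk @ -28) is /etc/apache2/conf-available/ipa-rewrite.conf; the literal is now misleading on the very platform this commit targets. Formatting the real path into the message, `self.print_msg("Adding Include %s to %s failed." % (paths.HTTPD_IPA_REWRITE_CONF, paths.HTTPD_SSL_SITE_CONF))`, fixes it. The docstring's reference to __set_mod_nss_port also predates the move to mod_ssl and may be stale; that is worth confirming against the rest of the class, which is outside the hunk.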
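--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -404,10 +400,10 @@ class HTTPInstance(service.Service):
 
 def configure_mod_ssl_certs(self):
 """Configure the mod_ssl certificate directives"""
-installutils.set_directive(paths.HTTPD_SSL_CONF,
+installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
 'SSLCertificateFile',
 paths.HTTPD_CERT_FILE, False)
-installutils.set_directive(paths.HTTPD_SSL_CONF,
+installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
 'SSLCertificateKeyFile',
 paths.HTTPD_KEY_FILE, False)
 installutils.set_directive(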
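--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -415,7 +411,7 @@ class HTTPInstance(service.Service):
 'SSLPassPhraseDialog',
 'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER),
 False)
-installutils.set_directive(paths.HTTPD_SSL_CONF,
+installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
 'SSLCACertificateFile',
 paths.IPA_CA_CRT, False)
 # set SSLVerifyDepth for external CA installations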
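--- a/PATH_NOT_SHOWN-HTTPInstance
+++ b/PATH_NOT_SHOWN-HTTPInstance
@@ -512,7 +508,7 @@ class HTTPInstance(service.Service):
 'external-helper', helper)
 
 for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
-paths.HTTPD_NSS_CONF]:
+paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]:
 try:
 self.fstore.restore_file(f)
 except ValueError as error: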
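--- a/PATH_NOT_SHOWN-Backup
+++ b/PATH_NOT_SHOWN-Backup
@@ -148,6 +148,7 @@ class Backup(admintool.AdminTool):
 paths.HTTPD_IPA_PKI_PROXY_CONF,
 paths.HTTPD_IPA_REWRITE_CONF,
 paths.HTTPD_SSL_CONF,
+paths.HTTPD_SSL_SITE_CONF,
 paths.HTTPD_CERT_FILE,
 paths.HTTPD_KEY_FILE,
 paths.HTTPD_IPA_CONF,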