Upgrade: configure local/full PKINIT depending on the master status

The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2024-12-26 00:41:25 -06:00 · 2017-04-06 18:52:05 +02:00 · 2017-04-06 18:52:05 +02:00 · a194055c92
commit a194055c92
parent 2374b648d0
1 changed files with 9 additions and 6 deletions
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1485,14 +1485,17 @@ def add_default_caacl(ca):
 def setup_pkinit(krb):
    root_logger.info("[Setup PKINIT]")

-    if not api.Command.ca_is_enabled()['result']:
-        root_logger.info("CA is not enabled")
-        return
+    pkinit_is_enabled = krbinstance.is_pkinit_enabled()
+    ca_is_enabled = api.Command.ca_is_enabled()['result']

-    if not os.path.exists(paths.KDC_CERT):
-        root_logger.info("Requesting PKINIT certificate")
-        krb.setup_pkinit()
+    if not pkinit_is_enabled:
+        if ca_is_enabled:
+            krb.issue_ipa_ca_signed_pkinit_certs()
+        else:
+            krb.issue_selfsigned_pkinit_certs()

+    # reconfigure KDC just in case in order to handle potentially broken
+    # 4.5.0 -> 4.5.1 upgrade path
    replacevars = dict()
    replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
        paths.KDC_CERT,paths.KDC_KEY)