IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Request PKINIT cert directly from Dogtag API on first master

Browse Source 
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Martin Babinsky 2017-03-14 13:16:07 +01:00 committed by Martin Basti
parent 95768de06f
commit b5b23e073e
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ipaserver/install/krbinstance.py
View File

@ -68,6 +68,7 @@ class KrbInstance(service.Service):
self.kdc_password = None
self.sub_dict = None
self.pkcs12_info = None
self.master_fqdn = None
suffix = ipautil.dn_attribute_property('_suffix')
subject_base = ipautil.dn_attribute_property('_subject_base')
@ -359,6 +360,18 @@ class KrbInstance(service.Service):
certpath = (paths.KDC_CERT, paths.KDC_KEY)
try:
prev_helper = None
if self.master_fqdn is None:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
certmonger.request_and_wait_for_cert(
certpath,
subject,
@ -372,6 +385,9 @@ class KrbInstance(service.Service):
if name != 'org.fedorahosted.certmonger.duplicate':
root_logger.error("Failed to initiate the request: %s", e)
return
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context