Set renewal time for the CA audit certificate to 720 days.

The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951
This commit is contained in:
Rob Crittenden 2012-10-09 11:25:27 -04:00 committed by Martin Kosek
parent 96decfea26
commit eb79f5c955
2 changed files with 47 additions and 7 deletions

View File

@ -211,14 +211,15 @@ def upgrade_pki(fstore):
This requires enabling SSL renegotiation.
"""
configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
if not os.path.exists('/etc/pki-ca/CS.cfg'):
if not os.path.exists(configured_constants.CS_CFG_PATH):
root_logger.debug('No CA detected in /etc/pki-ca')
return
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
if not installutils.get_directive('/etc/pki-ca/CS.cfg',
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists('/usr/bin/pki-setup-proxy'):
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
def upgrade_ipa_profile(ca):
"""
Update the IPA Profile provided by dogtag
Returns True if restart is needed, False otherwise.
"""
root_logger.info('[Verifying that CA service certificate profile is updated]')
if ca.is_configured():
if ca.enable_subject_key_identifier():
root_logger.debug('Subject Key Identifier updated, restarting CA')
ca.restart()
ski = ca.enable_subject_key_identifier()
if ski:
root_logger.debug('Subject Key Identifier updated.')
else:
root_logger.debug('Subject Key Identifier already set.')
audit = ca.set_audit_renewal()
if audit or ski:
return True
else:
root_logger.debug('CA is not configured')
return False
def upgrade_httpd_selinux(fstore):
"""
Update SElinux configuration for httpd instance in the same way as the
@ -609,14 +617,13 @@ def main():
pass
cleanup_kdc(fstore)
upgrade_ipa_profile(ca)
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
ca_restart = ca_restart or enable_certificate_renewal(ca)
ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')

View File

@ -562,6 +562,7 @@ class CAInstance(service.Service):
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("set certificate subject base", self.__set_subject_in_config)
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
self.step("restarting certificate server", self.__restart_instance)
@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
# No update was done
return False
def set_audit_renewal(self):
"""
The default renewal time for the audit signing certificate is
six months rather than two years. Fix it. This is BZ 843979.
"""
# Check the default validity period of the audit signing cert
# and set it to 2 years if it is 6 months.
range = installutils.get_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
'policyset.caLogSigningSet.2.default.params.range',
separator='='
)
root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
if range == "180":
installutils.set_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
'policyset.caLogSigningSet.2.default.params.range',
'720',
quotes=False,
separator='='
)
installutils.set_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
'policyset.caLogSigningSet.2.constraint.params.range',
'720',
quotes=False,
separator='='
)
root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
return True
return False
def is_master(self):
"""
There are some tasks that are only done on a single dogtag master.