Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/2951
This commit is contained in:
parent
96decfea26
commit
eb79f5c955
@ -211,14 +211,15 @@ def upgrade_pki(fstore):
|
||||
|
||||
This requires enabling SSL renegotiation.
|
||||
"""
|
||||
configured_constants = dogtag.configured_constants()
|
||||
root_logger.info('[Verifying that CA proxy configuration is correct]')
|
||||
if not os.path.exists('/etc/pki-ca/CS.cfg'):
|
||||
if not os.path.exists(configured_constants.CS_CFG_PATH):
|
||||
root_logger.debug('No CA detected in /etc/pki-ca')
|
||||
return
|
||||
|
||||
http = httpinstance.HTTPInstance(fstore)
|
||||
http.enable_mod_nss_renegotiate()
|
||||
if not installutils.get_directive('/etc/pki-ca/CS.cfg',
|
||||
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
|
||||
'proxy.securePort', '=') and \
|
||||
os.path.exists('/usr/bin/pki-setup-proxy'):
|
||||
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
|
||||
@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
|
||||
def upgrade_ipa_profile(ca):
|
||||
"""
|
||||
Update the IPA Profile provided by dogtag
|
||||
|
||||
Returns True if restart is needed, False otherwise.
|
||||
"""
|
||||
root_logger.info('[Verifying that CA service certificate profile is updated]')
|
||||
if ca.is_configured():
|
||||
if ca.enable_subject_key_identifier():
|
||||
root_logger.debug('Subject Key Identifier updated, restarting CA')
|
||||
ca.restart()
|
||||
ski = ca.enable_subject_key_identifier()
|
||||
if ski:
|
||||
root_logger.debug('Subject Key Identifier updated.')
|
||||
else:
|
||||
root_logger.debug('Subject Key Identifier already set.')
|
||||
audit = ca.set_audit_renewal()
|
||||
if audit or ski:
|
||||
return True
|
||||
else:
|
||||
root_logger.debug('CA is not configured')
|
||||
|
||||
return False
|
||||
|
||||
def upgrade_httpd_selinux(fstore):
|
||||
"""
|
||||
Update SElinux configuration for httpd instance in the same way as the
|
||||
@ -609,14 +617,13 @@ def main():
|
||||
pass
|
||||
|
||||
cleanup_kdc(fstore)
|
||||
upgrade_ipa_profile(ca)
|
||||
changed_psearch = named_enable_psearch()
|
||||
changed_autoincrement = named_enable_serial_autoincrement()
|
||||
if changed_psearch or changed_autoincrement:
|
||||
# configuration has changed, restart the name server
|
||||
root_logger.info('Changes to named.conf have been made, restart named')
|
||||
bindinstance.BindInstance(fstore).restart()
|
||||
ca_restart = ca_restart or enable_certificate_renewal(ca)
|
||||
ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
|
||||
|
||||
if ca_restart:
|
||||
root_logger.info('pki-ca configuration changed, restart pki-ca')
|
||||
|
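Review bot: The combined line `ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)` short-circuits, so whenever ca_restart is already True neither enable_certificate_renewal(ca) nor upgrade_ipa_profile(ca) runs and the profile update (including the audit renewal fix this commit adds) is silently skipped on that upgrade; the removed unconditional `upgrade_ipa_profile(ca)` call did not have this problem. Whether ca_restart can be True at this point depends on code earlier in main(), which lies outside the hunk, so it needs confirming. Evaluate each step unconditionally and combine the results afterwards: `renewal_changed = enable_certificate_renewal(ca)` / `profile_changed = upgrade_ipa_profile(ca)` / `ca_restart = ca_restart or renewal_changed or profile_changed`. main() starts and ends outside the hunk.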
@ -562,6 +562,7 @@ class CAInstance(service.Service):
|
||||
self.step("set up CRL publishing", self.__enable_crl_publish)
|
||||
self.step("set certificate subject base", self.__set_subject_in_config)
|
||||
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
|
||||
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
|
||||
self.step("configuring certificate server to start on boot", self.__enable)
|
||||
if not self.clone:
|
||||
self.step("restarting certificate server", self.__restart_instance)
|
||||
@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
|
||||
# No update was done
|
||||
return False
|
||||
|
||||
def set_audit_renewal(self):
|
||||
"""
|
||||
The default renewal time for the audit signing certificate is
|
||||
six months rather than two years. Fix it. This is BZ 843979.
|
||||
"""
|
||||
# Check the default validity period of the audit signing cert
|
||||
# and set it to 2 years if it is 6 months.
|
||||
range = installutils.get_directive(
|
||||
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
||||
'policyset.caLogSigningSet.2.default.params.range',
|
||||
separator='='
|
||||
)
|
||||
root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
|
||||
if range == "180":
|
||||
installutils.set_directive(
|
||||
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
||||
'policyset.caLogSigningSet.2.default.params.range',
|
||||
'720',
|
||||
quotes=False,
|
||||
separator='='
|
||||
)
|
||||
installutils.set_directive(
|
||||
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
||||
'policyset.caLogSigningSet.2.constraint.params.range',
|
||||
'720',
|
||||
quotes=False,
|
||||
separator='='
|
||||
)
|
||||
root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
|
||||
return True
|
||||
return False
|
||||
|
||||
def is_master(self):
|
||||
"""
|
||||
There are some tasks that are only done on a single dogtag master.
|
||||
|
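Review bot: In set_audit_renewal the local `range` shadows the builtin and the profile path `'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR` is spelled out three times, so a rename and a single local for the path would make the three directive calls easier to read and to keep in sync. The method also compares only the `default.params.range` value before rewriting both the default and the constraint range; if a profile could already have the default at 720 while the constraint is still at 180, that case is left unfixed, which is worth confirming against what upgraded installs actually contain. The debug call `root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)` formats eagerly; pass the value as a logging argument instead. A rewrite of the body is below; the docstring and the trailing debug/return lines are unchanged.
```python
    def set_audit_renewal(self):
        # … unchanged: docstring …
        profile = '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR
        validity = installutils.get_directive(
            profile,
            'policyset.caLogSigningSet.2.default.params.range',
            separator='='
        )
        root_logger.debug('caSignedLogCert.cfg profile validity range is %s', validity)
        if validity == "180":
            for directive in ('policyset.caLogSigningSet.2.default.params.range',
                              'policyset.caLogSigningSet.2.constraint.params.range'):
                installutils.set_directive(profile, directive, '720',
                                           quotes=False, separator='=')
            # … unchanged: debug log and return True …
        return False
```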