dsinstance, httpinstance: consolidate certificate request code
A different code path is used for DS and httpd certificate requests in replica promotion. This is rather unnecessary and makes the certificate request code hard to follow. Consolidate the non-promotion and promotion code paths into one. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
parent
8a85586379
commit
ec52332229
@ -396,10 +396,7 @@ class DsInstance(service.Service):
|
||||
|
||||
self.step("creating DS keytab", self.request_service_keytab)
|
||||
if self.promote:
|
||||
if self.pkcs12_info:
|
||||
self.step("configuring TLS for DS instance", self.__enable_ssl)
|
||||
else:
|
||||
self.step("retrieving DS Certificate", self.__get_ds_cert)
|
||||
self.step("configuring TLS for DS instance", self.__enable_ssl)
|
||||
self.step("restarting directory server", self.__restart_instance)
|
||||
|
||||
self.step("setting up initial replication", self.__setup_replica)
|
||||
@ -810,18 +807,23 @@ class DsInstance(service.Service):
|
||||
dsdb.track_server_cert(
|
||||
self.nickname, self.principal, dsdb.passwd_fname,
|
||||
'restart_dirsrv %s' % self.serverid)
|
||||
|
||||
self.add_cert_to_service()
|
||||
else:
|
||||
dsdb.create_from_cacert()
|
||||
ca_args = [
|
||||
paths.CERTMONGER_DOGTAG_SUBMIT,
|
||||
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
|
||||
'--certfile', paths.RA_AGENT_PEM,
|
||||
'--keyfile', paths.RA_AGENT_KEY,
|
||||
'--cafile', paths.IPA_CA_CRT,
|
||||
'--agent-submit'
|
||||
]
|
||||
helper = " ".join(ca_args)
|
||||
prev_helper = certmonger.modify_ca_helper('IPA', helper)
|
||||
if self.master_fqdn is None:
|
||||
ca_args = [
|
||||
paths.CERTMONGER_DOGTAG_SUBMIT,
|
||||
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
|
||||
'--certfile', paths.RA_AGENT_PEM,
|
||||
'--keyfile', paths.RA_AGENT_KEY,
|
||||
'--cafile', paths.IPA_CA_CRT,
|
||||
'--agent-submit'
|
||||
]
|
||||
helper = " ".join(ca_args)
|
||||
prev_helper = certmonger.modify_ca_helper('IPA', helper)
|
||||
else:
|
||||
prev_helper = None
|
||||
try:
|
||||
cmd = 'restart_dirsrv %s' % self.serverid
|
||||
certmonger.request_and_wait_for_cert(
|
||||
@ -835,7 +837,8 @@ class DsInstance(service.Service):
|
||||
dns=[self.fqdn],
|
||||
post_command=cmd)
|
||||
finally:
|
||||
certmonger.modify_ca_helper('IPA', prev_helper)
|
||||
if prev_helper is not None:
|
||||
certmonger.modify_ca_helper('IPA', prev_helper)
|
||||
|
||||
# restart_dirsrv in the request above restarts DS, reconnect ldap2
|
||||
api.Backend.ldap2.disconnect()
|
||||
@ -843,6 +846,9 @@ class DsInstance(service.Service):
|
||||
|
||||
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
|
||||
|
||||
if prev_helper is not None:
|
||||
self.add_cert_to_service()
|
||||
|
||||
dsdb.create_pin_file()
|
||||
|
||||
self.cacert_name = dsdb.cacert_name
|
||||
@ -1236,46 +1242,6 @@ class DsInstance(service.Service):
|
||||
ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
|
||||
replacevars=vardict)
|
||||
|
||||
def __get_ds_cert(self):
|
||||
nssdb_dir = config_dirname(self.serverid)
|
||||
db = certs.CertDB(
|
||||
self.realm,
|
||||
nssdir=nssdb_dir,
|
||||
subject_base=self.subject_base,
|
||||
ca_subject=self.ca_subject,
|
||||
)
|
||||
db.create_from_cacert()
|
||||
db.request_service_cert(self.nickname, self.principal, self.fqdn)
|
||||
db.create_pin_file()
|
||||
|
||||
# Connect to self over ldapi as Directory Manager and configure SSL
|
||||
ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)
|
||||
conn = ipaldap.LDAPClient(ldap_uri)
|
||||
conn.external_bind()
|
||||
|
||||
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
|
||||
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
|
||||
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
|
||||
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
|
||||
|
||||
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
|
||||
conn.modify_s(DN(('cn', 'config')), mod)
|
||||
|
||||
entry = conn.make_entry(
|
||||
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
|
||||
objectclass=["top", "nsEncryptionModule"],
|
||||
cn=["RSA"],
|
||||
nsSSLPersonalitySSL=[self.nickname],
|
||||
nsSSLToken=["internal (software)"],
|
||||
nsSSLActivation=["on"],
|
||||
)
|
||||
conn.add_entry(entry)
|
||||
|
||||
conn.unbind()
|
||||
|
||||
# check for open secure port 636 from now on
|
||||
self.open_ports.append(636)
|
||||
|
||||
|
||||
def write_certmap_conf(realm, ca_subject):
|
||||
"""(Re)write certmap.conf with given CA subject DN."""
|
||||
|
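Review bot: The new `if prev_helper is not None: self.add_cert_to_service()` guard at the end of `__enable_ssl` uses the saved certmonger helper as a proxy for "this is the first master", which ties two unrelated concerns together and goes wrong if `certmonger.modify_ca_helper` can return None when no helper was configured before (the old code restored it unconditionally, so that case may exist); in that case the `finally` block would also leave the local Dogtag submit helper in place, since its restore is now conditional as well. Test the condition the code actually means: `on_master = self.master_fqdn is None` before the helper swap, `if on_master:` for both the swap and the `add_cert_to_service()` call, and restore the helper whenever the swap happened rather than whenever the previous value was truthy. The same `prev_helper is not None` pattern is repeated in the httpinstance `__setup_ssl` hunk below. `__enable_ssl` begins before this hunk, so the surrounding `dsdb` setup is not visible here.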
@ -376,12 +376,12 @@ class HTTPInstance(service.Service):
|
||||
return False
|
||||
|
||||
def __setup_ssl(self):
|
||||
truncate = not self.promote or not self.ca_is_configured
|
||||
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
|
||||
subject_base=self.subject_base, user="root",
|
||||
group=constants.HTTPD_GROUP,
|
||||
truncate=truncate)
|
||||
truncate=True)
|
||||
self.disable_system_trust()
|
||||
self.create_password_conf()
|
||||
if self.pkcs12_info:
|
||||
if self.ca_is_configured:
|
||||
trust_flags = 'CT,C,C'
|
||||
@ -394,8 +394,6 @@ class HTTPInstance(service.Service):
|
||||
if len(server_certs) == 0:
|
||||
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
|
||||
|
||||
self.create_password_conf()
|
||||
|
||||
# We only handle one server cert
|
||||
nickname = server_certs[0][0]
|
||||
if nickname == 'ipaCert':
|
||||
@ -410,7 +408,6 @@ class HTTPInstance(service.Service):
|
||||
|
||||
else:
|
||||
if not self.promote:
|
||||
self.create_password_conf()
|
||||
ca_args = [
|
||||
paths.CERTMONGER_DOGTAG_SUBMIT,
|
||||
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
|
||||
@ -421,23 +418,26 @@ class HTTPInstance(service.Service):
|
||||
]
|
||||
helper = " ".join(ca_args)
|
||||
prev_helper = certmonger.modify_ca_helper('IPA', helper)
|
||||
|
||||
try:
|
||||
certmonger.request_and_wait_for_cert(
|
||||
certpath=db.secdir,
|
||||
nickname=self.cert_nickname,
|
||||
principal=self.principal,
|
||||
passwd_fname=db.passwd_fname,
|
||||
subject=str(DN(('CN', self.fqdn), self.subject_base)),
|
||||
ca='IPA',
|
||||
profile=dogtag.DEFAULT_PROFILE,
|
||||
dns=[self.fqdn],
|
||||
post_command='restart_httpd')
|
||||
self.dercert = db.get_cert_from_db(
|
||||
self.cert_nickname, pem=False)
|
||||
finally:
|
||||
else:
|
||||
prev_helper = None
|
||||
try:
|
||||
certmonger.request_and_wait_for_cert(
|
||||
certpath=db.secdir,
|
||||
nickname=self.cert_nickname,
|
||||
principal=self.principal,
|
||||
passwd_fname=db.passwd_fname,
|
||||
subject=str(DN(('CN', self.fqdn), self.subject_base)),
|
||||
ca='IPA',
|
||||
profile=dogtag.DEFAULT_PROFILE,
|
||||
dns=[self.fqdn],
|
||||
post_command='restart_httpd')
|
||||
finally:
|
||||
if prev_helper is not None:
|
||||
certmonger.modify_ca_helper('IPA', prev_helper)
|
||||
|
||||
self.dercert = db.get_cert_from_db(self.cert_nickname, pem=False)
|
||||
|
||||
if prev_helper is not None:
|
||||
self.add_cert_to_service()
|
||||
|
||||
# Verify we have a valid server cert
|
||||
|
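Review bot: The branch in `__setup_ssl` that swaps the certmonger 'IPA' CA helper for `paths.CERTMONGER_DOGTAG_SUBMIT` with the RA agent credentials (`--certfile paths.RA_AGENT_PEM`, `--keyfile paths.RA_AGENT_KEY`, `--ee-url` pointing at this host) carries no comment explaining why the swap is needed, and after this consolidation it is the only way the httpd certificate is obtained when no previous helper exists. A one-line comment above `ca_args = [` such as `# Bootstrap path: point the 'IPA' helper at the local Dogtag CA, authenticating with the RA agent cert; the original helper is restored in finally` would let a reader tell this case apart from the `prev_helper = None` case, where the configured helper is used unchanged. The condition that selects the branch is not in this hunk, and the body of `__setup_ssl` continues past its end.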
@ -807,10 +807,6 @@ def install(installer):
|
||||
if setup_ca:
|
||||
ca.install_step_1(False, None, options)
|
||||
|
||||
# The DS instance is created before the keytab, add the SSL cert we
|
||||
# generated
|
||||
ds.add_cert_to_service()
|
||||
|
||||
otpd = otpdinstance.OtpdInstance()
|
||||
otpd.create_instance('OTPD', host_name,
|
||||
ipautil.realm_to_suffix(realm_name))
|
||||
|
@ -27,7 +27,6 @@ from ipapython.dn import DN
|
||||
from ipapython.ipa_log_manager import root_logger
|
||||
from ipapython.admintool import ScriptError
|
||||
from ipaplatform import services
|
||||
from ipaplatform.constants import constants as pconstants
|
||||
from ipaplatform.tasks import tasks
|
||||
from ipaplatform.paths import paths
|
||||
from ipalib import api, constants, create_api, errors, rpc, x509
|
||||
@ -77,18 +76,6 @@ def make_pkcs12_info(directory, cert_name, password_name):
|
||||
return None
|
||||
|
||||
|
||||
def install_http_certs(host_name, realm_name, subject_base):
|
||||
principal = 'HTTP/%s@%s' % (host_name, realm_name)
|
||||
subject = subject_base or DN(('O', realm_name))
|
||||
db = certs.CertDB(realm_name, nssdir=paths.HTTPD_ALIAS_DIR,
|
||||
subject_base=subject, user="root",
|
||||
group=pconstants.HTTPD_GROUP, truncate=True)
|
||||
db.request_service_cert('Server-Cert', principal, host_name)
|
||||
# Obtain certificate for the HTTP service
|
||||
http = httpinstance.HTTPInstance()
|
||||
http.create_password_conf()
|
||||
|
||||
|
||||
def install_replica_ds(config, options, ca_is_configured, remote_api,
|
||||
ca_file, promote=False, pkcs12_info=None):
|
||||
dsinstance.check_ports()
|
||||
@ -175,7 +162,8 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
|
||||
http.create_instance(
|
||||
config.realm_name, config.host_name, config.domain_name,
|
||||
pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file,
|
||||
ca_is_configured=ca_is_configured, promote=promote)
|
||||
ca_is_configured=ca_is_configured, promote=promote,
|
||||
subject_base=config.subject_base)
|
||||
|
||||
return http
|
||||
|
||||
@ -1414,12 +1402,6 @@ def install(installer):
|
||||
# Always try to install DNS records
|
||||
install_dns_records(config, options, remote_api)
|
||||
|
||||
if promote and ca_enabled:
|
||||
# we need to install http certs to setup ssl for httpd
|
||||
install_http_certs(config.host_name,
|
||||
config.realm_name,
|
||||
config.subject_base)
|
||||
|
||||
ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
|
||||
remote_api.env.realm)
|
||||
finally:
|
||||
|
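Review bot: `subject_base=config.subject_base` is now passed straight to `http.create_instance` in `install_http`, whereas the removed `install_http_certs` applied a fallback, `subject_base or DN(('O', realm_name))`; unless `create_instance` (not on this page) supplies the same default, a replica config without a subject base would reach `DN(('CN', self.fqdn), self.subject_base)` in httpinstance with None. If the fallback is still wanted, keep it at the call site: `subject_base=config.subject_base or DN(('O', config.realm_name))`. The dropped `from ipaplatform.constants import constants as pconstants` import should also be checked against any remaining `pconstants` uses elsewhere in the file, which this page does not show.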