Commit Graph

177 Commits

Author SHA1 Message Date
Christian Heimes
1b966f708a Use common replication wait timeout of 5min
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.

Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00
Christian Heimes
f1d5ab3a03 Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-15 13:02:53 +02:00
Stanislav Laznicka
f47d86c719 Move config directives handling code
Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
8c0d7bb92f Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Florence Blanc-Renaud
af99032d90 ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).

If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-28 21:25:47 +02:00
Stanislav Laznicka
392f44a38a
mod_ssl: add SSLVerifyDepth for external CA installs
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-10 10:03:02 +02:00
Christian Heimes
49b4a057f1 Create missing /etc/httpd/alias for ipasession.key
The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.

Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.

See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-07 16:22:10 +02:00
Stanislav Laznicka
47cf159f11 Fix upgrading of FreeIPA HTTPD
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.

This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 09:42:07 +02:00
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Christian Heimes
a6e6e7f5e4 More cleanup after uninstall
Remove more files during ipaserver uninstallation:

* /etc/gssproxy/10-ipa.conf
* /etc/httpd/alias/*.ipasave
* /etc/httpd/conf/password.conf
* /etc/ipa/dnssec/softhsm2.conf
* /etc/systemd/system/httpd.service.d/
* /var/lib/ipa/dnssec/tokens

Fixes: https://pagure.io/freeipa/issue/7183
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-20 10:15:28 +01:00
Christian Heimes
c5fb6c8502 Prepare migration of mod_nss NSSDB to sql format
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
  auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.

The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
88fd3f9435 certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
75845733f8
Backup ssl.conf when migrating from mod_nss
We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
1ca68ea730
httpinstance fixup: remove commented-out lines
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
ee49947b6c
httpinstance: fix publishing of CA cert
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
8ea04ab3e3
httpinstance: verify priv key belongs to certificate
Verify the certificate issued during an installation belongs
to its private key.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
dde62ff883
httpinstance: backup mod_nss conf instead of just removing it
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
0c388d1e8f
service: rename import_ca_certs_* to export_*
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
92d91ed58b
fixup: add ipa-rewrite.conf to ssl.conf on upgrade
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
205675239a
httpinstance: handle supplied PKCS#12 files in installation
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
5531c9f26b
Don't backup nss.conf on upgrade with the switch to mod_ssl
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.

We already have a backup of nss.conf from pre-install. Stick with
that.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
4596674481
Enable upgrades from a mod_nss-installed master to mod_ssl
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Florence Blanc-Renaud
87540fe1ef Fix ipa-server-upgrade with server cert tracking
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert

The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.

https://pagure.io/freeipa/issue/7141

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:34:31 +02:00
Felipe Volpone
0b7d9c5a7b
Removing part of circular dependency of ipalib in ipaplaform
After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the function that use it.

https://pagure.io/freeipa/issue/7108

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-30 15:51:39 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Pavel Vomacka
566361e63d Turn off OCSP check
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:33:54 +02:00
Jan Cholasta
ab71cd5a16 httpinstance: wait until the service entry is replicated
Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.

This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.

https://pagure.io/freeipa/issue/6867

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:53:27 +02:00
Martin Basti
1a6de32c9e httpd: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Pavel Vomacka
e0b32dac54
Turn on NSSOCSP check in mod_nss conf
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-10 09:08:34 +02:00
Martin Babinsky
68c6a4d4e1 Stop requesting anonymous keytab and purge all references of it
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
b1a1e10439 separate function to set ipaConfigString values on service entry
There is some code duplication regarding setting ipaConfigString values
when:
   * LDAP-enabling a service entry
   * advertising enabled KDCProxy in LDAP

We can delegate the common work to a single re-usable function and thus
expose it to future use-cases (like PKINIT advertising).

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Stanislav Laznicka
9ac56e47d7
Fix CA-less to CA-full upgrade
CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.

https://pagure.io/freeipa/issue/6853

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:21:46 +02:00
David Kupka
a726e98f03 Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 17:51:49 +02:00
Jan Cholasta
ec52332229 dsinstance, httpinstance: consolidate certificate request code
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
8a85586379 httpinstance: avoid httpd restart during certificate request
httpd is restarted by certmonger in the restart_httpd script after the
httpd certificate is saved if it was previously running. The restart will
fail because httpd is not properly configured at this point.

Stop httpd at the beginning of httpd install to avoid the restart.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
5f5a3b29db httpinstance: make sure NSS database is backed up
The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.

Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-04 08:21:50 +00:00
Stanislav Laznicka
8c87014e19 Get correct CA cert nickname in CA-less
During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means there's going to
be different nicknames to the added certificates. Store
the CA certificate nickname in HTTPInstance__setup_ssl()
to be able to correctly export it later.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:06:29 +00:00
David Kupka
0128e805e5
httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
Server installation failed when attmpting to disable module 'Root Certs' and
the module was not available in HTTP_ALIAS_DIR. When the module is not
available there's no need to disable it and the error may be treated as
success.

https://pagure.io/freeipa/issue/6803

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-28 17:10:54 +02:00
Jan Cholasta
e263cb46cb httpinstance: clean up /etc/httpd/alias on uninstall
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
Jan Cholasta
f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Florence Blanc-Renaud
d4ad2c98aa Installation must publish CA cert in /usr/share/ipa/html/ca.crt
Regression introduced with commit d124e30.
ipa-server-install and ipa-replica-install must publish the CA cert
in /usr/share/ipa/html/ca.crt, otherwise the web page
http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to
http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing.

https://pagure.io/freeipa/issue/6750

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-13 18:12:38 +01:00
Tomas Krizek
09c6b75780 installer: update time estimates
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.

https://pagure.io/freeipa/issue/6596

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-10 15:46:34 +01:00