mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
53d472b490
When a deployment gets promoted from CA-less to CA-ful other replicas still have enable_ra=False in default.conf, and do not have the ra-agent key and certificate. Enhance ipa-certupdate to detect when the deployment has become CA-ful; retrieve the ra-agent credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it is already necessary to use this command to update local trust stores with the new CA certificate(s). So by using ipa-certupdate we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host. We use the first server returned by LDAP. A better heuristic might be to choose a master in the same location but this is just left as a comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible update of default.conf so that the IPA API executes with the new configuration.

This change also addresses the case of a CA server being removed from the topology, i.e. ipa-certupdate detects when non-CA replicas are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).
2. Install a CA-less replica.
3. Run 'ipa-ca-install' on first server, promoting deployment from CA-less to CA-ful.
4. Run 'ipa-certupdate' on second server.
5. Execute 'ipa cert-show 5' on second server. Should succeed, because ra-agent credential was retrieved and default.conf updated at step #4.

Fixes: https://pagure.io/freeipa/issue/7188

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
- ..
- csrgen
- install
- plugins
- remote_plugins
- __init__.py
- __main__.py
- csrgen_ffi.py
- csrgen.py
- discovery.py
- frontend.py
- Makefile.am
- setup.cfg
- setup.py