freeipa/ipaclient
Fraser Tweedale 53d472b490 certupdate: update config after deployment becomes CA-ful
When a deployment gets promoted from CA-less to CA-ful, other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step #4.

Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-16 15:30:53 +10:00
csrgen csrgen: Change to pure openssl config format (no script) 2017-04-03 07:46:30 +00:00
install certupdate: update config after deployment becomes CA-ful 2020-07-16 15:30:53 +10:00
plugins Fix otptoken_sync plugin 2019-11-28 16:09:07 +01:00
remote_plugins Fix typo in idrange.py docstring 2020-02-14 09:48:50 +02:00
__init__.py Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) 2016-01-27 12:09:02 +01:00
__main__.py Use entry_points for ipa CLI 2017-04-11 13:29:50 +02:00
csrgen_ffi.py Fix build_requestinfo in LibreSSL environments 2019-05-14 15:58:40 +02:00
csrgen.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
discovery.py Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
frontend.py Show group-add/remove-member-manager failures 2019-11-20 17:08:40 +01:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Make python-ldap optional for PyPI packages 2019-04-26 12:53:23 +02:00