[Freeipa-devel] Upgrading due to proxy changes
Adam Young
adam at younglogic.com
Thu Oct 6 01:09:50 UTC 2011
Upgrading from a system that had an earlier version of IPA to the
current is broken right now, due to the fact that the new code expects
to talk to the Certificate Authority (CA) via the proxy ports (80,
443), and the old code used non-standard ports (above 8000).
IPA needs to make two changes during upgrade. I'm trying to figure out
the right place to make them.
The first change is to /etc/httpd/conf.d/nss.conf. The function to
make the change during install is:
    ipaserver/install/httpinstance.py self.__enable_mod_nss_renegotiate
which just makes these two method calls.
    installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False)
    installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
Seems to me that they should be added to
install/tools/ipa-upgradeconfig, possibly the main, or a function called
from it. Should I move the call enable_mod_nss_renegotiate into
installutils and call it from both places instead of having it in
httpinstance?
The other change is a little trickier. If the PKI server has not yet
had the proxy enabled, we need to run the script pki-setup-proxy. To
test if we should call that script, Ade and I have agreed that the best
way is to test in CS.conf for changes made: The values
proxy.securePort and proxy.unsecurePort should be set. Is there an
appropriate tool for making this check? Something from installutils?
I'm guessing get_directive('/etc/pki-ca/CS.cfg', 'proxy.securePort', '=')?
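
The two upgrade checks discussed above, as an added example that is not part of the original post and is not FreeIPA code: it reads the file contents itself rather than calling installutils. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Keys and directives named in the post. Sample contents below are constructed.
PROXY_KEYS = ("proxy.securePort", "proxy.unsecurePort")
NSS_DIRECTIVES = {"NSSRenegotiation": "on", "NSSRequireSafeNegotiation": "on"}

OLD_CS_CFG = "# constructed sample, proxy not set up\nexample.setting=1\n"
NEW_CS_CFG = OLD_CS_CFG + "proxy.securePort=443\nproxy.unsecurePort=80\n"
OLD_NSS_CONF = "NSSEngine on\n#NSSRenegotiation on\nNSSRequireSafeNegotiation off\n"


def parse_cs_cfg(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def proxy_configured(cs_cfg_text):
    """True only if every proxy key is present and holds a valid port."""
    cfg = parse_cs_cfg(cs_cfg_text)
    return all(cfg.get(k, "").isdecimal() and 0 < int(cfg[k]) < 65536
               for k in PROXY_KEYS)


def missing_nss_directives(nss_conf_text):
    """Directives that are absent, commented out, or not set to 'on'."""
    found = {}
    for line in nss_conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\S+)", line)
        if m and m.group(1) in NSS_DIRECTIVES:
            found[m.group(1)] = m.group(2).lower()  # last occurrence wins
    return sorted(d for d, want in NSS_DIRECTIVES.items() if found.get(d) != want)


def upgrade_actions(cs_cfg_text, nss_conf_text):
    """List the upgrade steps still needed; an empty list means nothing to do."""
    actions = ["set %s on in nss.conf" % d
               for d in missing_nss_directives(nss_conf_text)]
    if not proxy_configured(cs_cfg_text):
        actions.append("run pki-setup-proxy")
    return actions


if __name__ == "__main__":
    print(upgrade_actions(OLD_CS_CFG, OLD_NSS_CONF))
```

Requiring both keys to hold a valid port, rather than testing for one key's presence, keeps a half-edited or commented-out CS.cfg from being treated as already migrated.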