[Freeipa-devel] Upgrading due to proxy changes

Adam Young ayoung at redhat.com
Thu Oct 6 01:10:59 UTC 2011


Upgrading from a system that had an earlier version of IPA to the
current is broken right now, due to the fact that the new code expects
to talk to the Certificate Authority (CA) via the proxy ports (80,
443), and the old code used non-standard ports (above 8000).


IPA needs to make two changes during upgrade.  I'm trying to figure out 
the right place to make them.

The first change is to  /etc/httpd/conf.d/nss.conf.  The function to 
make the change during install is:

  ipaserver/install/httpinstance.py     self.__enable_mod_nss_renegotiate

which just makes these two method calls.


installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)


Seems to me that they should be added to
install/tools/ipa-upgradeconfig, possibly the main, or a function called
from it.  Should I move the call enable_mod_nss_renegotiate into
installutils and call it from both places instead of having it in
httpinstance?


The other change is a little trickier.  If the PKI server has not yet
had the proxy enabled, we need to run the script pki-setup-proxy.  To
test if we should call that script, Ade and I have agreed that the best
way is to test in CS.conf for changes made:  The values
proxy.securePort and proxy.unsecurePort should be set.  Is there an
appropriate tool for making this check?  Something from installutils?
I'm guessing get_directive('/etc/pki-ca/CS.cfg', 'proxy.securePort', '=')?
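
An added illustration, not part of the original post and not FreeIPA's installutils code: a standalone Python version of the two upgrade pre-checks the message describes, deciding whether pki-setup-proxy still has to run and which mod_nss renegotiation directives still need to be turned on. The function names are hypothetical, the sample configuration text is constructed, and treating an empty or non-numeric port value as unset is an assumption.

```python
# Added example: helper names are hypothetical, sample configs are constructed.

def read_directive(text, name, sep=None):
    """Return the value of the last active `name<sep>value` line, else None.

    sep=None splits on whitespace (Apache style); sep='=' suits CS.cfg.
    """
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or commented-out setting does not count as set
        parts = line.split(sep, 1)
        if len(parts) == 2 and parts[0].strip() == name:  # exact key only
            value = parts[1].strip()
    return value

def needs_proxy_setup(cs_cfg_text):
    """True if either proxy port is unset, so pki-setup-proxy should run.

    Assumption: an empty or non-numeric value is treated as unset.
    """
    for key in ('proxy.securePort', 'proxy.unsecurePort'):
        value = read_directive(cs_cfg_text, key, '=')
        if value is None or not value.isdecimal() or not 0 < int(value) < 65536:
            return True
    return False

def nss_directives_to_enable(nss_conf_text):
    """Return the renegotiation directives that are not currently 'on'."""
    wanted = ('NSSRenegotiation', 'NSSRequireSafeNegotiation')
    return [d for d in wanted
            if (read_directive(nss_conf_text, d) or '').lower() != 'on']

# Constructed inputs: a pre-proxy install and an already-upgraded one.
OLD_CS_CFG = "#proxy.securePort=443\nproxy.securePortOld=9443\nproxy.unsecurePort=\n"
NEW_CS_CFG = "proxy.securePort=443\nproxy.unsecurePort=80\n"
OLD_NSS_CONF = "NSSRenegotiation off\n# NSSRequireSafeNegotiation on\n"
NEW_NSS_CONF = "NSSRenegotiation on\nNSSRequireSafeNegotiation on\n"

if __name__ == '__main__':
    for label, cs, nss in (('old', OLD_CS_CFG, OLD_NSS_CONF),
                           ('new', NEW_CS_CFG, NEW_NSS_CONF)):
        print(label, 'run pki-setup-proxy:', needs_proxy_setup(cs),
              'enable:', nss_directives_to_enable(nss))
```

Because both checks read current state rather than a version number, the upgrade step stays safe to run repeatedly: an already-converted system reports nothing to do.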



