[Freeipa-devel] Upgrading due to proxy changes

Rob Crittenden rcritten at redhat.com
Thu Oct 6 20:44:50 UTC 2011


Adam Young wrote:
> Upgrading from a system that had an earlier version of IPA to the
> current is broken right now, due to the fact that the new code expects
> to talk to the Certificate Authority (CA) via the proxy ports (80, 443),
> and the old code used non standard ports (above 8000).
>
>
> IPA needs to make two changes during upgrade. I'm trying to figure out
> the right place to make them.
>
> The first change is to /etc/httpd/conf.d/nss.conf. The function to make
> the change during install is:
>
> ipaserver/install/httpinstance.py self.__enable_mod_nss_renegotiate
>
> which just makes these two method calls.
>
>
> installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
> installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation',
> 'on',False)
>
>
> Seems to me that they should be added to
> install/tools/ipa-upgradeconfig, possibly the main, or a function called
> from it. Should I move the call enable_mod_nss_renegotiate into
> installutils and call it from both places instead of having it in
> httpinstance?

You can create an HTTPInstance object and just call them directly; that 
is probably best.
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
     http = httpinstance.HTTPInstance(fstore)
     http.enable_mod_nss_renegotiate()

You'll need to make the method public, drop the __.

> The other change is a little trickier. If the PKI server has not yet had
> the proxy enabled, we need to run the script pki-setup-proxy. To test if
> we should call that script, Ade and I have agreed that the best way is
> to test in CS.conf for changes made: the values
> proxy.securePort and proxy.unsecurePort should be set. Is there an
> appropriate tool for making this check? Something from installutils? I'm
> guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?

I guess I'd have preferred that the upgrade script be robust enough to 
be run any time. Given the circumstances this looks ok.

rob
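The upgrade logic the thread sketches (set the two mod_nss directives, then run pki-setup-proxy only if CS.cfg does not yet carry proxy.securePort and proxy.unsecurePort), written out as an added example that can be run repeatedly, which is the robustness Rob asks for. This is not FreeIPA code: get_directive and set_directive are re-implemented here in the shape of the installutils helpers so the script runs without an IPA install, the nss.conf and CS.cfg contents are constructed samples, and run_proxy_setup is a hypothetical hook standing in for invoking the real pki-setup-proxy script.

```python
"""Idempotent IPA-style upgrade checks (added example, not FreeIPA code)."""
import os
import re
import tempfile

# Directives from the thread: the NSS pair is what
# HTTPInstance.__enable_mod_nss_renegotiate sets in nss.conf; the proxy.*
# keys are the CS.cfg markers that pki-setup-proxy leaves behind.
NSS_DIRECTIVES = (("NSSRenegotiation", "on"), ("NSSRequireSafeNegotiation", "on"))
PROXY_KEYS = ("proxy.securePort", "proxy.unsecurePort")


def get_directive(path, directive, separator=" "):
    """Value of the first 'directive<separator>value' line, or None.
    Assumption: mirrors installutils.get_directive's signature."""
    pattern = re.compile(r"^\s*%s\s*%s\s*(.*?)\s*$"
                         % (re.escape(directive), re.escape(separator)))
    with open(path) as fh:
        for line in fh:
            match = pattern.match(line)
            if match:
                return match.group(1).strip('"')
    return None


def set_directive(path, directive, value, quotes=True, separator=" "):
    """Rewrite an existing directive line or append one; returns True only
    when the file actually changed, so an upgrade can call it every time.
    Assumption: mirrors installutils.set_directive's signature."""
    rendered = '"%s"' % value if quotes else str(value)
    new_line = "%s%s%s\n" % (directive, separator, rendered)
    pattern = re.compile(r"^\s*%s\s*%s" % (re.escape(directive), re.escape(separator)))
    with open(path) as fh:
        lines = fh.readlines()
    out, found = [], False
    for line in lines:
        if pattern.match(line):
            if found:          # collapse duplicate directive lines
                continue
            found = True
            out.append(new_line)
        else:
            out.append(line)
    if not found:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(new_line)
    if out == lines:
        return False
    tmp = path + ".tmp"      # write-then-rename so a crash leaves a whole file
    with open(tmp, "w") as fh:
        fh.writelines(out)
    os.rename(tmp, path)
    return True


def proxy_enabled(cs_cfg):
    """True when both proxy port keys are set: the thread's agreed marker
    that pki-setup-proxy has already run on this CA."""
    return all(get_directive(cs_cfg, key, "=") for key in PROXY_KEYS)


def enable_mod_nss_renegotiate(nss_conf):
    """The two set_directive calls from the thread; True if nss.conf changed."""
    return any([set_directive(nss_conf, d, v, False) for d, v in NSS_DIRECTIVES])


def upgrade(nss_conf, cs_cfg, run_proxy_setup):
    """Apply both upgrade steps, skipping ones already done. run_proxy_setup
    is a hypothetical hook standing in for running pki-setup-proxy."""
    steps = []
    if enable_mod_nss_renegotiate(nss_conf):
        steps.append("nss_renegotiate")
    if not proxy_enabled(cs_cfg):
        run_proxy_setup()
        steps.append("pki-setup-proxy")
    return steps


def build_samples(workdir):
    """Constructed pre-upgrade nss.conf and CS.cfg (old high CA ports)."""
    nss_conf = os.path.join(workdir, "nss.conf")
    cs_cfg = os.path.join(workdir, "CS.cfg")
    with open(nss_conf, "w") as fh:
        fh.write("Listen 443\nNSSEngine on\nNSSRenegotiation off\n"
                 "NSSCipherSuite +rsa_rc4_128_md5\n")
    with open(cs_cfg, "w") as fh:
        fh.write("pkicreate.secure_port=9444\npkicreate.unsecure_port=9180\n")
    return nss_conf, cs_cfg


def fake_pki_setup_proxy(cs_cfg):
    """Constructed stand-in that records only the CS.cfg marker keys."""
    set_directive(cs_cfg, "proxy.securePort", "443", False, "=")
    set_directive(cs_cfg, "proxy.unsecurePort", "80", False, "=")


def demo():
    """Run the upgrade twice; the second pass must do nothing."""
    nss_conf, cs_cfg = build_samples(tempfile.mkdtemp())
    first = upgrade(nss_conf, cs_cfg, lambda: fake_pki_setup_proxy(cs_cfg))
    second = upgrade(nss_conf, cs_cfg, lambda: fake_pki_setup_proxy(cs_cfg))
    return first, second, nss_conf, cs_cfg


if __name__ == "__main__":
    print(demo()[:2])
```

The point of returning a changed flag from set_directive and of checking the CS.cfg marker before calling the hook is that the script can be re-run on a half-upgraded or already-upgraded server without re-running pki-setup-proxy or rewriting nss.conf a second time.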
