[Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes

Fraser Tweedale ftweedal at redhat.com
Fri Jun 5 09:47:57 UTC 2015


Patches 16 and 17 fix regressions in the default profile.

Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.

Cheers,
Fraser
-------------- next part --------------
From bc2b1d729c50dc1ae88a5e5709f655ea2f5ecd66 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 4 Jun 2015 22:49:01 -0400
Subject: [PATCH 16/18] Fix certificate subject base

Profile management patches introduced a regression where a custom
certificate subject base (if configured) is not used in the default
profile.  Use the configured subject base.

Part of: https://fedorahosted.org/freeipa/ticket/4002
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ca0b6df5db80bc842a78f614872831ddd82330b1..42225c28c8201bbae8ac0e46f7791a7f6ed3d158 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1665,7 +1665,7 @@ def import_included_profiles():
         DOMAIN=ipautil.format_netloc(api.env.domain),
         IPA_CA_RECORD=IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
-        SUBJECT_DN_O=str(DN(('O', api.env.realm))),
+        SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
 
     server_id = installutils.realm_to_serverid(api.env.realm)
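Review bot: `dsinstance.DsInstance().find_subject_base()` on the added line replaces a value that could never be empty with one that depends on DS state; if it returns None (I have not verified whether it can), the template substitution would put the literal string 'None' into SUBJECT_DN_O instead of a DN and the defect would only surface as a malformed profile. Keeping the old value as a fallback, `SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base() or str(DN(('O', api.env.realm))),`, preserves the previous behaviour when no custom base is found. import_included_profiles starts and ends outside this hunk.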
-- 
2.1.0

-------------- next part --------------
From dcf1531b109a0ebacb060be4b443df013957c56e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 5 Jun 2015 02:57:48 -0400
Subject: [PATCH 17/18] Import profiles earlier during install

Currently, IPA certificate profile import happens at end of install.
Certificate issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions.  Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.

Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4002
---
 ipaserver/install/cainstance.py     |  5 +++++
 ipaserver/install/server/install.py |  3 ---
 ipaserver/plugins/dogtag.py         | 10 +++++++---
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -473,6 +473,9 @@ class CAInstance(DogtagInstance):
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
+            if not self.clone:
+                self.step("restarting certificate server", self.restart_instance)
+                self.step("Importing IPA certificate profiles", import_included_profiles)
 
         self.start_creation(runtime=210)
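Review bot: The added step description `"restarting certificate server"` on the first new line is the only lower-case one in this list; the neighbouring steps read `"Configure HTTP to proxy connections"` and `"Importing IPA certificate profiles"`, and these strings are presumably shown as progress messages, so `self.step("Restarting certificate server", self.restart_instance)` keeps the output uniform. A one-line comment above the `if not self.clone:` guard stating why the restart must precede the import, e.g. `# profile import goes through the CA's REST API, so the instance must be up with its final config`, would spare the next reader the inference — I am inferring that reason from the order, so confirm it. The enclosing method starts outside this hunk.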
 
@@ -1694,6 +1697,7 @@ def import_included_profiles():
             )
             conn.add_entry(entry)
             api.Backend.ra_certprofile._read_password()
+            api.Backend.ra_certprofile.override_port = 8443
             with api.Backend.ra_certprofile as profile_api:
                 # import the profile
                 try:
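Review bot: `api.Backend.ra_certprofile.override_port = 8443` on the added line is not undone if the `with` block raises anything other than the RemoteRetrieveError it catches; the reset to None added at the top of the next hunk runs only on the normal path, so one failed import would leave the shared backend pointed at 8443 for every later caller in the process. Wrapping the `with` block as `try: ... finally: api.Backend.ra_certprofile.override_port = None` covers both paths. The literal 8443 also deserves a named constant or a comment explaining why the agent port from the environment is wrong at this stage (I infer the proxy is not yet usable, but the patch does not say). import_included_profiles starts and ends outside this hunk.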
@@ -1715,6 +1719,7 @@ def import_included_profiles():
                 except errors.RemoteRetrieveError:
                     pass
 
+            api.Backend.ra_certprofile.override_port = None
             root_logger.info("Imported profile '%s'", profile_id)
 
     conn.disconnect()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -906,9 +906,6 @@ def install(options):
         service.print_msg("Restarting the certificate server")
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 
-        service.print_msg("Importing certificate profiles")
-        cainstance.import_included_profiles()
-
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
         dns.install(False, False, options)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e6668bb43b994863a14fdd347635753422ed9388..4b9d82a84e387758113066163c8346db69a734e1 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1973,6 +1973,7 @@ class RestClient(Backend):
         super(RestClient, self).__init__()
 
         # session cookie
+        self.override_port = None
         self.cookie = None
 
     def _read_password(self):
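Review bot: The added `self.override_port = None` sits between the `# session cookie` comment and `self.cookie = None`, so the comment now labels the wrong attribute. Give the new attribute its own comment above it, e.g. `# when set, used instead of env.ca_agent_port for REST requests (install only)`, and keep `# session cookie` directly above `self.cookie`. The enclosing __init__ starts outside this hunk.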
@@ -2007,7 +2008,8 @@ class RestClient(Backend):
         if self.cookie is not None:
             return
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login',
+            self,ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/login',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
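Review bot: `self,ca_host` on the first added line uses a comma where a dot is needed, so `self` is passed as the host argument and `ca_host` is evaluated as a bare name; unless a module-level `ca_host` exists, every login raises NameError and the RestClient is unusable. The line should read `self.ca_host, self.override_port or self.env.ca_agent_port,`. The same `self.override_port or self.env.ca_agent_port` expression is repeated in the two following hunks (__exit__ and the main request); a small property, e.g. `_port`, returning it would keep the three call sites in step. The enclosing method starts outside this hunk.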
@@ -2020,7 +2022,8 @@ class RestClient(Backend):
     def __exit__(self, exc_type, exc_value, traceback):
         """Log out of the REST API"""
         dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout',
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/logout',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
@@ -2046,7 +2049,8 @@ class RestClient(Backend):
 
         # perform main request
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, resource,
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            resource,
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method=method, headers=headers, body=body
         )
-- 
2.1.0

-------------- next part --------------
From 166a55dddf89235799f2a19c5a709dc92a8a9ce7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 5 Jun 2015 05:02:58 -0400
Subject: [PATCH 18/18] ipa-pki-proxy: allow certificate and password
 authentication

ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.
---
 install/conf/ipa-pki-proxy.conf | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 366ca15a1868758547f9f1d3334fddba38793083..354b340f0a57d3424c3c13fd4054ed71080552fe 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -27,9 +27,16 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/profiles">
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient require
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+<LocationMatch "^/ca/rest/profiles">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
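Review bot: `NSSVerifyClient none` on the new `^/ca/rest/profiles` location removes the client-certificate requirement from that endpoint at the proxy entirely, whereas the commit message only describes relaxing login/logout to `optional`; whether requests to `/ca/rest/profiles` are still authenticated now depends solely on Dogtag enforcing its own session and ACL checks behind the proxy, which this file cannot show. That is a deliberate trust shift and should be stated in the commit message and explained in the file, e.g. `# /ca/rest/profiles: no TLS client auth here; callers authenticate via the login location above and Dogtag enforces its ACLs on the session` — confirm the ACL behaviour against Dogtag before relying on it. The two login/logout lines keep `+StrictRequire` with `optional`, which is consistent; the VERSION bump in the first hunk is already in place.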
-- 
2.1.0


