880d21b828
- Allow the admin user to be disabled Resolves: RHEL-34756 - ipa-otptoken-import: open the key file in binary mode Resolves: RHEL-39616 - ipa-crlgen-manage: manage the cert status task execution time Resolves: RHEL-30280 - idrange-add: add a warning because 389ds restart is required Resolves: RHEL-28996 - PKINIT certificate: fix renewal on hidden replica Resolves: RHEL-4913, RHEL-45908 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
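diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 38693c9..35cec89 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1327,6 +1327,8 @@ class CAInstance(DogtagInstance):
 generation master:
 - in CS.cfg ca.crl.MasterCRL.enableCRLCache=true
 - in CS.cfg ca.crl.MasterCRL.enableCRLUpdates=true
+ - in CS.cfg ca.listenToCloneModifications=true
+ - in CS.cfg ca.certStatusUpdateInterval != 0
 - in /etc/httpd/conf.d/ipa-pki-proxy.conf the RewriteRule
 ^/ipa/crl/MasterCRL.bin is disabled (commented or removed)
 
@@ -1342,15 +1344,30 @@ class CAInstance(DogtagInstance):
 updates = directivesetter.get_directive(
 self.config, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
 enableCRLUpdates = updates.lower() == 'true'
+ listen = directivesetter.get_directive(
+ self.config, 'ca.listenToCloneModifications', '=')
+ enableToClone = listen.lower() == 'true'
+ updateinterval = directivesetter.get_directive(
+ self.config, 'ca.certStatusUpdateInterval', '=')
 
 # If the values are different, the config is inconsistent
- if enableCRLCache != enableCRLUpdates:
+ if not (enableCRLCache == enableCRLUpdates == enableToClone):
 raise InconsistentCRLGenConfigException(
 "Configuration is inconsistent, please check "
- "ca.crl.MasterCRL.enableCRLCache and "
- "ca.crl.MasterCRL.enableCRLUpdates in {} and "
+ "ca.crl.MasterCRL.enableCRLCache, "
+ "ca.crl.MasterCRL.enableCRLUpdates and "
+ "ca.listenToCloneModifications in {} and "
 "run ipa-crlgen-manage [enable|disable] to repair".format(
 self.config))
+ # If they are the same then we are the CRL renewal master. Ensure
+ # the update task is configured.
+ if enableCRLCache and updateinterval == '0':
+ raise InconsistentCRLGenConfigException(
+ "Configuration is inconsistent, please check "
+ "ca.certStatusUpdateInterval in {}. It should "
+ "be either not present or not zero. Run "
+ "ipa-crlgen-manage [enable|disable] to repair".format(
+ self.config))
 except IOError:
 raise RuntimeError(
 "Unable to read {}".format(self.config))
@@ -1407,6 +1424,11 @@ class CAInstance(DogtagInstance):
 str_value = str(setup_crlgen).lower()
 ds.set('ca.crl.MasterCRL.enableCRLCache', str_value)
 ds.set('ca.crl.MasterCRL.enableCRLUpdates', str_value)
+ ds.set('ca.listenToCloneModifications', str_value)
+ if setup_crlgen:
+ ds.set('ca.certStatusUpdateInterval', None)
+ else:
+ ds.set('ca.certStatusUpdateInterval', '0')
 
 # Start pki-tomcat
 logger.info("Starting %s", self.service_name)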
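Review bot: The new consistency check in the second hunk covers only the master side of ca.certStatusUpdateInterval: `if enableCRLCache and updateinterval == '0':` raises when the CRL generation master has the cert status task switched off, but a host with CRL generation disabled and the interval left unset or non-zero passes the status check silently, even though the third hunk deliberately writes `'0'` to exactly that kind of host on disable. If the intent (as the docstring in the first hunk suggests) is that only the CRL master runs the task, the status path should surface the opposite case too, e.g. `elif not enableCRLCache and updateinterval not in (None, '0'):` followed by a matching InconsistentCRLGenConfigException, or a logged warning if upgraded clones may legitimately still lack the directive. The comparison with the literal `'0'` also assumes get_directive returns the bare value with no surrounding whitespace; if that is not guaranteed by the helper, compare against `updateinterval.strip()` when it is not None. The enclosing method begins before this hunk (enableCRLCache is computed outside the visible lines).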
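diff --git a/ipatests/test_integration/test_crlgen_manage.py b/ipatests/test_integration/test_crlgen_manage.py
index 2a733bd..c6f41eb 100644
--- a/ipatests/test_integration/test_crlgen_manage.py
+++ b/ipatests/test_integration/test_crlgen_manage.py
@@ -61,6 +61,16 @@ def check_crlgen_status(host, rc=0, msg=None, enabled=True, check_crl=False):
 ext.value.crl_number)
 assert number_msg in result.stdout_text
 
+ try:
+ value = get_CS_cfg_value(host, 'ca.certStatusUpdateInterval')
+ except IOError:
+ return
+
+ if enabled:
+ assert value is None
+ else:
+ assert value == '0'
+
 
 def check_crlgen_enable(host, rc=0, msg=None, check_crl=False):
 """Check ipa-crlgen-manage enable command
@@ -125,6 +135,23 @@ def break_crlgen_with_CS_cfg(host):
 check_crlgen_status(host, rc=1, msg="Configuration is inconsistent")
 
 
+def get_CS_cfg_value(host, directive):
+ """Retrieve and return the a directive from the CA CS.cfg
+
+ This returns None if the directives is not found.
+ """
+ content = host.get_file_contents(paths.CA_CS_CFG_PATH,
+ encoding='utf-8')
+ value = None
+ for line in content.split('\n'):
+ l = line.lower()
+
+ if l.startswith(directive.lower()):
+ value = line.split('=', 1)[1]
+
+ return value
+
+
 class TestCRLGenManage(IntegrationTest):
 """Tests the ipa-crlgen-manage command.
 
@@ -196,6 +223,9 @@ class TestCRLGenManage(IntegrationTest):
 
 Install a CA clone and enable CRLgen"""
 tasks.install_ca(self.replicas[0])
+ value = get_CS_cfg_value(self.replicas[0],
+ 'ca.certStatusUpdateInterval')
+ assert value == '0'
 check_crlgen_enable(
 self.replicas[0], rc=0,
 msg="make sure to have only a single CRL generation master",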
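Review bot: `get_CS_cfg_value` in the second hunk matches the directive by prefix only — `l.startswith(directive.lower())` also accepts any longer key that shares the prefix — and `line.split('=', 1)[1]` keeps whatever trailing whitespace the value carries, so a CS.cfg line whose value is followed by a space or carriage return would fail the `value == '0'` assertions in the first and third hunks for the wrong reason. Anchoring the match on the separator and stripping the value is enough: `if l.startswith(directive.lower() + '='):` and `value = line.split('=', 1)[1].strip()`. The `except IOError: return` added to check_crlgen_status in the first hunk turns an unreadable CS.cfg into a silent pass of the new assertions; a comment such as `# CS.cfg is absent on hosts without a CA; skip the interval check` would record the intended reason, and the handler could be narrowed to that case if it is the only one expected. The docstring also has two typos ("the a directive", "the directives is not found"), and `l` as a local name is easily confused with `1` (PEP 8 E741) — `lowered` reads better.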