internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-14 13:32:10 +00:00
Code Issues Projects Releases Wiki Activity

library/ipaserver_setup_ca: Use x509 IPA upstream code for pkcs12 files

Browse Source 
With the encoded _http_ca_cert from ipaserver_test it is possible to revert
back to the IPA upstream code to write the pkcs12 http certificates.

The passed _http_ca_cert only needs to be decoded with decode_certificate.
This commit is contained in:
Thomas Woerner
2020-06-03 12:49:44 +02:00
parent 8e6d433df8
commit 09fefbb2d4
1 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
roles/ipaserver/library/ipaserver_setup_ca.py
View File

@@ -163,7 +163,7 @@ from ansible.module_utils.ansible_ipa_server import (
AnsibleModuleLog, setup_logging, options, sysrestore, paths, AnsibleModuleLog, setup_logging, options, sysrestore, paths,
ansible_module_get_parsed_ip_addresses, ansible_module_get_parsed_ip_addresses,
api_Backend_ldap2, redirect_stdout, ca, installutils, ds_init_info, api_Backend_ldap2, redirect_stdout, ca, installutils, ds_init_info,
custodiainstance, write_cache, x509 custodiainstance, write_cache, x509, decode_certificate
) )
@@ -265,8 +265,8 @@ def main():
# additional # additional
options.domainlevel = ansible_module.params.get('domainlevel') options.domainlevel = ansible_module.params.get('domainlevel')
options._http_ca_cert = ansible_module.params.get('_http_ca_cert') options._http_ca_cert = ansible_module.params.get('_http_ca_cert')
# tions._update_hosts_file = ansible_module.params.get( if options._http_ca_cert is not None:
# 'update_hosts_file') options._http_ca_cert = decode_certificate(options._http_ca_cert)
# init ################################################################# # init #################################################################
@@ -322,20 +322,18 @@ def main():
csr_generated=True) csr_generated=True)
else: else:
# Put the CA cert where other instances expect it # Put the CA cert where other instances expect it
with open(paths.IPA_CA_CRT, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
http_ca_cert_file.write(options._http_ca_cert)
os.chmod(paths.IPA_CA_CRT, 0o444) os.chmod(paths.IPA_CA_CRT, 0o444)
if not options.no_pkinit: if not options.no_pkinit:
with open(paths.KDC_CA_BUNDLE_PEM, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert,
http_ca_cert_file.write(options._http_ca_cert) paths.KDC_CA_BUNDLE_PEM)
else: else:
with open(paths.KDC_CA_BUNDLE_PEM, 'w'): with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
pass pass
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
with open(paths.CA_BUNDLE_PEM, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
http_ca_cert_file.write(options._http_ca_cert)
os.chmod(paths.CA_BUNDLE_PEM, 0o444) os.chmod(paths.CA_BUNDLE_PEM, 0o444)
with redirect_stdout(ansible_log): with redirect_stdout(ansible_log):