Commit 09fefbb2 authored by Thomas Woerner's avatar Thomas Woerner

library/ipaserver_setup_ca: Use x509 IPA upstream code for pkcs12 files

With the encoded _http_ca_cert from ipaserver_test it is possible to revert
back to the IPA upstream code to write the pkcs12 http certificates.

The passed _http_ca_cert only needs to be decoded with decode_certificate.
parent 8e6d433d
...@@ -163,7 +163,7 @@ from ansible.module_utils.ansible_ipa_server import ( ...@@ -163,7 +163,7 @@ from ansible.module_utils.ansible_ipa_server import (
AnsibleModuleLog, setup_logging, options, sysrestore, paths, AnsibleModuleLog, setup_logging, options, sysrestore, paths,
ansible_module_get_parsed_ip_addresses, ansible_module_get_parsed_ip_addresses,
api_Backend_ldap2, redirect_stdout, ca, installutils, ds_init_info, api_Backend_ldap2, redirect_stdout, ca, installutils, ds_init_info,
custodiainstance, write_cache, x509 custodiainstance, write_cache, x509, decode_certificate
) )
...@@ -265,8 +265,8 @@ def main(): ...@@ -265,8 +265,8 @@ def main():
# additional # additional
options.domainlevel = ansible_module.params.get('domainlevel') options.domainlevel = ansible_module.params.get('domainlevel')
options._http_ca_cert = ansible_module.params.get('_http_ca_cert') options._http_ca_cert = ansible_module.params.get('_http_ca_cert')
# tions._update_hosts_file = ansible_module.params.get( if options._http_ca_cert is not None:
# 'update_hosts_file') options._http_ca_cert = decode_certificate(options._http_ca_cert)
# init ################################################################# # init #################################################################
...@@ -322,20 +322,18 @@ def main(): ...@@ -322,20 +322,18 @@ def main():
csr_generated=True) csr_generated=True)
else: else:
# Put the CA cert where other instances expect it # Put the CA cert where other instances expect it
with open(paths.IPA_CA_CRT, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
http_ca_cert_file.write(options._http_ca_cert)
os.chmod(paths.IPA_CA_CRT, 0o444) os.chmod(paths.IPA_CA_CRT, 0o444)
if not options.no_pkinit: if not options.no_pkinit:
with open(paths.KDC_CA_BUNDLE_PEM, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert,
http_ca_cert_file.write(options._http_ca_cert) paths.KDC_CA_BUNDLE_PEM)
else: else:
with open(paths.KDC_CA_BUNDLE_PEM, 'w'): with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
pass pass
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
with open(paths.CA_BUNDLE_PEM, "w") as http_ca_cert_file: x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
http_ca_cert_file.write(options._http_ca_cert)
os.chmod(paths.CA_BUNDLE_PEM, 0o444) os.chmod(paths.CA_BUNDLE_PEM, 0o444)
with redirect_stdout(ansible_log): with redirect_stdout(ansible_log):
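Review bot: The new `decode_certificate(options._http_ca_cert)` call in main() has no failure path in the visible lines, so a malformed or truncated `_http_ca_cert` parameter would presumably escape as an unhandled exception instead of a clean module failure. The decoded object is then written to `paths.IPA_CA_CRT`, `paths.KDC_CA_BUNDLE_PEM` and `paths.CA_BUNDLE_PEM`, which serve as trust anchors, so it is worth catching the decode error and reporting it with `ansible_module.fail_json(msg="Invalid _http_ca_cert: %s" % e)` before anything touches disk. The decode is guarded by `is not None`, but the later `x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)` calls in the else branch are not, so please confirm that branch cannot be reached with `_http_ca_cert` unset, or fail explicitly there as well. I would also add a comment above the decode, `# _http_ca_cert arrives encoded from ipaserver_test; decode it to a certificate object for x509.write_certificate`. main() begins and ends outside the lines shown, so existing handling elsewhere in the function may already cover part of this.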