diff --git a/java/code/src/com/suse/manager/ssl/SSLCertManager.java b/java/code/src/com/suse/manager/ssl/SSLCertManager.java index 0b6ac920c486..dc41892f804e 100644 --- a/java/code/src/com/suse/manager/ssl/SSLCertManager.java +++ b/java/code/src/com/suse/manager/ssl/SSLCertManager.java @@ -86,7 +86,7 @@ public SSLCertPair generateCertificate(SSLCertPair caPair, String password, SSLC FileUtils.writeStringToFile(caPair.getKey(), tempCaKeyFile.getAbsolutePath()); List command = new ArrayList<>(); - command.addAll(List.of("rhn-ssl-tool", "--gen-server", "-q", "--no-rpm")); + command.addAll(List.of("rhn-ssl-tool", "--gen-server", "-q")); command.addAll(List.of("-d", sslBuildDir.getAbsolutePath())); command.addAll(List.of("--ca-cert", tempCaCertFile.getName())); command.addAll(List.of("--ca-key", tempCaKeyFile.getName())); diff --git a/java/code/src/com/suse/manager/ssl/test/SSLCertManagerTest.java b/java/code/src/com/suse/manager/ssl/test/SSLCertManagerTest.java index 3fc5c71bb04d..38a17a971693 100644 --- a/java/code/src/com/suse/manager/ssl/test/SSLCertManagerTest.java +++ b/java/code/src/com/suse/manager/ssl/test/SSLCertManagerTest.java @@ -68,7 +68,7 @@ public void testGenerateSSLCert() throws Exception { ByteArrayOutputStream outStream = new ByteArrayOutputStream(); context().checking(new Expectations() {{ allowing(runtime).exec(with(IsArrayContainingInAnyOrder.arrayContainingInAnyOrder( - "rhn-ssl-tool", "--gen-server", "-q", "--no-rpm", "-d", tempDir.getAbsolutePath(), + "rhn-ssl-tool", "--gen-server", "-q", "-d", tempDir.getAbsolutePath(), "--ca-cert", "ca.crt", "--ca-key", "ca.key", "--set-hostname", "server.acme.lab", "--set-cname", "srv1.acme.lab", "--set-cname", "srv2.acme.lab", "--set-country", "DE", "--set-state", "Bayern", "--set-city", "Nurnberg", "--set-org", "SUSE", diff --git a/java/spacewalk-java.changes.cbosdo.no-rpm b/java/spacewalk-java.changes.cbosdo.no-rpm new file mode 100644 index 000000000000..1f75a1cd635d --- /dev/null 
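Review bot: Dropping `--no-rpm` from the `command.addAll(List.of("rhn-ssl-tool", "--gen-server", "-q"))` line is only safe when the installed rhn-ssl-tool comes from this same change. Against an older spacewalk-certs-tools, `--gen-server` without the flag would take the RPM path that the flag used to suppress, and that path packaged the server private key into an RPM under the build directory. Nothing visible in this diff ties the Java package to a minimum certs-tools version, so a versioned requirement in the packaging is worth adding or confirming. The same applies to the `@opts` change in spacewalk-setup and to both calls in spacewalk-hostname-rename. The body of generateCertificate continues outside the hunk.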
+++ b/java/spacewalk-java.changes.cbosdo.no-rpm @@ -0,0 +1,2 @@ +- Remove rhn-ssl-tool --gen-server RPM feature and options + (bsc#1235696) diff --git a/proxy/installer/spacewalk-proxy-installer.changes.cbosdo.no-rpm b/proxy/installer/spacewalk-proxy-installer.changes.cbosdo.no-rpm new file mode 100644 index 000000000000..1f75a1cd635d --- /dev/null +++ b/proxy/installer/spacewalk-proxy-installer.changes.cbosdo.no-rpm @@ -0,0 +1,2 @@ +- Remove rhn-ssl-tool --gen-server RPM feature and options + (bsc#1235696) diff --git a/spacewalk/certs-tools/mgr-ssl-tool.sgml b/spacewalk/certs-tools/mgr-ssl-tool.sgml index 4cce5a3892d2..33eeb262ecbb 100644 --- a/spacewalk/certs-tools/mgr-ssl-tool.sgml +++ b/spacewalk/certs-tools/mgr-ssl-tool.sgml @@ -47,7 +47,6 @@ Generate and maintain SSL keys, certificates and deployment RPMs. (advanced) mgr-ssl-tool --gen-server --key-only --help (advanced) mgr-ssl-tool --gen-server --cert-req-only --help (advanced) mgr-ssl-tool --gen-server --cert-only --help - (advanced) mgr-ssl-tool --gen-server --rpm-only --help 
@@ -191,53 +190,11 @@ Generate and maintain SSL keys, certificates and deployment RPMs. generate a web server's SSL private key: --gen-server --key-only ... generate a web server's SSL certificate request: --gen-server --cert-req-only ... generate/sign a web server's SSL certificate: --gen-server --cert-only ... - generate a web server's private RPM (and tar archive used for SUSE Manager Proxy installations): --gen-server --rpm-only ... - generate a web server's private RPM using a custom SSL key and certificate: --gen-server --rpm-only --from-server-key=FILE --from-server-cert=FILE - - - - Using a 3rd party CA (rarely done in the SUSE Manager context): - - - DEPRECATED: Use - --from-ca-cert, - --from-server-key and - --from-server-cert parameters instead as - described in Advanced options section. - - - - - - CA public certificate: In the "3rd party - CA" case, simply copy the certificate authorities public - certificate to the SSL build directory; renaming it to - RHN-ORG-TRUSTED-SSL-CERT; and then run - --gen-ca --dir BUILD_DIR --rpm-only to package - that certificate in an expected manner ready for client deployment. - See further instructions in step 2. - - Web server's SSL key pair(set): Usually, - one creates the web server's SSL private key, certificate-request - and certificate in one step. If using a 3rd party CA though, create - a web server's SSL private key and certificate-request via - --gen-server --key-only --dir BUILD_DIR and - --gen-server --cert-req-only --dir BUILD_DIR. - Have the 3rd party sign server.csr which will generate a server.crt - file. Copy that server.crt file into the - BUILD_DIR/MACHINE_NAME directory (where the - server.key file was generated). And then create your deployable RPM - with --gen-server --rpm-only --dir BUILD_DIR. - - - - - NOTE: each step (--gen-* or --gen-* 
@@ -557,14 +514,6 @@ Generate and maintain SSL keys, certificates and deployment RPMs. - --server-rpm - - (rarely changed) RPM name that houses the web - server's SSL key set (the base filename, not - filename-version-release.noarch.rpm). - - - --server-tar (rarely changed) name of archive (tarball) of the web @@ -574,35 +523,6 @@ Generate and maintain SSL keys, certificates and deployment RPMs. - --rpm-packager - - (rarely used) packager of the generated RPM, such as - "SUSE Manager Admin <rhn-admin@example.com>". - - - - --rpm-vendor - - (rarely used) vendor of the generated RPM, such as - "IS/IT Example Corp.". - - - - --rpm-only - - (rarely used) only generate a deployable RPM. - Try --gen-server --rpm-only --help for - more information. - - - - --no-rpm - - (rarely used) do everything *except* generate an - RPM. - - - -h | --help help message. @@ -645,8 +565,6 @@ Generate and maintain SSL keys, certificates and deployment RPMs. BUILD_DIR/MACHINE_NAME/server.key BUILD_DIR/MACHINE_NAME/server.csr BUILD_DIR/MACHINE_NAME/server.crt - BUILD_DIR/MACHINE_NAME/rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.src.rpm - BUILD_DIR/MACHINE_NAME/rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm BUILD_DIR/MACHINE_NAME/rhn-org-httpd-ssl-archive-MACHINE_NAME-VER-REL.tar diff --git a/spacewalk/certs-tools/rhn_ssl_tool.py b/spacewalk/certs-tools/rhn_ssl_tool.py index 694025de2a59..914f6178f48f 100755 --- a/spacewalk/certs-tools/rhn_ssl_tool.py +++ b/spacewalk/certs-tools/rhn_ssl_tool.py @@ -38,7 +38,6 @@ import os import sys import glob -import pwd import time import shutil import getpass @@ -83,8 +82,6 @@ LEGACY_SERVER_RPM_NAME2, CA_OPENSSL_CNF_NAME, SERVER_OPENSSL_CNF_NAME, - POST_UNINSTALL_SCRIPT, - SERVER_RPM_SUMMARY, CA_CERT_RPM_SUMMARY, ) 
@@ -850,35 +847,6 @@ def genServerCert(password, d, verbosity=0): pass -def gen_jabberd_cert(d): - """ - generate the jabberd ssl cert from the server cert and key - """ - - # pylint: disable-next=invalid-name - serverKeyPairDir = os.path.join(d["--dir"], getMachineName(d["--set-hostname"])) - server_key = os.path.join(serverKeyPairDir, d["--server-key"]) - server_cert = os.path.join(serverKeyPairDir, d["--server-cert"]) - - dependencyCheck(server_key) - dependencyCheck(server_cert) - - jabberd_ssl_cert_name = os.path.basename(d["--jabberd-ssl-cert"]) - jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name) - - # Create the jabberd cert - need to concatenate the cert and the key - # XXX there really should be some better error propagation here - fd = None - try: - fd = os.open(jabberd_ssl_cert, os.O_WRONLY | os.O_CREAT) - _copy_file_to_fd(cleanupAbsPath(server_cert), fd) - _copy_file_to_fd(cleanupAbsPath(server_key), fd) - finally: - if fd: - os.close(fd) - return - - # pylint: disable-next=invalid-name def _disableRpmMacros(): mac = cleanupAbsPath("~/.rpmmacros") @@ -1054,12 +1022,10 @@ def genProxyServerTarball_dependencies(d): ca_cert = pathJoin(d["--dir"], d["--ca-cert"]) server_key = pathJoin(serverKeySetDir, d["--server-key"]) server_cert = pathJoin(serverKeySetDir, d["--server-cert"]) - jabberd_ssl_cert = pathJoin(serverKeySetDir, d["--jabberd-ssl-cert"]) dependencyCheck(ca_cert) dependencyCheck(server_key) dependencyCheck(server_cert) - dependencyCheck(jabberd_ssl_cert) # pylint: disable-next=invalid-name @@ -1124,7 +1090,6 @@ def genProxyServerTarball(d, version="1.0", release="1", verbosity=0): repr(os.path.basename(d["--ca-cert"])), repr(pathJoin(machinename, d["--server-key"])), repr(pathJoin(machinename, d["--server-cert"])), - repr(os.path.join(machinename, d["--jabberd-ssl-cert"])), ] # pylint: disable-next=invalid-name 
@@ -1207,273 +1172,6 @@ def genProxyServerTarball(d, version="1.0", release="1", verbosity=0): return tarballFilepath2 -# pylint: disable-next=invalid-name -def genServerRpm_dependencies(d): - """generates server's SSL key set RPM - dependencies check""" - - # pylint: disable-next=invalid-name - serverKeyPairDir = os.path.join(d["--dir"], getMachineName(d["--set-hostname"])) - gendir(serverKeyPairDir) - - server_key_name = os.path.basename(d["--server-key"]) - server_key = os.path.join(serverKeyPairDir, server_key_name) - - server_cert_name = os.path.basename(d["--server-cert"]) - server_cert = os.path.join(serverKeyPairDir, server_cert_name) - - server_cert_req_name = os.path.basename(d["--server-cert-req"]) - # pylint: disable-next=unused-variable - server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) - - jabberd_ssl_cert_name = os.path.basename(d["--jabberd-ssl-cert"]) - # pylint: disable-next=unused-variable - jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name) - - dependencyCheck(server_key) - dependencyCheck(server_cert) - - gen_jabberd_cert(d) - - -# pylint: disable-next=invalid-name -def genServerRpm(d, verbosity=0): - """generates server's SSL key set RPM""" - - # pylint: disable-next=invalid-name - serverKeyPairDir = os.path.join(d["--dir"], getMachineName(d["--set-hostname"])) - - server_key_name = os.path.basename(d["--server-key"]) - server_key = os.path.join(serverKeyPairDir, server_key_name) - - server_cert_name = os.path.basename(d["--server-cert"]) - server_cert = os.path.join(serverKeyPairDir, server_cert_name) - - server_cert_req_name = os.path.basename(d["--server-cert-req"]) - server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) - - jabberd_ssl_cert_name = os.path.basename(d["--jabberd-ssl-cert"]) - jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name) - - server_rpm_name = os.path.basename(d["--server-rpm"]) - server_rpm = os.path.join(serverKeyPairDir, 
server_rpm_name) - - postun_scriptlet = os.path.join(d["--dir"], "postun.scriptlet") - - genServerRpm_dependencies(d) - - if verbosity >= 0: - sys.stderr.write("\n...working...\n") - # check for old installed RPM. - # pylint: disable-next=invalid-name - oldHdr = getInstalledHeader(LEGACY_SERVER_RPM_NAME1) - if oldHdr and LEGACY_SERVER_RPM_NAME1 != server_rpm_name: - sys.stderr.write( - # pylint: disable-next=consider-using-f-string - """ -** NOTE ** older-styled RPM installed (%s), - it needs to be removed before installing the web server's RPM that - is about to generated. -""" - % LEGACY_SERVER_RPM_NAME1 - ) - - if not oldHdr: - # pylint: disable-next=invalid-name - oldHdr = getInstalledHeader(LEGACY_SERVER_RPM_NAME2) - if oldHdr and LEGACY_SERVER_RPM_NAME2 != server_rpm_name: - sys.stderr.write( - # pylint: disable-next=consider-using-f-string - """ -** NOTE ** older-styled RPM installed (%s), - it needs to be removed before installing the web server's RPM that - is about to generated. -""" - % LEGACY_SERVER_RPM_NAME2 - ) - - # check for new installed RPM. - # Work out the release number. - hdr = getInstalledHeader(server_rpm_name) - - # find RPMs in the directory as well. - # pylint: disable-next=consider-using-f-string - filenames = glob.glob("%s-*.noarch.rpm" % server_rpm) - if filenames: - filename = sortRPMs(filenames)[-1] - h = get_package_header(filename) - if hdr is None: - hdr = h - else: - comp = hdrLabelCompare(h, hdr) - if comp > 0: - hdr = h - - # pylint: disable-next=unused-variable - epo, ver, rel = None, "1.0", "0" - if hdr is not None: - epo, ver, rel = hdr["epoch"], hdr["version"], hdr["release"] - - # bump the release - and let's not be too smart about it - # assume the release is a number. 
- if rel: - rel = str(int(rel) + 1) - - description = ( - SERVER_RPM_SUMMARY - # pylint: disable-next=consider-using-f-string - + """ -Best practices suggests that this RPM should only be installed on the web -server with this hostname: %s -""" - % d["--set-hostname"] - ) - - # Determine which jabberd user exists: - jabberd_user = None - possible_jabberd_users = ["jabberd", "jabber"] - for juser_attempt in possible_jabberd_users: - try: - pwd.getpwnam(juser_attempt) - jabberd_user = juser_attempt - # pylint: disable-next=bare-except - except: - # user doesn't exist, try the next - pass - if jabberd_user is None: - print( - "WARNING: No jabber/jabberd user on system, skipping " - + "jabberd.pem generation." - ) - - jabberd_cert_string = "" - if jabberd_user is not None: - # pylint: disable-next=consider-using-f-string - jabberd_cert_string = "/etc/pki/spacewalk/jabberd/server.pem:0600,%s,%s=%s" % ( - jabberd_user, - jabberd_user, - repr(cleanupAbsPath(jabberd_ssl_cert)), - ) - - ## build the server RPM - args = ( - # pylint: disable-next=consider-using-f-string - os.path.join(CERT_PATH, "gen-rpm.sh") + " " - "--name %s --version %s --release %s --packager %s --vendor %s " - "--group 'RHN/Security' --summary %s --description %s --postun %s " - "/etc/httpd/conf/ssl.key/server.key:0600=%s " - "/etc/httpd/conf/ssl.crt/server.crt=%s " - "%s " - % ( - repr(server_rpm_name), - ver, - rel, - repr(d["--rpm-packager"]), - repr(d["--rpm-vendor"]), - repr(SERVER_RPM_SUMMARY), - repr(description), - repr(cleanupAbsPath(postun_scriptlet)), - repr(cleanupAbsPath(server_key)), - repr(cleanupAbsPath(server_cert)), - jabberd_cert_string, - ) - ) - - abs_server_cert_req = cleanupAbsPath(server_cert_req) - if os.path.exists(abs_server_cert_req): - # pylint: disable-next=consider-using-f-string - args += "/etc/httpd/conf/ssl.csr/server.csr=%s" % repr(abs_server_cert_req) - else: - sys.stderr.write( - # pylint: disable-next=consider-using-f-string - "WARNING: Not bundling %s to server 
RPM " - "(file not found)." % repr(server_cert_req) - ) - - # pylint: disable-next=invalid-name,consider-using-f-string - serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel) - - if verbosity >= 0: - print( - # pylint: disable-next=consider-using-f-string - """ -Generating web server's SSL key pair/set RPM: - %s.src.rpm - %s.noarch.rpm""" - % (serverRpmName, serverRpmName) - ) - if verbosity > 1: - print("Commandline:", args) - - if verbosity >= 4: - print("Current working directory:", os.getcwd()) - print("Writing postun_scriptlet:", postun_scriptlet) - # pylint: disable-next=unspecified-encoding - open(postun_scriptlet, "w").write(POST_UNINSTALL_SCRIPT) - - _disableRpmMacros() - cwd = chdir(serverKeyPairDir) - try: - ret, out_stream, err_stream = rhn_popen(args) - finally: - chdir(cwd) - _reenableRpmMacros() - os.unlink(postun_scriptlet) - - out = out_stream.read() - out_stream.close() - err = err_stream.read() - err_stream.close() - - # pylint: disable-next=consider-using-f-string - if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName): - raise GenServerRpmException( - # pylint: disable-next=consider-using-f-string - "web server's SSL key set RPM generation " - "failed:\n%s\n%s" % (out, err) - ) - if verbosity > 2: - if out: - print("STDOUT:", out) - if err: - print("STDERR:", err) - - # pylint: disable-next=consider-using-f-string - os.chmod("%s.noarch.rpm" % serverRpmName, int("0600", 8)) - - # generic the tarball necessary for Spacewalk Proxy against hosted installations - # pylint: disable-next=invalid-name - tarballFilepath = genProxyServerTarball( - d, version=ver, release=rel, verbosity=verbosity - ) - - # write-out latest.txt information - latest_txt = os.path.join(serverKeyPairDir, "latest.txt") - fo = open(latest_txt, "wb") - # pylint: disable-next=consider-using-f-string - fo.write(bstr("%s.noarch.rpm\n" % os.path.basename(serverRpmName))) - # pylint: disable-next=consider-using-f-string - fo.write(bstr("%s.src.rpm\n" % 
os.path.basename(serverRpmName))) - # pylint: disable-next=consider-using-f-string - fo.write(bstr("%s\n" % os.path.basename(tarballFilepath))) - fo.close() - os.chmod(latest_txt, int("0600", 8)) - - if verbosity >= 0: - print( - # pylint: disable-next=consider-using-f-string - """ -Deploy the server's SSL key pair/set RPM: - (NOTE: the SUSE Manager or Proxy installers may do this step for you.) - The "noarch" RPM needs to be deployed to the machine working as a - web server, or SUSE Manager, or SUSE Manager Proxy. - Presumably %s.""" - % repr(d["--set-hostname"]) - ) - - # pylint: disable-next=consider-using-f-string - return "%s.noarch.rpm" % serverRpmName - - # Helper function def _copy_file_to_fd(filename, fd): # pylint: disable-next=unspecified-encoding @@ -1674,21 +1372,11 @@ def _main(): elif getOption(options, "cert_only"): genServerCert_dependencies(getCAPassword(options, confirmYN=0), DEFS) genServerCert(getCAPassword(options, confirmYN=0), DEFS, options.verbose) - elif getOption(options, "rpm_only"): - if getOption(options, "from_server_key"): - _copy_server_ssl_key(DEFS, getOption(options, "from_server_key")) - if getOption(options, "from_server_cert"): - _copy_server_ssl_cert(DEFS, getOption(options, "from_server_cert")) - genServerRpm_dependencies(DEFS) - genServerRpm(DEFS, options.verbose) else: genServer_dependencies(getCAPassword(options, confirmYN=0), DEFS) genServerKey(DEFS, options.verbose) genServerCertReq(DEFS, options.verbose) genServerCert(getCAPassword(options, confirmYN=0), DEFS, options.verbose) - gen_jabberd_cert(DEFS) - if not getOption(options, "no_rpm"): - genServerRpm(DEFS, options.verbose) def main(): diff --git a/spacewalk/certs-tools/spacewalk-certs-tools.changes.cbosdo.no-rpm b/spacewalk/certs-tools/spacewalk-certs-tools.changes.cbosdo.no-rpm new file mode 100644 index 000000000000..1f75a1cd635d --- /dev/null +++ b/spacewalk/certs-tools/spacewalk-certs-tools.changes.cbosdo.no-rpm 
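Review bot: With the `rpm_only` branch removed from `_main`, a `--gen-server --rpm-only` invocation that still gets past option parsing would land in the final `else:` and run `genServerKey`, `genServerCertReq` and `genServerCert`, which is a full regeneration rather than the packaging step the caller asked for. Whether the parser now rejects that combination depends on code outside these hunks, because the sslToolCli.py change only removes the `optionsTree["--gen-server"] = _serverRpmOnlySet` override. Please confirm it fails with a usage error, or add an explicit guard such as `elif getOption(options, "rpm_only"): raise ValueError("--rpm-only is not supported with --gen-server")` in the project's usual error style. Separately, `_copy_server_ssl_key`, `_copy_server_ssl_cert` and `_copy_file_to_fd` lose their only callers visible in this diff and may be removable if nothing else uses them.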
@@ -0,0 +1,2 @@ +- Remove rhn-ssl-tool --gen-server RPM feature and options + (bsc#1235696) diff --git a/spacewalk/certs-tools/sslToolCli.py b/spacewalk/certs-tools/sslToolCli.py index 430ab4e1939c..7406e03a20b9 100644 --- a/spacewalk/certs-tools/sslToolCli.py +++ b/spacewalk/certs-tools/sslToolCli.py @@ -167,13 +167,6 @@ def _getOptionsTree(defs): help="(rarely changed) RPM name that houses the CA SSL public certificate (the base filename, not filename-version-release.noarch.rpm).", ) # pylint: disable-next=invalid-name - _optServerRpm = make_option( - "--server-rpm", - action="store", - type="string", - help="(rarely changed) RPM name that houses the web server's SSL key set (the base filename, not filename-version-release.noarch.rpm).", - ) - # pylint: disable-next=invalid-name _optServerTar = make_option( "--server-tar", action="store", @@ -215,20 +208,6 @@ def _getOptionsTree(defs): type="string", help="(for usage with --gen-ca and --rpm-only) Use a custom CA certificate from the given file. Note this doesn't affect the output CA certificate filename (for this use --ca-cert option).", ) - # pylint: disable-next=invalid-name - _optFromServerKey = make_option( - "--from-server-key", - action="store", - type="string", - help="(for usage with --gen-server and --rpm-only) Use a server private SSL key from the given file. Note this doesn't affect the output server key filename (for this use --server-key option).", - ) - # pylint: disable-next=invalid-name - _optFromServerCert = make_option( - "--from-server-cert", - action="store", - type="string", - help="(for usage with --gen-server and --rpm-only) Use server public SSL certificate from the given file. Note this doesn't affect the output server certificate filename (for this use --server-cert option).", - ) # pylint: disable-next=invalid-name _optSetHostname = make_option( 
@@ -456,8 +435,7 @@ def _getOptionsTree(defs): + _serverConfOptions + _genOptions + [_optServerKeyOnly, _optServerCertReqOnly, _optServerCertOnly] - + _buildRpmOptions - + [_optServerRpm, _optServerTar, _optNoRpm] + + [_optServerTar] ) # pylint: disable-next=invalid-name _serverKeyOnlySet = ( @@ -476,21 +454,6 @@ def _getOptionsTree(defs): _serverCertOnlySet = ( [_optGenServer] + _serverCertOptions + _genOptions + [_optServerCertOnly] ) - # pylint: disable-next=invalid-name - _serverRpmOnlySet = ( - [ - _optGenServer, - _optServerKey, - _optServerCertReq, - _optServerCert, - _optSetHostname, - _optSetCname, - ] - + _buildRpmOptions - + [_optFromServerKey, _optFromServerCert] - + [_optServerRpm, _optServerTar] - + _genOptions - ) # CA key check set possibilities # pylint: disable-next=invalid-name @@ -544,7 +507,6 @@ def _getOptionsTree(defs): optionsTree["--gen-server"] = _serverCertReqOnlySet elif "--rpm-only" in sys.argv: optionsTree["--gen-ca"] = _caRpmOnlySet - optionsTree["--gen-server"] = _serverRpmOnlySet # pylint: disable-next=invalid-name baseOptions = [_optGenCa, _optGenServer, _optCheckKey, _optCheckCert] diff --git a/spacewalk/certs-tools/sslToolConfig.py b/spacewalk/certs-tools/sslToolConfig.py index e59460b7a10a..0d8aba9059fd 100644 --- a/spacewalk/certs-tools/sslToolConfig.py +++ b/spacewalk/certs-tools/sslToolConfig.py @@ -37,7 +37,7 @@ ) # pylint: disable-next=unused-import -from .sslToolLib import getMachineName, daysTil18Jan2038, incSerial, fixSerial +from .sslToolLib import getMachineName, daysTil18Jan2038, fixSerial from rhn.stringutils import sstr # defaults where we can see them (NOTE: directory is figured at write time) @@ -113,7 +113,6 @@ def getStartDate_aWeekAgo(): "--server-key": "server.key", "--server-cert-req": "server.csr", "--server-cert": "server.crt", - "--jabberd-ssl-cert": "server.pem", "--set-country": "US", "--set-common-name": "", # these two will never appear "--set-hostname": HOSTNAME, # at the same time on the CLI 
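Review bot: `_optServerTar` stays in the default `--gen-server` option list (`+ [_optServerTar]`), but the only call to `genProxyServerTarball` visible in this diff was inside the removed `genServerRpm`, and the new `_main` else-branch stops after `genServerCert`. If no other caller exists outside these hunks, `--server-tar` is now accepted and silently ignored, while the man page still lists `rhn-org-httpd-ssl-archive-MACHINE_NAME-VER-REL.tar` as an output. Either drop `_optServerTar` together with `genProxyServerTarball` and `genProxyServerTarball_dependencies`, or call the tarball step from `_main` if proxy installations still need the archive. The list assignment begins above the hunk.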
@@ -839,33 +838,6 @@ def save(self, d, caYN=0, verbosity=0): ## generated RPM "configuration" dumping ground: ## -POST_UNINSTALL_SCRIPT = """\ -if [ \$1 = 0 ]; then - # The following steps are copied from mod_ssl's postinstall scriptlet - # Make sure the permissions are okay - umask 077 - - if [ ! -f /etc/httpd/conf/ssl.key/server.key ] ; then - /usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/httpd/conf/ssl.key/server.key 2> /dev/null - fi - - if [ ! -f /etc/httpd/conf/ssl.crt/server.crt ] ; then - cat << EOF | /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt 2>/dev/null --- -SomeState -SomeCity -SomeOrganization -SomeOrganizationalUnit -localhost.localdomain -root@localhost.localdomain -EOF - fi - /sbin/service httpd graceful || /sbin/service httpd try-restart - exit 0 -fi -""" - -SERVER_RPM_SUMMARY = "Organizational server (httpd) SSL key-pair/key-set." CA_CERT_RPM_SUMMARY = "Organizational public SSL CA certificate " "(client-side)." diff --git a/spacewalk/setup/bin/spacewalk-setup b/spacewalk/setup/bin/spacewalk-setup index 0fbf2b9f5df2..cc97ab8b2295 100755 --- a/spacewalk/setup/bin/spacewalk-setup +++ b/spacewalk/setup/bin/spacewalk-setup @@ -600,7 +600,7 @@ sub generate_server_cert { $params{'cert-expiration'} *= 365; - my @opts = ("--gen-server", "--no-rpm"); + my @opts = ("--gen-server"); foreach my $name (keys %params) { next unless ($params{$name}); diff --git a/spacewalk/setup/spacewalk-setup.changes.cbosdo.no-rpm b/spacewalk/setup/spacewalk-setup.changes.cbosdo.no-rpm new file mode 100644 index 000000000000..1f75a1cd635d --- /dev/null +++ b/spacewalk/setup/spacewalk-setup.changes.cbosdo.no-rpm @@ -0,0 +1,2 @@ +- Remove rhn-ssl-tool --gen-server RPM feature and options + (bsc#1235696) 
diff --git a/utils/spacewalk-hostname-rename b/utils/spacewalk-hostname-rename index 27b5a55c32fe..678a0b69bc9f 100755 --- a/utils/spacewalk-hostname-rename +++ b/utils/spacewalk-hostname-rename @@ -373,7 +373,7 @@ function re-generate_server_ssl_certificate { else echo " No need to generate a new SSL CA Certificate" | tee -a $LOG fi - echo "rhn-ssl-tool --gen-server --no-rpm \ + echo "rhn-ssl-tool --gen-server \ --dir="$SSL_BUILD_DIR" \ --set-country="$SSL_COUNTRY" \ --set-state="$SSL_STATE" \ @@ -383,7 +383,7 @@ function re-generate_server_ssl_certificate { --set-email="$SSL_EMAIL" \ --set-hostname="${HOSTNAME}" \ " >> $LOG - rhn-ssl-tool --gen-server --no-rpm \ + rhn-ssl-tool --gen-server \ --dir="$SSL_BUILD_DIR" \ --set-country="$SSL_COUNTRY" \ --set-state="$SSL_STATE" \ diff --git a/utils/spacewalk-utils.changes.cbosdo.no-rpm b/utils/spacewalk-utils.changes.cbosdo.no-rpm new file mode 100644 index 000000000000..1f75a1cd635d --- /dev/null +++ b/utils/spacewalk-utils.changes.cbosdo.no-rpm @@ -0,0 +1,2 @@ +- Remove rhn-ssl-tool --gen-server RPM feature and options + (bsc#1235696)