URL: https://github.com/freeipa/freeipa/pull/4898
Author: tiran
Title: #4898: [Backport][ipa-4-8] Specify cert_paths when calling PKIConnection
Action: opened

PR body:
"""
This PR was opened automatically because PR #4820 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4898/head:pr4898
git checkout pr4898
From 0401b77bc97b8cebe7804e8cc6c140cbff5d56e3 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <[email protected]>
Date: Fri, 19 Jun 2020 08:48:56 -0400
Subject: [PATCH] Specify cert_paths when calling PKIConnection

PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Christian Heimes <[email protected]>
---
 freeipa.spec.in                       |  6 +++---
 install/tools/ipa-pki-wait-running.in |  3 ++-
 ipaserver/install/cainstance.py       |  7 +++++++
 ipaserver/install/dogtaginstance.py   |  3 ++-
 ipaserver/plugins/dogtag.py           | 11 +++++------
 5 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 74e752ea56..d00b9d6401 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,9 +112,9 @@
 # Fedora
 %endif
 
-# 10.7.3 supports LWCA key replication using AES
-# https://pagure.io/freeipa/issue/8020
-%global pki_version 10.7.3-1
+# PKIConnection has been modified to always validate certs.
+# https://pagure.io/freeipa/issue/8379
+%global pki_version 10.9.0-0.4
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
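Review bot: the replaced comment on the `pki_version` floor dropped the note that 10.7.3 was required for LWCA key replication using AES (https://pagure.io/freeipa/issue/8020); 10.9.0-0.4 still satisfies that, but consider keeping both issue references in the comment so that a later edit of the floor does not unknowingly go back below 10.7.3.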
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 69f5ec296f..4f0f2f34a7 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
     """
     conn = PKIConnection(
         hostname=hostname,
-        subsystem=subsystem
+        subsystem=subsystem,
+        cert_paths=paths.IPA_CA_CRT
     )
     logger.info(
         "Created connection %s://%s:%s/%s",
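Review bot: the added line references `paths.IPA_CA_CRT`, but this hunk shows no import of `paths` in ipa-pki-wait-running.in; confirm the tool already imports it, otherwise it will fail with a NameError at startup instead of waiting for PKI. The connection is now verified against the IPA CA only, so if the tool is ever run before the CA certificate file is written, the failure will be a TLS verification error rather than a timeout; a log line naming the cert path used would make that easier to diagnose.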
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 706bc28ccc..9294f1dba0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -509,6 +509,13 @@ def __spawn_instance(self):
         else:
             pki_pin = None
 
+        # When spawning a CA instance, always point to IPA_CA_CRT if it
+        # exists. Later, when we're performing step 2 of an external CA
+        # installation, we'll overwrite this key to point to the real
+        # external CA.
+        if os.path.exists(paths.IPA_CA_CRT):
+            cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
+
         if self.clone:
             if self.no_db_setup:
                 cfg.update(
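Review bot: the `os.path.exists(paths.IPA_CA_CRT)` guard means a missing file silently leaves `pki_cert_chain_path` unset and pkispawn falls back to whatever default trust it has; consider logging at debug level on the negative branch so a later verification failure can be traced back to this point. The comment documents that step 2 of an external CA install overwrites the key, which is the right place to note it, but the hunk does not show that overwrite, so a reviewer should confirm it exists in the external CA path.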
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 361d80a8c3..7e295665cf 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -70,7 +70,8 @@ def get_security_domain():
     connection = PKIConnection(
         protocol='https',
         hostname=api.env.ca_host,
-        port='8443'
+        port='8443',
+        cert_paths=paths.IPA_CA_CRT
     )
     domain_client = pki.system.SecurityDomainClient(connection)
     info = domain_client.get_security_domain_info()
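Review bot: with `cert_paths=paths.IPA_CA_CRT` now enforcing peer verification, `hostname=api.env.ca_host` must match a name in the CA server's certificate; if `ca_host` can hold an alias or address rather than the canonical FQDN, the security domain lookup will fail with a TLS error where it previously connected, so that expectation should be documented near this call. The port `'8443'` is still hard-coded here while other call sites take it from configuration; not introduced by this change, but worth a follow-up.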
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4de26d76fb..b300f6b181 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2082,13 +2082,12 @@ def get_client(self):
             'https',
             self.kra_host,
             str(self.kra_port),
-            'kra')
+            'kra',
+            cert_paths=paths.IPA_CA_CRT
+        )
 
-        connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
-        # uncomment the following when this commit makes it to release
-        # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
-        # connection.set_authentication_cert(paths.RA_AGENT_PEM,
-        #                                    paths.RA_AGENT_KEY)
+        connection.set_authentication_cert(paths.RA_AGENT_PEM,
+                                           paths.RA_AGENT_KEY)
 
         try:
             yield KRAClient(connection, crypto)
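Review bot: switching from the direct `connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)` assignment to `connection.set_authentication_cert(...)` depends on the PKI client API that the removed comment was waiting for, so this hunk is only correct together with the `pki_version` bump to 10.9.0-0.4 in freeipa.spec.in; the backport must not be split into separate commits. The call also mixes four positional arguments with the keyword `cert_paths`; naming `subsystem='kra'` would make the argument list easier to check against the PKIConnection signature.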
_______________________________________________
FreeIPA-devel mailing list -- [email protected]