We issue a server certificate into /etc/pki/nssdb when a client is
enrolled. Use a more specific nickname, 'IPA Machine Certificate -
<fqdn>', rather than Server-Cert.
rob
>From 6a65c39bd775f44c359667e77bbd240e8c3a6356 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Fri, 17 Sep 2010 16:32:35 -0400
Subject: [PATCH] Use a more specific name for the IPA server certificate we install.
This should avoid conflicts with any other certs that might be installed
there.
ticket 49
---
ipa-client/ipa-install/ipa-client-install | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index cf002d3..5431909 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,6 +23,7 @@ try:
import sys
import os
+ import time
import socket
import logging
import tempfile
@@ -46,6 +47,7 @@ error was:
""" % sys.exc_value
sys.exit(1)
+client_nss_nickname = 'IPA Machine Certificate - %s' % socket.getfqdn()
def parse_options():
parser = OptionParser(version=version.VERSION)
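Review bot: `client_nss_nickname` on the added line is computed from `socket.getfqdn()` at import time, so the name the certificate is stored under depends on the host's name resolution at the moment the script runs; if the FQDN resolves differently at uninstall than at enrollment, the `nickname_exists(client_nss_nickname)` check and the `certutil -D` / `stop_tracking` calls in the two uninstall hunks look for a nickname that is not in the database, and the certificate is left installed and tracked. The `ipa-getcert request` in the configure_certmonger hunk reads the same value, so the install-time and uninstall-time results must agree for cleanup to work. Consider recording the nickname actually used at install time and reading it back in uninstall rather than recomputing it (the fstore passed to configure_certmonger looks like the place for such state, if it persists across runs — to confirm). Note also that the DNS lookup now runs at module import, before parse_options() is reached, on every invocation.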
@@ -183,7 +185,7 @@ def uninstall(options):
run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
except Exception, e:
print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
- if nickname_exists("Server-Cert"):
+ if nickname_exists(client_nss_nickname):
# Always start certmonger. We can't untrack something if it isn't
# running
try:
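Review bot: Replacing `nickname_exists("Server-Cert")` on the changed line means a client enrolled by an earlier version, whose certificate sits under the old nickname, is no longer cleaned up by uninstall: the `certutil -D` and `certmonger.stop_tracking` calls in the next hunk switch to the new name as well, so the legacy certificate stays in /etc/pki/nssdb and remains tracked by certmonger. Unless old clients are guaranteed to be uninstalled before upgrading (not visible here), uninstall should handle both names, e.g. wrap the existing removal block in `for nickname in (client_nss_nickname, "Server-Cert"):` guarded by `if nickname_exists(nickname):` and pass `nickname` to the three calls in place of the literal. The enclosing uninstall function starts and ends outside this hunk.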
@@ -191,13 +193,13 @@ def uninstall(options):
except:
pass
try:
- certmonger.stop_tracking('/etc/pki/nssdb', nickname='Server-Cert')
+ certmonger.stop_tracking('/etc/pki/nssdb', nickname=client_nss_nickname)
except (CalledProcessError, RuntimeError), e:
logging.error("certmonger failed to stop tracking certificate: %s" % str(e))
try:
- run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+ run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
except Exception, e:
- print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
+ print "Failed to remove %s from /etc/pki/nssdb: %s" % (client_nss_nickname, str(e))
try:
service('certmonger', 'stop')
@@ -452,7 +454,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, options):
subject = 'CN=%s,%s' % (socket.getfqdn(), subject_base)
principal = 'host/%...@%s' % (socket.getfqdn(), cli_realm)
try:
- run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", "Server-Cert", "-N", subject, "-K", principal])
+ run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname, "-N", subject, "-K", principal])
except:
print "certmonger request for host certificate failed"
@@ -708,6 +710,7 @@ def main():
cmd.append("--enablemkhomedir")
run(cmd)
print message
+ time.sleep(1)
#Check nss_ldap is working properly
if not options.on_master:
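Review bot: The added `time.sleep(1)` carries no comment saying what it waits for, and a fixed delay is a guess rather than a synchronization: if it is meant to let the configuration applied by the `run(cmd)` just above (the command is built outside the hunk) take effect before the nss_ldap check below, a slow host still races and a fast one waits for nothing. At minimum document the intent, e.g. `# give the configuration change above a moment to settle before the nss_ldap check`; better, poll the condition the check depends on with a bounded retry instead of sleeping once. main() continues outside the hunk on both sides.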
--
1.7.2.1