Hi,
Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a):
No longer request and install a cert for the IPA client machine.
rob
The original plan was to keep generating the certificate, but in
/etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
I'm fine with either approach.
--
Jan Cholasta
>From 4698fca8d4c749f599f67ee3175a23474dacf953 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 4 Sep 2014 14:24:47 +0200
Subject: [PATCH] Do not use /etc/pki/nssdb for IPA host certificate in
ipa-client-install
Put the certificate in /etc/ipa/nssdb instead and shorten its nickname.
https://fedorahosted.org/freeipa/ticket/4449
---
freeipa.spec.in | 6 +++
ipa-client/ipa-install/ipa-client-install | 69 ++++++++++++++++++++++++-------
ipaplatform/base/paths.py | 1 +
3 files changed, 61 insertions(+), 15 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5b9fa8e..2d9b7b3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -413,6 +413,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
mkdir -p %{buildroot}%{_sysconfdir}/ipa/
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+install -d -m 755 %{buildroot}%{_sysconfdir}/ipa/nssdb
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
%if ! %{ONLY_CLIENT}
@@ -782,6 +783,11 @@ fi
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%if ! %{ONLY_CLIENT}
%files tests -f tests-python.list
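Review bot: The four new `%ghost` entries carry no `%attr`, unlike the `default.conf` and `ca.crt` lines just above them, and the spec never touches these files in the buildroot either, so the ownership and mode rpm records for them are whatever the default is rather than what the installer sets. For `pwdfile.txt`, which holds the NSS database password and is chmod'ed to 0600 by ipa-client-install, I would declare the mode explicitly, `%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt`, so that `rpm -V` and `rpm --setperms` agree with the installer instead of flagging or loosening it; the three `*.db` files can likewise get `%attr(0644,root,root)` to match the chmods in configure_certmonger.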
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 617db26..82ca904 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -73,7 +73,7 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
+client_nss_nickname = 'This host'
def parse_options():
def validate_ca_cert_file_option(option, opt, value, parser):
@@ -225,8 +225,10 @@ def logging_setup(options):
def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error))
-def nickname_exists(nickname):
- (sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False)
+def nickname_exists(nickname, db_dir=paths.NSS_DB_DIR):
+ (sout, serr, returncode) = run([paths.CERTUTIL, "-L",
+ "-d", db_dir,
+ "-n", nickname], raiseonerr=False)
if returncode == 0:
return True
@@ -480,8 +482,6 @@ def uninstall(options, env):
if hostname is None:
hostname = socket.getfqdn()
- client_nss_nickname = client_nss_nickname_format % hostname
-
# Remove our host cert and CA cert
if nickname_exists("IPA CA"):
try:
@@ -505,17 +505,38 @@ def uninstall(options, env):
log_service_error(cmonger.service_name, 'start', e)
try:
- certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
+ certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname=client_nss_nickname)
except (CalledProcessError, RuntimeError), e:
root_logger.error("%s failed to stop tracking certificate: %s",
- cmonger.service_name, str(e))
+ cmonger.service_name, e)
- if nickname_exists(client_nss_nickname):
+ if nickname_exists(client_nss_nickname, paths.IPA_NSSDB_DIR):
try:
- run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", client_nss_nickname])
+ ipautil.run([paths.CERTUTIL, '-D',
+ '-d', paths.IPA_NSSDB_DIR,
+ '-n', client_nss_nickname])
except Exception, e:
- root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s",
- client_nss_nickname, str(e))
+ root_logger.error("Failed to remove %s from %s: %s",
+ client_nss_nickname, paths.IPA_NSSDB_DIR, e)
+
+ legacy_client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+
+ try:
+ certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=legacy_client_nss_nickname)
+ except (CalledProcessError, RuntimeError), e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
+
+ if nickname_exists(legacy_client_nss_nickname):
+ try:
+ ipautil.run([paths.CERTUTIL, '-D',
+ '-d', paths.NSS_DB_DIR,
+ '-n', legacy_client_nss_nickname])
+ except Exception, e:
+ root_logger.error("Failed to remove %s from %s: %s",
+ legacy_client_nss_nickname, paths.NSS_DB_DIR, e)
try:
cmonger.stop()
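Review bot: The new removal code deletes the host certificate with `certutil -D` from both databases but leaves /etc/ipa/nssdb's key3.db and pwdfile.txt untouched, so the host's private key and the password that unlocks it outlive unenrollment; `-D` removes only the certificate, whereas `-F` removes the private key together with it, so use `'-F'` for the IPA_NSSDB_DIR case (and, if nothing else is expected to live in that database, remove the files the installer created as well). On the legacy /etc/pki/nssdb path keeping `-D` is reasonable since that database is shared with other software. A smaller point of style: the lines kept from the old code still call bare `run(...)` while the added lines call `ipautil.run(...)`; pick one spelling within the function. uninstall continues outside the hunk.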
@@ -1114,12 +1135,30 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
# Request our host cert
if remote_env['enable_ra']:
if started:
- client_nss_nickname = client_nss_nickname_format % hostname
+ # FIXME: replace with NSSDatabase code when
+ # <https://fedorahosted.org/freeipa/ticket/4416> is fixed
+ passwd_filename = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+ if not ipautil.file_exists(passwd_filename):
+ with open(passwd_filename, 'w') as f:
+ f.write(ipautil.ipa_generate_password(pwd_len=40))
+ os.chmod(passwd_filename, 0600)
+ try:
+ ipautil.run([paths.CERTUTIL, '-N',
+ '-d', paths.IPA_NSSDB_DIR,
+ '-f', passwd_filename])
+ except CalledProcessError, e:
+ root_logger.error(
+ "Failed to create IPA NSS database: %s", e)
+ os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), 0644)
+ os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), 0644)
+ os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), 0644)
+
subject = DN(('CN', hostname), subject_base)
try:
- run(["ipa-getcert", "request", "-d", paths.NSS_DB_DIR,
- "-n", client_nss_nickname, "-N", str(subject),
- "-K", principal])
+ certmonger.request_cert(paths.IPA_NSSDB_DIR,
+ client_nss_nickname,
+ str(subject), principal,
+ passwd_filename)
except Exception:
root_logger.error("%s request for host certificate failed",
cmonger.service_name)
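Review bot: pwdfile.txt is written through a plain `open(passwd_filename, 'w')` and only chmod'ed to 0600 afterwards, so for a short window the database password sits in a file created under the process umask (typically 0644) inside the world-readable /etc/ipa/nssdb; create it with `os.open(passwd_filename, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)` and `os.fdopen` so it is never readable by other users. Two related problems in the same added block: database creation is nested under the pwdfile-missing check, so a rerun after a failed `certutil -N` (password file present, cert8.db absent) never creates the database, and after the logged CalledProcessError the three `os.chmod` calls run anyway and raise an uncaught OSError on files that do not exist. The rewrite below keys database creation on cert8.db and moves the chmods into an `else`. configure_certmonger starts and ends outside the hunk.
```python
            passwd_filename = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
            if not ipautil.file_exists(passwd_filename):
                # create the file 0600 from the start so the password is
                # never exposed under the default umask
                fd = os.open(passwd_filename,
                             os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)
                with os.fdopen(fd, 'w') as f:
                    f.write(ipautil.ipa_generate_password(pwd_len=40))
            if not ipautil.file_exists(
                    os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
                try:
                    ipautil.run([paths.CERTUTIL, '-N',
                                 '-d', paths.IPA_NSSDB_DIR,
                                 '-f', passwd_filename])
                except CalledProcessError, e:
                    root_logger.error(
                        "Failed to create IPA NSS database: %s", e)
                else:
                    # only relax modes on files certutil actually created
                    for name in ('cert8.db', 'key3.db', 'secmod.db'):
                        os.chmod(os.path.join(paths.IPA_NSSDB_DIR, name),
                                 0644)
            # … unchanged: subject construction and certmonger.request_cert …
```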
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 92ccb76..546fa1b 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -63,6 +63,7 @@ class BasePathNamespace(object):
IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
IPA_CA_CRT = "/etc/ipa/ca.crt"
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+ IPA_NSSDB_DIR = "/etc/ipa/nssdb"
KRB5_CONF = "/etc/krb5.conf"
KRB5_KEYTAB = "/etc/krb5.keytab"
LDAP_CONF = "/etc/ldap.conf"
--
1.9.3