Hi,

the attached patches fix <https://fedorahosted.org/freeipa/ticket/4550>.

Honza

--
Jan Cholasta
>From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert

https://fedorahosted.org/freeipa/ticket/4550
---
 ipapython/certmonger.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index bcfafda..05071a0 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -253,9 +253,12 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
     Execute certmonger to request a server certificate.
     """
     cm = _connect_to_certmonger()
+    ca_path = cm.obj_if.find_ca_by_nickname('IPA')
     request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
                               CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
-                              SUBJECT=subject, PRINCIPAL=principal,)
+                              KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
+                              SUBJECT=subject, PRINCIPAL=[principal],
+                              CA=ca_path)
     if passwd_fname:
         request_parameters['KEY_PIN_FILE'] = passwd_fname
     result = cm.obj_if.add_request(request_parameters)
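Review bot: The CA object path from `find_ca_by_nickname('IPA')` on the added line is passed into request_parameters without any check; I can't tell from this hunk what that D-Bus call returns when no CA with that nickname is registered, but if it is a placeholder value rather than an exception, the request is submitted against a non-existent CA and fails later with a much less obvious error. A guard such as `if not ca_path: raise RuntimeError('certmonger CA "IPA" not found')` before building the dict would make the failure explicit at the call site. The hunk also changes PRINCIPAL from a plain string to a one-element list while the `principal` parameter is still a string; the docstring above the hunk should say so, e.g. `principal is a single principal string; certmonger expects a list, so it is wrapped here`. request_cert continues past the end of the hunk.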
-- 
1.9.3

>From 993d4393388df2b4f0cad83ce5e1093b5c783e78 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request
 cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".

https://fedorahosted.org/freeipa/ticket/4550
---
 ipa-client/ipa-install/ipa-client-install | 104 ++++++++++++++++++++++++++----
 ipa-client/man/ipa-client-install.1       |   4 ++
 2 files changed, 96 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df9..9584ba4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
 
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
     def validate_ca_cert_file_option(option, opt, value, parser):
         if not os.path.exists(value):
@@ -158,6 +156,8 @@ def parse_options():
     basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
                            type="string", action="callback", callback=validate_ca_cert_file_option,
                            help="load the CA certificate from this file")
+    basic_group.add_option("--request-cert", dest="request_cert",
+                           action="store_true", default=False)
     # --on-master is used in ipa-server-install and ipa-replica-install
     # only, it isn't meant to be used on clients.
     basic_group.add_option("--on-master", dest="on_master", action="store_true",
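Review bot: The new `--request-cert` option on the added lines has no `help=` string, so it shows up in `--help` output with no description, unlike the `--ca-cert-file` option immediately above it in the same hunk. Add `help="request certificate for the machine"`, which matches the wording used in the man page hunk of this patch. parse_options continues outside the hunk.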
@@ -482,11 +482,11 @@ def uninstall(options, env):
     if hostname is None:
         hostname = socket.getfqdn()
 
-    client_nss_nickname = client_nss_nickname_format % hostname
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
 
     # Always start certmonger. We can't untrack something if it isn't
-    # running. Note that this is legacy code to untrack any certificates
-    # that were created by previous versions of this installer.
+    # running
     messagebus = services.knownservices.messagebus
     try:
         messagebus.start()
@@ -499,14 +499,24 @@ def uninstall(options, env):
     except Exception, e:
         log_service_error(cmonger.service_name, 'start', e)
 
-    try:
-        certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-    except (CalledProcessError, RuntimeError), e:
-        root_logger.error("%s failed to stop tracking certificate: %s",
-            cmonger.service_name, str(e))
+    if ipa_db.has_nickname('Local IPA host'):
+        try:
+            certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+                                     nickname='Local IPA host')
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)
+
+    client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+    if sys_db.has_nickname(client_nss_nickname):
+        try:
+            certmonger.stop_tracking(paths.NSS_DB_DIR,
+                                     nickname=client_nss_nickname)
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)
 
     # Remove our host cert and CA cert
-    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
     try:
         ipa_certs = ipa_db.list_certs()
     except CalledProcessError, e:
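Review bot: The `has_nickname()` calls on the two new `if` lines run unguarded, while the replaced code caught `CalledProcessError` around the untracking step and `list_certs()` on the same database object further down in this hunk is still wrapped in `except CalledProcessError`; if has_nickname raises it (I'd assume it shells out the same way, but can't confirm from here), uninstall now aborts before the certificate cleanup instead of logging and continuing. Either keep `CalledProcessError` in the narrowed `except RuntimeError, e:` clauses or wrap the has_nickname checks the way list_certs is wrapped. The two new try/except blocks are identical apart from the database directory and nickname; a small local helper taking `(dbdir, nickname)` would remove the duplication. The nickname `'Local IPA host'` is now spelled as a literal here, again in the configure_certmonger hunk and in the man page; a module-level constant next to the remaining path constants at the top of the file would keep the three from drifting. uninstall continues outside the hunk.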
@@ -523,7 +533,6 @@ def uninstall(options, env):
         except OSError, e:
             root_logger.error("Failed to remove %s: %s", filename, e)
 
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
     for nickname, trust_flags in ipa_certs:
         while sys_db.has_nickname(nickname):
             try:
@@ -1082,6 +1091,75 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 
     return 0
 
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+                         remote_env):
+    if not options.request_cert:
+        return
+
+    if not remote_env['enable_ra']:
+        root_logger.warning(
+            "A RA is not configured on the server. "
+            "Not requesting host certificate.")
+        return
+
+    started = True
+    principal = 'host/%s@%s' % (hostname, cli_realm)
+
+    messagebus = services.knownservices.messagebus
+    try:
+        messagebus.start()
+    except Exception, e:
+        log_service_error(messagebus.service_name, 'start', e)
+
+    # Ensure that certmonger has been started at least once to generate the
+    # cas files in /var/lib/certmonger/cas.
+    cmonger = services.knownservices.certmonger
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+
+    if options.hostname:
+        # It needs to be stopped if we touch them
+        try:
+            cmonger.stop()
+        except Exception, e:
+            log_service_error(cmonger.service_name, 'stop', e)
+        # If the hostname is explicitly set then we need to tell certmonger
+        # which principal name to use when requesting certs.
+        certmonger.add_principal_to_cas(principal)
+
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+        started = False
+
+    try:
+        cmonger.enable()
+    except Exception, e:
+        root_logger.error(
+            "Failed to configure automatic startup of the %s daemon: %s",
+            cmonger.service_name, str(e))
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+
+    # Request our host cert
+    if started:
+        subject = str(DN(('CN', hostname), subject_base))
+        passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+        try:
+            certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+                                    nickname='Local IPA host',
+                                    subject=subject,
+                                    principal=principal,
+                                    passwd_fname=passwd_fname)
+        except Exception:
+            root_logger.error("%s request for host certificate failed",
+                              cmonger.service_name)
+
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
     try:
         sssdconfig = SSSDConfig.SSSDConfig()
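Review bot: The `except Exception:` at the end of the new configure_certmonger discards the failure reason, so a failed host certificate request is logged with no indication of why, whereas every other handler in the same function binds `e` and logs it; change it to `except Exception, e:` with `root_logger.error("%s request for host certificate failed: %s", cmonger.service_name, e)`. The `fstore` parameter is accepted but never used in the body, and the function has no docstring; a short one stating that it is a no-op unless `--request-cert` was given and the server reports `enable_ra`, that it restarts and enables certmonger, and that the request is only submitted when the restart succeeded would help the next reader. The pin file `pwdfile.txt` under IPA_NSSDB_DIR is handed to certmonger as the key PIN file without checking that it exists; I'd assume an earlier installer step creates it, but a comment naming that step would make the dependency explicit.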
@@ -2612,6 +2690,8 @@ def install(options, env, fstore, statestore):
 
     if not options.on_master:
         client_dns(cli_server[0], hostname, options.dns_updates)
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
+                             options, remote_env)
 
     update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
 
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 279d66a..726a6c1 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -166,6 +166,9 @@ file. The CA certificate found in \fICA_FILE\fR is considered
 authoritative and will be installed without checking to see if it's
 valid for the IPA domain.
 .TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
 \fB\-\-automount\-location\fR=\fILOCATION\fR
 Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
 automount location.
@@ -226,6 +229,7 @@ Files always created (replacing existing content):
 /etc/krb5.conf\p
 /etc/ipa/ca.crt\p
 /etc/ipa/default.conf\p
+/etc/ipa/nssdb\p
 /etc/openldap/ldap.conf\p
 .TP
 Files updated, existing content is maintained:
-- 
1.9.3
