Dne 16.10.2014 v 17:29 Jan Cholasta napsal(a):
Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a):
On 8.10.2014 10:38, Jan Cholasta wrote:
Hi,
the attached patches fix <https://fedorahosted.org/freeipa/ticket/4550>.
Honza
Works fine. Just minor ones:
1. The new option deserves a 'help' text.
basic_group.add_option("--request-cert", dest="request_cert",
action="store_true", default=False)
Good point, will fix.
2. Typo: 'A RA is not'
Not a typo, it was reverted from
<https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=058c1f453c4e2df38eec57ba605cd5dc492eb978>
and has been around since
<https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=67c7bd3060461f0050640aca682da155e667875b>.
Updated rebased patches attached.
--
Jan Cholasta
>From d79850e08cbfe8fc3954313bc53049b602140bfc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert
https://fedorahosted.org/freeipa/ticket/4550
---
ipapython/certmonger.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index dc6cff9..ac095f0 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -254,9 +254,14 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
Execute certmonger to request a server certificate.
"""
cm = _connect_to_certmonger()
+ ca_path = cm.obj_if.find_ca_by_nickname('IPA')
+ if not ca_path:
+ raise RuntimeError('IPA CA not found')
request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
- SUBJECT=subject, PRINCIPAL=principal,)
+ KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
+ SUBJECT=subject, PRINCIPAL=[principal],
+ CA=ca_path)
if passwd_fname:
request_parameters['KEY_PIN_FILE'] = passwd_fname
result = cm.obj_if.add_request(request_parameters)
--
1.9.3
>From 0b2f44fbef89e2d0998b57bb423841771a6e1955 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request
cert for the host
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".
https://fedorahosted.org/freeipa/ticket/4550
---
ipa-client/ipa-install/ipa-client-install | 105 ++++++++++++++++++++++++++----
ipa-client/man/ipa-client-install.1 | 4 ++
2 files changed, 97 insertions(+), 12 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df9..3b6e581 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
def parse_options():
def validate_ca_cert_file_option(option, opt, value, parser):
if not os.path.exists(value):
@@ -158,6 +156,9 @@ def parse_options():
basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
type="string", action="callback", callback=validate_ca_cert_file_option,
help="load the CA certificate from this file")
+ basic_group.add_option("--request-cert", dest="request_cert",
+ action="store_true", default=False,
+ help="request certificate for the machine")
# --on-master is used in ipa-server-install and ipa-replica-install
# only, it isn't meant to be used on clients.
basic_group.add_option("--on-master", dest="on_master", action="store_true",
@@ -482,11 +483,11 @@ def uninstall(options, env):
if hostname is None:
hostname = socket.getfqdn()
- client_nss_nickname = client_nss_nickname_format % hostname
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
# Always start certmonger. We can't untrack something if it isn't
- # running. Note that this is legacy code to untrack any certificates
- # that were created by previous versions of this installer.
+ # running
messagebus = services.knownservices.messagebus
try:
messagebus.start()
@@ -499,14 +500,24 @@ def uninstall(options, env):
except Exception, e:
log_service_error(cmonger.service_name, 'start', e)
- try:
- certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
- except (CalledProcessError, RuntimeError), e:
- root_logger.error("%s failed to stop tracking certificate: %s",
- cmonger.service_name, str(e))
+ if ipa_db.has_nickname('Local IPA host'):
+ try:
+ certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host')
+ except RuntimeError, e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
+
+ client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+ if sys_db.has_nickname(client_nss_nickname):
+ try:
+ certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=client_nss_nickname)
+ except RuntimeError, e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
# Remove our host cert and CA cert
- ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
try:
ipa_certs = ipa_db.list_certs()
except CalledProcessError, e:
@@ -523,7 +534,6 @@ def uninstall(options, env):
except OSError, e:
root_logger.error("Failed to remove %s: %s", filename, e)
- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname, trust_flags in ipa_certs:
while sys_db.has_nickname(nickname):
try:
@@ -1082,6 +1092,75 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
return 0
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+ remote_env):
+ if not options.request_cert:
+ return
+
+ if not remote_env['enable_ra']:
+ root_logger.warning(
+ "An RA is not configured on the server. "
+ "Not requesting host certificate.")
+ return
+
+ started = True
+ principal = 'host/%s@%s' % (hostname, cli_realm)
+
+ messagebus = services.knownservices.messagebus
+ try:
+ messagebus.start()
+ except Exception, e:
+ log_service_error(messagebus.service_name, 'start', e)
+
+ # Ensure that certmonger has been started at least once to generate the
+ # cas files in /var/lib/certmonger/cas.
+ cmonger = services.knownservices.certmonger
+ try:
+ cmonger.restart()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'restart', e)
+
+ if options.hostname:
+ # It needs to be stopped if we touch them
+ try:
+ cmonger.stop()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'stop', e)
+ # If the hostname is explicitly set then we need to tell certmonger
+ # which principal name to use when requesting certs.
+ certmonger.add_principal_to_cas(principal)
+
+ try:
+ cmonger.restart()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'restart', e)
+ root_logger.warning(
+ "Automatic certificate management will not be available")
+ started = False
+
+ try:
+ cmonger.enable()
+ except Exception, e:
+ root_logger.error(
+ "Failed to configure automatic startup of the %s daemon: %s",
+ cmonger.service_name, str(e))
+ root_logger.warning(
+ "Automatic certificate management will not be available")
+
+ # Request our host cert
+ if started:
+ subject = str(DN(('CN', hostname), subject_base))
+ passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+ try:
+ certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host',
+ subject=subject,
+ principal=principal,
+ passwd_fname=passwd_fname)
+ except Exception:
+ root_logger.error("%s request for host certificate failed",
+ cmonger.service_name)
+
def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
try:
sssdconfig = SSSDConfig.SSSDConfig()
@@ -2612,6 +2691,8 @@ def install(options, env, fstore, statestore):
if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates)
+ configure_certmonger(fstore, subject_base, cli_realm, hostname,
+ options, remote_env)
update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 279d66a..726a6c1 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -166,6 +166,9 @@ file. The CA certificate found in \fICA_FILE\fR is considered
authoritative and will be installed without checking to see if it's
valid for the IPA domain.
.TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
\fB\-\-automount\-location\fR=\fILOCATION\fR
Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
automount location.
@@ -226,6 +229,7 @@ Files always created (replacing existing content):
/etc/krb5.conf\p
/etc/ipa/ca.crt\p
/etc/ipa/default.conf\p
+/etc/ipa/nssdb\p
/etc/openldap/ldap.conf\p
.TP
Files updated, existing content is maintained:
--
1.9.3
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel