URL: https://github.com/freeipa/freeipa/pull/650
Author: stlaz
 Title: #650: CA-less installation fix
Action: synchronized

From f32d15ddf93f7275ed2e936f8694509f010f6076 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 24 Mar 2017 09:52:18 +0100
Subject: [PATCH 1/2] Get correct CA cert nickname in CA-less

During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means the added certificates
are going to have different nicknames. Store
the CA certificate nickname in HTTPInstance.__setup_ssl()
to be able to export it correctly later.

https://pagure.io/freeipa/issue/6806
---
 ipaserver/install/httpinstance.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 01b55e7..3e4252c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class WebGuiInstance(service.SimpleServiceInstance):
     def __init__(self):
         service.SimpleServiceInstance.__init__(self, "ipa_webgui")
 
+
 class HTTPInstance(service.Service):
     def __init__(self, fstore=None, cert_nickname='Server-Cert',
                  api=api):
@@ -130,6 +131,7 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert',
             service_user=HTTPD_USER,
             keytab=paths.HTTP_KEYTAB)
 
+        self.cacert_nickname = None
         self.cert_nickname = cert_nickname
         self.ca_is_configured = True
         self.keytab_user = constants.GSSPROXY_USER
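Review bot: The new `cacert_nickname` attribute is left undocumented, and from `__init__` alone a reader cannot tell that it stays None until `__setup_ssl` has run on the same instance. Suggest annotating the added line: `self.cacert_nickname = None  # set from CertDB.cacert_name in __setup_ssl(); None until then`. `__init__` begins before this hunk.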
@@ -441,6 +443,9 @@ def __setup_ssl(self):
             if not server_certs:
                 raise RuntimeError("Could not find a suitable server cert.")
 
+        # store the CA cert nickname so that we can publish it later on
+        self.cacert_nickname = db.cacert_name
+
     def __import_ca_certs(self):
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                           subject_base=self.subject_base)
@@ -449,7 +454,7 @@ def __import_ca_certs(self):
     def __publish_ca_cert(self):
         ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                              subject_base=self.subject_base)
-        ca_db.publish_ca_cert(paths.CA_CRT)
+        ca_db.export_pem_cert(self.cacert_nickname, paths.CA_CRT)
 
     def is_kdcproxy_configured(self):
         """Check if KDC proxy has already been configured in the past"""
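Review bot: `__publish_ca_cert` now passes `self.cacert_nickname` straight to `export_pem_cert`, but that attribute is initialised to None in `__init__` and only assigned at the end of `__setup_ssl`, so any path that reaches publishing without `__setup_ssl` having run on the same instance (the installer step order is outside this diff) would hand `None` to certutil as the nickname. A defensive fallback preserves the previous behaviour for that case: `nickname = self.cacert_nickname or ca_db.cacert_name` followed by `ca_db.export_pem_cert(nickname, paths.CA_CRT)`. The `NSSDatabase.publish_ca_cert` removed in the second patch explicitly set the exported file to mode 0o444; if `export_pem_cert` does not apply the same mode, the permissions of `paths.CA_CRT` now depend on the process umask, which is worth confirming before merging.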

From 4e8fdf1ad0912bd775194bd8eacdc41db597a613 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 27 Mar 2017 10:31:36 +0200
Subject: [PATCH 2/2] Remove publish_ca_cert() method from NSSDatabase

NSSDatabase.publish_ca_cert() is not used anymore, remove it.

https://pagure.io/freeipa/issue/6806
---
 ipapython/certdb.py        | 8 --------
 ipaserver/install/certs.py | 3 ---
 2 files changed, 11 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 82b3869..625a5c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -577,11 +577,3 @@ def verify_ca_cert_validity(self, nickname):
         except ipautil.CalledProcessError:
             raise ValueError('invalid for a CA')
 
-    def publish_ca_cert(self, canickname, location):
-        args = ["-L", "-n", canickname, "-a"]
-        result = self.run_certutil(args, capture_output=True)
-        cert = result.output
-        fd = open(location, "w+")
-        fd.write(cert)
-        fd.close()
-        os.chmod(location, 0o444)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 0ca9713..16139f8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -640,9 +640,6 @@ def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
 
         self.export_ca_cert(nickname, False)
 
-    def publish_ca_cert(self, location):
-        self.nssdb.publish_ca_cert(self.cacert_name, location)
-
     def export_pem_cert(self, nickname, location):
         return self.nssdb.export_pem_cert(nickname, location)
 
-- 