URL: https://github.com/freeipa/freeipa/pull/685 Author: stlaz Title: #685: [4.5] Caless fix Action: opened
PR body: """ Get correct CA cert nickname in CA-less During CA-less installation, we initialize the HTTPD alias database from a pkcs12 file. This means there's going to be different nicknames to the added certificates. Store the CA certificate nickname in HTTPInstance__setup_ssl() to be able to correctly export it later """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/685/head:pr685 git checkout pr685
From 4d735fb432befe970787a3943b9ae286b0f008e8 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 24 Mar 2017 09:52:18 +0100 Subject: [PATCH 1/2] Get correct CA cert nickname in CA-less During CA-less installation, we initialize the HTTPD alias database from a pkcs12 file. This means there's going to be different nicknames to the added certificates. Store the CA certificate nickname in HTTPInstance__setup_ssl() to be able to correctly export it later. https://pagure.io/freeipa/issue/6806 --- ipaserver/install/httpinstance.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 01b55e7..3e4252c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -118,6 +118,7 @@ class WebGuiInstance(service.SimpleServiceInstance): def __init__(self): service.SimpleServiceInstance.__init__(self, "ipa_webgui") + class HTTPInstance(service.Service): def __init__(self, fstore=None, cert_nickname='Server-Cert', api=api): @@ -130,6 +131,7 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert', service_user=HTTPD_USER, keytab=paths.HTTP_KEYTAB) + self.cacert_nickname = None self.cert_nickname = cert_nickname self.ca_is_configured = True self.keytab_user = constants.GSSPROXY_USER @@ -441,6 +443,9 @@ def __setup_ssl(self): if not server_certs: raise RuntimeError("Could not find a suitable server cert.") + # store the CA cert nickname so that we can publish it later on + self.cacert_nickname = db.cacert_name + def __import_ca_certs(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base) 
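Review bot: The new comment in the `@@ -441,6 +443,9 @@` hunk says what is stored but not why the default nickname cannot be assumed, which is the whole reason for the change; I would make it self-explanatory for the next reader: `# the CA nickname depends on how the NSS DB was initialised (CA-less imports a pkcs12 with its own nicknames), so remember what CertDB picked for __publish_ca_cert()`. The assignment reads `db.cacert_name`, and `db` is bound earlier in `__setup_ssl()`, whose body starts outside the hunk, so I cannot confirm from here that it is always a `certs.CertDB`; presumably it is, given the `export_ca_cert` usage visible in certs.py.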
@@ -449,7 +454,7 @@ def __import_ca_certs(self): def __publish_ca_cert(self): ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base) - ca_db.publish_ca_cert(paths.CA_CRT) + ca_db.export_pem_cert(self.cacert_nickname, paths.CA_CRT) def is_kdcproxy_configured(self): """Check if KDC proxy has already been configured in the past""" From 90acad7c3077a0f4b19626f7bd243f0aa4446d61 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 27 Mar 2017 10:31:36 +0200 Subject: [PATCH 2/2] Remove publish_ca_cert() method from NSSDatabase NSSDatabase.publish_ca_cert() is not used anymore, remove it. https://pagure.io/freeipa/issue/6806 --- ipapython/certdb.py | 9 --------- ipaserver/install/certs.py | 3 --- 2 files changed, 12 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index f1410e5..0665f94 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -596,12 +596,3 @@ def verify_ca_cert_validity(self, nickname): finally: del certdb, cert nss.nss_shutdown() - - def publish_ca_cert(self, canickname, location): - args = ["-L", "-n", canickname, "-a"] - result = self.run_certutil(args, capture_output=True) - cert = result.output - fd = open(location, "w+") - fd.write(cert) - fd.close() - os.chmod(location, 0o444) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 0ca9713..16139f8 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -640,9 +640,6 @@ def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, self.export_ca_cert(nickname, False) - def publish_ca_cert(self, location): - self.nssdb.publish_ca_cert(self.cacert_name, location) - def export_pem_cert(self, nickname, location): return self.nssdb.export_pem_cert(nickname, location)
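Review bot: The replacement `ca_db.export_pem_cert(self.cacert_nickname, paths.CA_CRT)` silently drops the explicit `os.chmod(location, 0o444)` that the removed `NSSDatabase.publish_ca_cert()` (deleted in the second patch) performed after writing the file; whether `export_pem_cert()` sets an equivalent mode is not visible here, and `paths.CA_CRT` is the CA certificate handed out to clients, so it must stay world-readable rather than inherit a restrictive umask — please confirm or re-add the chmod after the export. A second point: `self.cacert_nickname` is initialised to `None` in `__init__` and only set at the end of `__setup_ssl()`, so any code path that reaches `__publish_ca_cert()` on a fresh `HTTPInstance` (if one exists, e.g. an upgrade step) would now pass `None` as the nickname; a guard such as `if self.cacert_nickname is None: raise RuntimeError("CA cert nickname not set; __setup_ssl() must run first")` would make that failure explicit instead of leaving it to certutil. `is_kdcproxy_configured()` continues outside the hunk.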