URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: opened
PR body: """ Previous versions of FreeIPA added a password to the ra.p12 file contained in the password-protected tarball. This was overlooked in the recent changes and is fixed now. https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721
From 1c7109c885457b20d7e1104c1e327537e9965b6f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 19 Apr 2017 11:42:40 +0200 Subject: [PATCH] Fix RA cert import during DL0 replication Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..faffd2e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -400,7 +400,8 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Importing RA key", self.__import_ra_key) else: self.step("importing RA certificate from PKCS #12 file", - lambda: self.import_ra_cert(ra_p12)) + lambda: self.import_ra_cert(ra_p12, + self.dm_password)) if not ra_only: self.step("setting up signing cert profile", self.__setup_sign_profile) @@ -676,20 +677,26 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') - def import_ra_cert(self, rafile): + def import_ra_cert(self, rafile, password=None): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. Used when setting up replication """ + pwdarg = 'pass:' + if password is not None: + pwdfile_fd, pwdfile_name = tempfile.mkstemp() + os.write(pwdfile_fd, password) + os.close(pwdfile_fd) + pwdarg = 'file:{file}'.format(file=pwdfile_name) # get the private key from the file ipautil.run([paths.OPENSSL, "pkcs12", "-in", rafile, "-nocerts", "-nodes", "-out", paths.RA_AGENT_KEY, - "-passin", "pass:"]) + "-passin", pwdarg]) # get the certificate from the pkcs12 file ipautil.run([paths.OPENSSL, 
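Review bot: The temporary file created by `tempfile.mkstemp()` in `import_ra_cert` holds the Directory Manager password and is never removed, so the secret stays on disk after the two openssl runs (the second run is in the next hunk at L4); wrap the openssl calls in `try`/`finally` and `os.unlink(pwdfile_name)` there, so the cleanup also happens when `ipautil.run` raises. `os.write(pwdfile_fd, password)` also requires bytes when this module runs under Python 3, so encode the password (assuming `dm_password` is text) before writing, and close the descriptor in a `finally` of its own. If `ipautil.run` accepts a `stdin` argument in this tree, `-passin stdin` would avoid the file entirely. The docstring should also mention the new parameter, e.g. `:param password: passphrase protecting the PKCS#12 file; None means an empty passphrase`, and the hunk does not show whether `tempfile` and `os` are imported in this module.
```python
    def import_ra_cert(self, rafile, password=None):
        # … unchanged docstring, extended with a line describing ``password`` …
        pwdfile_name = None
        try:
            pwdarg = 'pass:'
            if password is not None:
                pwdfile_fd, pwdfile_name = tempfile.mkstemp()
                try:
                    # os.write takes bytes on Python 3; assumes password is text
                    os.write(pwdfile_fd, password.encode('utf-8'))
                finally:
                    os.close(pwdfile_fd)
                pwdarg = 'file:{file}'.format(file=pwdfile_name)
            # … unchanged: both openssl pkcs12 runs with "-passin", pwdarg …
        finally:
            # remove the password file even if an openssl run failed
            if pwdfile_name is not None:
                os.unlink(pwdfile_name)
        self.__set_ra_cert_perms()
        self.configure_agent_renewal()
```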
@@ -697,7 +704,7 @@ def import_ra_cert(self, rafile): "-in", rafile, "-clcerts", "-nokeys", "-out", paths.RA_AGENT_PEM, - "-passin", "pass:"]) + "-passin", pwdarg]) self.__set_ra_cert_perms() self.configure_agent_renewal()