Hi,
the attached patches fix some of the issues I found while working
on a test plan for the CA-less install (see
<http://www.freeipa.org/index.php/V3/CA-less_install> for more
information on that).
https://fedorahosted.org/freeipa/ticket/3665
https://fedorahosted.org/freeipa/ticket/3667
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
https://fedorahosted.org/freeipa/ticket/3675
Honza
--
Jan Cholasta
>From 75ffce804845cba828e4e95d1bc3540459299ddf Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 5 Jun 2013 14:47:31 +0200
Subject: [PATCH 1/6] Use the correct PKCS#12 file for HTTP server.
https://fedorahosted.org/freeipa/ticket/3665
---
install/tools/ipa-server-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 992da90..098e639 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -707,7 +707,7 @@ def main():
if options.http_pkcs12:
http_pin_file = ipautil.write_tmp_file(options.http_pin)
- http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)
+ http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
if options.dirsrv_pkcs12:
dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
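Review bot: The corrected tuple is right, but the http branch and the dirsrv branch that starts on the last two hunk lines are copy-paste twins differing by one token, which is exactly how `options.dirsrv_pkcs12` ended up in the http pair in the first place. A small helper that builds the pair from one option prefix, e.g. `def _pkcs12_info(pkcs12, pin): return (pkcs12, ipautil.write_tmp_file(pin).name)`, would make the two call sites differ only in their arguments, provided the temporary-file object returned by `ipautil.write_tmp_file` does not need to stay referenced for the file to persist (not visible here, so confirm before dropping the `*_pin_file` locals). main's body continues outside the hunk.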
--
1.8.3
>From 0791d5a1734c47e9505157b49f4628be3bd8c56c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 5 Jun 2013 14:47:58 +0200
Subject: [PATCH 2/6] Remove stray error condition in ipa-server-install.
---
install/tools/ipa-server-install | 3 ---
1 file changed, 3 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 098e639..ccf24e6 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -286,9 +286,6 @@ def parse_options():
if options.dirsrv_pkcs12 and not options.root_ca_file:
parser.error(
"--root-ca-file must be given with the PKCS#12 options.")
- if options.dirsrv_pkcs12 and not options.root_ca_file:
- parser.error(
- "The PKCS#12 options must be given with --root-ca-file.")
if (options.external_cert_file or options.external_ca_file) and options.dirsrv_pkcs12:
parser.error(
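Review bot: The deleted block reads like a mistyped reverse check rather than a true duplicate — its message, "The PKCS#12 options must be given with --root-ca-file", is the converse of the surviving one — so if `--root-ca-file` given without the PKCS#12 options is meant to be rejected, the fix is to correct the condition, `if options.root_ca_file and not options.dirsrv_pkcs12:`, not to drop it. The surviving check also keys on `options.dirsrv_pkcs12` alone; whether `--http-pkcs12` is required to accompany `--dirsrv-pkcs12` is decided outside the hunk, and if it is not, `--http-pkcs12` with no `--root-ca-file` passes this validation. parse_options continues outside the hunk.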
--
1.8.3
>From 71275ffdf6997525cbe07a725ab26a5b3ce779c1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 3 Jun 2013 09:14:21 +0200
Subject: [PATCH 3/6] Handle exceptions gracefully when verifying PKCS#12
files.
https://fedorahosted.org/freeipa/ticket/3667
---
ipaserver/install/certs.py | 8 +++++++-
ipaserver/install/installutils.py | 5 ++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b170c7c..643cbda 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -29,6 +29,7 @@ import base64
from hashlib import sha1
from nss import nss
+from nss.error import NSPRError
from ipapython.ipa_log_manager import root_logger
from ipapython import dogtag
@@ -286,7 +287,12 @@ class NSSDatabase(object):
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
- approved_usage = cert.verify_now(certdb, True, intended_usage)
+ try:
+ approved_usage = cert.verify_now(certdb, True, intended_usage)
+ except NSPRError, e:
+ if e.errno != -8102:
+ raise ValueError(e.strerror)
+ approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
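Review bot: The literal `-8102` in the errno comparison is NSS's SEC_ERROR_INADEQUATE_CERT_TYPE and nothing in the hunk says so; name it in a comment, `# SEC_ERROR_INADEQUATE_CERT_TYPE (-8102): the usage check failed, fall through to the 'invalid for a SSL server' error below`, or compare against the named constant if the python-nss build in use exports it. Setting `approved_usage = 0` for that errno still rejects the certificate on the following `if not approved_usage & intended_usage` line, so no verification step is skipped. For every other NSPRError the re-raise keeps only `e.strerror`, which drops the code an operator would need to look up; `raise ValueError('%s (%d)' % (e.strerror, e.errno))` preserves it. The enclosing method starts outside the hunk.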
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index bc28dec..9d7aca2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -721,7 +721,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
# Import the CA cert first so it has a known nickname
# (if it's present in the PKCS#12 it won't be overwritten)
ca_cert_name = 'The Root CA'
- nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ try:
+ nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ except ValueError, e:
+ raise ScriptError(str(e))
# Import everything in the PKCS#12
nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)
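Review bot: The `nssdb.import_pkcs12(...)` call on the last hunk line stays outside the new try/except, so a failure importing the user-supplied PKCS#12 file — the input more likely to be malformed than the CA PEM — still escapes as a raw exception rather than a ScriptError, if import_pkcs12 reports problems with ValueError the way import_pem_cert does (its implementation is not visible here). Either widen the `try` to cover both imports or add a second clause with the same `raise ScriptError(str(e))` mapping. check_pkcs12's body continues outside the hunk.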
--
1.8.3
>From 0e07e00106b895236e63af5c16c324f3c3605d17 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 5 Jun 2013 14:50:38 +0200
Subject: [PATCH 4/6] Skip empty lines when parsing pk12util output.
---
ipaserver/install/certs.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 643cbda..06925d5 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -224,7 +224,7 @@ class NSSDatabase(object):
state = 1
if line == "Certificate:":
state = 2
- elif not line.startswith(' '):
+ elif line and not line.startswith(' '):
# Top-level item that is not a certificate
state = 1
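Review bot: The comment under the new condition, `# Top-level item that is not a certificate`, no longer describes the whole branch now that blank lines are deliberately excluded; make the exclusion explicit, e.g. `# Non-blank top-level item that is not a certificate (blank separator lines leave the state unchanged)`. Whether `line` has already been stripped of its newline is not visible in the hunk; if it has not, an empty line arrives as `'\n'`, is truthy and still enters this branch, in which case the test should be `line.strip()` — confirm against the loop header, which is outside the hunk.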
--
1.8.3
>From e320c23bc90d7da51e24495aacdb5eb567c1c86e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 3 Jun 2013 10:20:52 +0200
Subject: [PATCH 5/6] Do not allow installing CA replicas in CA-less setup.
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
---
install/tools/ipa-ca-install | 4 ++++
install/tools/ipa-replica-install | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 2046b5f..67e8097 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -160,6 +160,10 @@ def main():
config.dir = dir
config.setup_ca = True
+ if ipautil.file_exists(config.dir + "/dscert.p12"):
+ print 'CA cannot be installed in CA-less setup.'
+ sys.exit(1)
+
portfile = config.dir + "/dogtag_directory_port.txt"
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
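Review bot: CA-less mode is detected by probing `config.dir + "/dscert.p12"`, and the same bare filename and the same message are duplicated in the ipa-replica-install hunk below; a single helper next to the code that writes the replica file (name to be chosen by the maintainers, e.g. `installutils.is_ca_less(config.dir)` as a proposal) would keep the convention in one place if the file layout changes. A comment stating why the file's presence is the signal would help too, e.g. `# A CA-less master ships the DS server certificate as dscert.p12 in the replica file instead of a CA` — presumably that is the rule, so confirm against the master-side code. The error goes out with `print`, i.e. to stdout, followed by `sys.exit(1)`; if these tools report usage errors through the same path as the `parser.error` calls seen in patch 2, use it so the message lands on stderr like the others. main's body continues outside the hunk in both files.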
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2c28f37..5ba7454 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -512,6 +512,10 @@ def main():
config.dir = dir
config.setup_ca = options.setup_ca
+ if config.setup_ca and ipautil.file_exists(config.dir + "/dscert.p12"):
+ print 'CA cannot be installed in CA-less setup.'
+ sys.exit(1)
+
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
portfile = config.dir + "/dogtag_directory_port.txt"
--
1.8.3
>From cb0d8674f69edec1449c392474338f83eecc9c69 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 3 Jun 2013 10:25:19 +0200
Subject: [PATCH 6/6] Do not track DS certificate in CA-less setup.
https://fedorahosted.org/freeipa/ticket/3675
---
ipaserver/install/dsinstance.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 046480f..d6c1c6a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -562,8 +562,6 @@ class DsInstance(service.Service):
# We only handle one server cert
nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
- dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname,
- 'restart_dirsrv %s' % self.serverid)
else:
nickname = self.nickname
cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
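Review bot: Dropping the `dsdb.track_server_cert(...)` call means a server certificate that came from a user-supplied PKCS#12 is no longer registered with certmonger, so nothing in the installer will renew it or warn before it expires, and the branch now says nothing about that. Record the consequence where the call used to be, e.g. `# Certificates from a user-supplied PKCS#12 are not tracked by certmonger; renewal is the administrator's responsibility`, and consider echoing the same statement in the installer's final output or documentation. The enclosing method starts outside the hunk.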
--
1.8.3