On 11.7.2013 14:10, Jan Cholasta wrote:
Hi,

this is the first batch of patches for
<https://fedorahosted.org/freeipa/ticket/3641>. It contains port of
ipa-server-certinstall to the admintool framework and fixes some bugs.

Note that there's still some work I have to do to make
ipa-server-certinstall work properly for installs with CA; currently it
works reliably only on CA-less installs.

This patchset also does not make it possible to change the CA
certificate (as requested in the ticket). We discussed this with Rob and
agreed that it should instead be done as part of
<https://fedorahosted.org/freeipa/ticket/3737>. Unless there are any
objections, that's what is going to happen.

Added patches (157 and 158) to support installs with CA.

Honza

--
Jan Cholasta
>From ce481fa8d10a90612e1a7bfd75e69a3a240ba0c2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 15 Jul 2013 08:12:14 +0000
Subject: [PATCH 1/2] Replace only the cert instead of the whole NSS DB in
 ipa-server-certinstall.

https://fedorahosted.org/freeipa/ticket/3641
---
 ipaserver/install/certs.py                  |  4 ++++
 ipaserver/install/ipa_server_certinstall.py | 31 +++++++++++++++--------------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 531ea76..681892b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -708,6 +708,10 @@ class CertDB(object):
                 "-f", self.passwd_fname]
         self.run_certutil(args)
 
+    def delete_cert(self, nickname):
+        args = ["-D", "-n", nickname]
+        self.run_certutil(args)
+
     def create_pin_file(self):
         """
         This is the format of Directory Server pin files.
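Review bot: `certutil -D` removes only the certificate; the private key that belonged to the old server cert stays in the NSS database after `delete_cert` runs. If replacing the server cert is meant to retire the old key pair as well, `args = ["-F", "-n", nickname]` deletes the private key together with its certificate; if keeping the key is intentional, that should be stated. Either way the new method should carry a docstring naming which it does, e.g. `"""Delete the certificate with the given nickname (the private key is left in place)."""`.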
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index c2cd4df..e467609 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -101,18 +101,20 @@ class ServerCertInstall(admintool.AdminTool):
     def install_dirsrv_cert(self):
         serverid = dsinstance.realm_to_serverid(api.env.realm)
         dirname = dsinstance.config_dirname(serverid)
-        pwdfile = os.path.join(dirname, 'pwdfile.txt')
-
-        server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
-                                       pwdfile)
 
         conn = ldap2(shared_instance=False, base_dn='')
         conn.connect(bind_dn=DN(('cn', 'directory manager')),
                      bind_pw=self.dm_password)
 
-        entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
-                                   ('cn', 'config')),
-                                nssslpersonalityssl=[server_cert])
+        entry = conn.get_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
+                                  ('cn', 'config')),
+                               ['nssslpersonalityssl'])
+        old_cert = entry.single_value('nssslpersonalityssl')
+
+        server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
+                                       old_cert)
+
+        entry['nssslpersonalityssl'] = [server_cert]
         try:
             conn.update_entry(entry)
         except errors.EmptyModlist:
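Review bot: `old_cert = entry.single_value('nssslpersonalityssl')` is handed straight to import_cert, which deletes that nickname from the NSS database; if the attribute is absent or empty, old_cert is presumably None (or single_value raises), and certutil would then be invoked with a None argument. Guard it before the import, e.g. `if not old_cert: raise admintool.ScriptError("nsSSLPersonalitySSL is not set in cn=RSA,cn=encryption,cn=config")`. Note also that the NSS database is modified (old cert deleted, new one imported) before update_entry runs, so a failed LDAP update leaves dirsrv configured with a nickname that no longer exists in the database. install_dirsrv_cert continues past the hunk.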
@@ -122,10 +124,12 @@ class ServerCertInstall(admintool.AdminTool):
 
     def install_http_cert(self):
         dirname = certs.NSS_DIR
-        pwdfile = os.path.join(dirname, 'pwdfile.txt')
+
+        old_cert = installutils.get_directive(httpinstance.NSS_CONF,
+                                              'NSSNickname')
 
         server_cert = self.import_cert(dirname, self.options.http_pin,
-                                       pwdfile)
+                                       old_cert)
 
         installutils.set_directive(httpinstance.NSS_CONF,
                                    'NSSNickname', server_cert)
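Review bot: `old_cert = installutils.get_directive(httpinstance.NSS_CONF, 'NSSNickname')` is passed to import_cert, which deletes that nickname; if get_directive returns None for a missing directive, as its name suggests, certutil would be run with a None argument and the failure mode is a TypeError rather than a clear error. A guard such as `if not old_cert: raise admintool.ScriptError("NSSNickname is not set in %s" % httpinstance.NSS_CONF)` before the import would make the precondition explicit. As in the dirsrv path, the NSS database is changed before set_directive rewrites the config, so a failing set_directive leaves httpd pointing at a deleted nickname. install_http_cert continues past the hunk.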
@@ -140,20 +144,17 @@ class ServerCertInstall(admintool.AdminTool):
         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
 
-    def import_cert(self, dirname, pkcs12_passwd, db_pwdfile):
+    def import_cert(self, dirname, pkcs12_passwd, old_cert):
         pw = write_tmp_file(pkcs12_passwd)
         server_cert = installutils.check_pkcs12(
             pkcs12_info=(self.pkcs12_fname, pw.name),
             ca_file=CACERT,
             hostname=api.env.host)
 
-        with open(db_pwdfile) as fd:
-            db_password = fd.read()
-
         cdb = certs.CertDB(api.env.realm, nssdir=dirname)
         try:
-            cdb.create_from_pkcs12(self.pkcs12_fname, pw.name,
-                                   db_password, CACERT)
+            cdb.delete_cert(old_cert)
+            cdb.import_pkcs12(self.pkcs12_fname, pw.name)
         except RuntimeError, e:
             raise admintool.ScriptError(str(e))
 
-- 
1.8.3.1

>From 4250f0d1a8ba606d158ec5298391edbcca27855e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 15 Jul 2013 08:12:50 +0000
Subject: [PATCH 2/2] Untrack old and track new cert with certmonger in
 ipa-server-certinstall.

https://fedorahosted.org/freeipa/ticket/3641
---
 ipaserver/install/ipa_server_certinstall.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index e467609..4960fda 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -112,7 +112,8 @@ class ServerCertInstall(admintool.AdminTool):
         old_cert = entry.single_value('nssslpersonalityssl')
 
         server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
-                                       old_cert)
+                                       old_cert, 'ldap/%s' % api.env.host,
+                                       'restart_dirsrv %s' % serverid)
 
         entry['nssslpersonalityssl'] = [server_cert]
         try:
@@ -129,7 +130,8 @@ class ServerCertInstall(admintool.AdminTool):
                                               'NSSNickname')
 
         server_cert = self.import_cert(dirname, self.options.http_pin,
-                                       old_cert)
+                                       old_cert, 'HTTP/%s' % api.env.host,
+                                       'restart_httpd')
 
         installutils.set_directive(httpinstance.NSS_CONF,
                                    'NSSNickname', server_cert)
@@ -144,7 +146,7 @@ class ServerCertInstall(admintool.AdminTool):
         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
 
-    def import_cert(self, dirname, pkcs12_passwd, old_cert):
+    def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
         pw = write_tmp_file(pkcs12_passwd)
         server_cert = installutils.check_pkcs12(
             pkcs12_info=(self.pkcs12_fname, pw.name),
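Review bot: import_cert now takes five positional parameters (`dirname, pkcs12_passwd, old_cert, principal, command`) and has no docstring; the roles of old_cert (nickname removed from the database), principal and command (presumably the certmonger identity and post-save command) are not evident from the signature, and any other caller would now fail with a missing-argument error. Add a docstring stating that the PKCS#12 file is checked against CACERT and the host name, that the certificate nicknamed old_cert is deleted from the NSS database in dirname before the import, and what principal and command are used for. The body is outside this hunk.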
@@ -153,8 +155,15 @@ class ServerCertInstall(admintool.AdminTool):
 
         cdb = certs.CertDB(api.env.realm, nssdir=dirname)
         try:
+            if api.env.enable_ra:
+                cdb.untrack_server_cert(old_cert)
+
             cdb.delete_cert(old_cert)
             cdb.import_pkcs12(self.pkcs12_fname, pw.name)
+
+            if api.env.enable_ra:
+                cdb.track_server_cert(server_cert, principal, cdb.passwd_fname,
+                                      command)
         except RuntimeError, e:
             raise admintool.ScriptError(str(e))
 
-- 
1.8.3.1
