On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
We discussed this with Tomáš off-line and it turns out that
ipa-client-install fails if the CA cert is not added to
/etc/pki/nssdb.

However, according to p11-kit docs it should work:
<http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location
in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
database isn't going to automatically pull in the list of trusted CAs
that p11-kit maintains.

Whether the database under /etc/pki/nssdb should automatically include
the usual set of trust anchors is probably a different conversation.

Thanks for the info.

Tomáš, the patch is fine then. I have one more nitpick though: why did
you change "the default NSS database" to "the NSS database"? The
database in /etc/pki/nssdb *is* the default NSS database, so please
change it back. Also I think "systemwide CA trust database" is better
than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas


Thanks.

There's one more thing: we should probably check if /usr/bin/update-ca-trust
exists before using it, for the sake of cross-distro compatibility.


Right. I am also thinking about whether this functionality should be integrated into the platform files somehow, so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From cd0fb864ba45c93c81f4cef68dc470c1fcf05219 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide
 store

During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the
box.

https://fedorahosted.org/freeipa/ticket/3504
---
 ipa-client/ipa-install/ipa-client-install | 14 +++++++-
 ipapython/platform/fedora19/__init__.py   | 58 ++++++++++++++++++++++++++++++-
 ipapython/services.py.in                  | 13 ++++++-
 3 files changed, 82 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 1f66ae5d635d98ba45df13d92ca7982068d94752..9299db12015434379916ffa35d7ee7e830cf42ad 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -652,6 +652,9 @@ def uninstall(options, env):
         root_logger.warning('Please remove /etc/ipa/default.conf manually, '
                             'as it can cause subsequent installation to fail.')
 
+    # Remove the CA cert from the systemwide certificate store
+    ret = ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
     # Remove the CA cert
     try:
         os.remove(CACERT)
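Review bot: The `ret` assigned on the added line is never read, and the platform implementation added in this patch returns nothing on every path, so the assignment only suggests a result that does not exist; call it as a statement, `ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)`. It is also worth a comment that failure here is best-effort and does not abort the uninstall, since the platform function only logs. The body of uninstall() continues outside the hunk.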
@@ -2312,12 +2315,21 @@ def install(options, env, fstore, statestore):
             return CLIENT_INSTALL_ERROR
         root_logger.info("Configured /etc/sssd/sssd.conf")
 
+    # Add the CA to the platform-dependant systemwide CA store
+    ret = ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+    root_logger.info('Returned value from systemwide: %s ' % ret)
+
     # Add the CA to the default NSS database and trust it
     try:
-        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+        root_logger.debug("Attempting to add CA directly to the "
+                          "default NSS database.")
+        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+             "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
     except CalledProcessError, e:
         root_logger.info("Failed to add CA to the default NSS database.")
         return CLIENT_INSTALL_ERROR
+    else:
+        root_logger.info('Added the CA to the default NSS database.')
 
     host_principal = 'host/%s@%s' % (hostname, cli_realm)
     if options.on_master:
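Review bot: The new `root_logger.info('Returned value from systemwide: %s ' % ret)` will always print `None`: neither the fedora19 functions (hunk at ipapython/platform/fedora19/__init__.py, `@@ -53,3 +70,42 @@`) nor the defaults in ipapython/services.py.in (`@@ -55,4 +57,13 @@`) return a value, and the success/failure messages are already logged inside them. Either drop the line, or give all four implementations an explicit boolean contract (True when the CA was published, False when skipped or failed) and log at debug level, e.g. `root_logger.debug('Systemwide CA store update succeeded: %s', ret)`. Note that a failure to publish into the systemwide store is not treated as an install error here while failure to add to the NSS database is; that asymmetry looks deliberate but deserves a one-line comment. The comment on the first added line should read "platform-dependent". install() continues outside the hunk.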
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..1bd2fcdc7af0e016ad58e2d935edd33cefc3a2f2 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
 from ipapython.platform import fedora18, base
 
 # All what we allow exporting directly from this module
@@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
 #                    applicable
 # check_selinux_status -- platform-specific way to see if SELinux is enabled
 #                         and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+#                                           CA certificate into the systemwide
+#                                           CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+#                                           CA certificate from the systemwide
+#                                           CA store
+
 
 __all__ = ['authconfig', 'service', 'knownservices',
     'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
-    'restore_network_configuration', 'timedate_services']
+    'restore_network_configuration', 'timedate_services',
+    'insert_ca_cert_into_systemwide_ca_store',
+    'remove_ca_cert_from_systemwide_ca_store']
 
 # Just copy a referential list of timedate services
 timedate_services = list(base.timedate_services)
@@ -53,3 +70,42 @@ service = fedora18.service
 knownservices = fedora18.knownservices
 restore_context = fedora18.restore_context
 check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+    # Add the 'ipa-' prefix to cert name to avoid name collisions
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Add the CA to the systemwide CA trust database
+    try:
+        shutil.copy(cacert_path, new_cacert_path)
+        run(['/usr/bin/update-ca-trust'])
+    except OSError, e:
+        root_logger.info("Failed to copy %s to %s" % (cacert_path,
+                                                      new_cacert_path))
+    except CalledProcessError, e:
+        root_logger.info("Failed to add CA to the systemwide "
+                         "CA trust database: %s" % str(e))
+    else:
+        root_logger.info('Added the CA to the systemwide CA trust database.')
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+    # Derive the certificate name in the store
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Remove CA cert from systemwide store
+    if os.path.exists(new_cacert_path):
+        try:
+            os.remove(new_cacert_path)
+            run(['/usr/bin/update-ca-trust'])
+        except OSError, e:
+            root_logger.error('Could not remove: %s, %s'
+                               % (new_cacert_path, str(e)))
+        except CalledProcessError, e:
+            root_logger.error('Could not update systemwide CA trust '
+                              'database: %s' % str(e))
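Review bot: In insert_ca_cert_into_systemwide_ca_store the `except OSError` handler wraps both shutil.copy and `run(['/usr/bin/update-ca-trust'])`, so when /usr/bin/update-ca-trust is absent (the cross-distro case raised earlier in this thread) the OSError from spawning it is reported as "Failed to copy", and the anchor file is left in place with no trust update having run; remove_ca_cert_from_systemwide_ca_store has the same shape. Checking for the binary before touching the store and splitting the two try blocks makes each message truthful and lets the function report whether the CA was actually published. Both functions also duplicate the `'ipa-%s'` path derivation; a small helper keeps the naming rule in one place. The rewrite below covers the insert function; remove_… would follow the same pattern.
```python
update_ca_trust = '/usr/bin/update-ca-trust'


def _systemwide_cacert_path(cacert_path):
    # Add the 'ipa-' prefix to cert name to avoid name collisions
    return os.path.join(systemwide_ca_store,
                        'ipa-%s' % os.path.basename(cacert_path))


def insert_ca_cert_into_systemwide_ca_store(cacert_path):
    new_cacert_path = _systemwide_cacert_path(cacert_path)

    if not os.path.exists(update_ca_trust):
        root_logger.info("%s not found, not publishing the CA to the "
                         "systemwide CA trust database." % update_ca_trust)
        return False

    # Copy first, so an OSError here can only mean the copy failed
    try:
        shutil.copy(cacert_path, new_cacert_path)
    except OSError, e:
        root_logger.info("Failed to copy %s to %s: %s"
                         % (cacert_path, new_cacert_path, str(e)))
        return False

    try:
        run([update_ca_trust])
    except CalledProcessError, e:
        root_logger.info("Failed to add CA to the systemwide "
                         "CA trust database: %s" % str(e))
        return False

    root_logger.info('Added the CA to the systemwide CA trust database.')
    return True
```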
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..c979459591cfcb6de2094a73d2044bd75ea5b905 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -16,12 +16,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+from ipapython.ipa_log_manager import root_logger
+
 # authconfig is an entry point to platform-provided AuthConfig implementation
 # (instance of ipapython.platform.base.AuthConfig)
 authconfig = None
 
 # knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices) 
+# (instance of ipapython.platform.base.KnownServices)
 knownservices = None
 
 # service is a class to instantiate ipapython.platform.base.PlatformService
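Review bot: The added `from ipapython.ipa_log_manager import root_logger` is not used anywhere in the lines of services.py.in shown in this patch; the logging for the new store functions happens in the fedora19 platform module. If nothing else in services.py.in uses it, drop the import rather than leave an unused dependency in the services entry-point module.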
@@ -55,4 +57,13 @@ from ipapython.platform.base import SVC_LIST_FILE
 def get_svc_list_file():
     return SVC_LIST_FILE
 
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+    return
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+    return
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
 from ipapython.platform.SUPPORTED_PLATFORM import *
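Review bot: The two `_default` functions have no docstring, so a reader cannot tell whether a bare `return` means "nothing to do on this platform" or "not yet implemented"; the comment block in fedora19/__init__.py describes the platform versions but nothing here describes the fallback. Add a docstring to each along the lines of `"""No-op fallback for platforms without a systemwide CA trust store; platform modules override this via the star import below."""`, and state what the function returns so that callers checking the result (ipa-client-install logs it) know what to expect. Keep the two bodies and docstrings parallel, as the insert/remove pair is elsewhere in the patch.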
-- 
1.8.3.1
