On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
We discussed this with Tomáš off-line and it turns out that
ipa-client-install fails if the CA cert is not added to

However, according to p11-kit docs it should work:
<http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs
that p11-kit maintains.

Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info.

Tomáš, the patch is fine then. I have one more nitpick though: why did
you change "the default NSS database" to "the NSS database"? The
database in /etc/pki/nssdb *is* the default NSS database, so please
change it back. Also I think "systemwide CA trust database" is better
than "systemwide CA store".


I fixed the descriptions. Updated patch attached.



There's one more thing: we should probably check if /usr/bin/update-ca-trust
exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.


Updated patch attached, requires my patch 130.

Freeipa-devel mailing list

The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

Thanks for the review,

I removed the code (it was meant for debugging purposes only).

Updated patch attached.


Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.


Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 65fe7943ffda6c7c57b697d7e59cba8857f42e9c Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide

During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the

 ipa-client/ipa-install/ipa-client-install | 13 ++++++-
 ipapython/platform/fedora19/__init__.py   | 58 ++++++++++++++++++++++++++++++-
 ipapython/services.py.in                  | 11 +++++-
 3 files changed, 79 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7095e922663af73edae5a537a923888794b74879..e79cb48b04e7bdf23f6fd757e022e57dbb544640 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -673,6 +673,9 @@ def uninstall(options, env):
         root_logger.warning('Please remove /etc/ipa/default.conf manually, '
                             'as it can cause subsequent installation to fail.')
+    # Remove the CA cert from the systemwide certificate store
+    ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
     # Remove the CA cert
@@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore):
             return CLIENT_INSTALL_ERROR
         root_logger.info("Configured /etc/sssd/sssd.conf")
+    # Add the CA to the platform-dependant systemwide CA store
+    ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
     # Add the CA to the default NSS database and trust it
-        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+        root_logger.debug("Attempting to add CA directly to the "
+                          "default NSS database.")
+        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+             "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
     except CalledProcessError, e:
         root_logger.info("Failed to add CA to the default NSS database.")
         return CLIENT_INSTALL_ERROR
+    else:
+        root_logger.info('Added the CA to the default NSS database.')
     host_principal = 'host/%s@%s' % (hostname, cli_realm)
     if options.on_master:
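Review bot: the failure branch after the certutil call (`except CalledProcessError, e:` followed by `return CLIENT_INSTALL_ERROR`) returns without undoing the systemwide publication performed a few lines earlier by `ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)`, so a client install that aborts at the NSS step leaves the IPA CA installed as a trust anchor on the host. Suggest calling `ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)` in that branch, or moving the systemwide insert after the NSS add has succeeded. Note also that `insert_ca_cert_into_systemwide_ca_store` returns nothing, so `install()` cannot tell whether the systemwide step worked; if that is intended, the info-level log line in the platform code is the only trace an administrator gets.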
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..1bd2fcdc7af0e016ad58e2d935edd33cefc3a2f2 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import shutil
+import os
+from subprocess import CalledProcessError
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
 from ipapython.platform import fedora18, base
 # All what we allow exporting directly from this module
@@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
 #                    applicable
 # check_selinux_status -- platform-specific way to see if SELinux is enabled
 #                         and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+#                                           CA certificate into the systemwide
+#                                           CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+#                                           CA certificate from the systemwide
+#                                           CA store
 __all__ = ['authconfig', 'service', 'knownservices',
     'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
-    'restore_network_configuration', 'timedate_services']
+    'restore_network_configuration', 'timedate_services',
+    'insert_ca_cert_into_systemwide_ca_store',
+    'remove_ca_cert_from_systemwide_ca_store']
 # Just copy a referential list of timedate services
 timedate_services = list(base.timedate_services)
@@ -53,3 +70,42 @@ service = fedora18.service
 knownservices = fedora18.knownservices
 restore_context = fedora18.restore_context
 check_selinux_status = fedora18.check_selinux_status
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+    # Add the 'ipa-' prefix to cert name to avoid name collisions
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+    # Add the CA to the systemwide CA trust database
+    try:
+        shutil.copy(cacert_path, new_cacert_path)
+        run(['/usr/bin/update-ca-trust'])
+    except OSError, e:
+        root_logger.info("Failed to copy %s to %s" % (cacert_path,
+                                                      new_cacert_path))
+    except CalledProcessError, e:
+        root_logger.info("Failed to add CA to the systemwide "
+                         "CA trust database: %s" % str(e))
+    else:
+        root_logger.info('Added the CA to the systemwide CA trust database.')
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+    # Derive the certificate name in the store
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+    # Remove CA cert from systemwide store
+    if os.path.exists(new_cacert_path):
+        try:
+            os.remove(new_cacert_path)
+            run(['/usr/bin/update-ca-trust'])
+        except OSError, e:
+            root_logger.error('Could not remove: %s, %s'
+                               % (new_cacert_path, str(e)))
+        except CalledProcessError, e:
+            root_logger.error('Could not update systemwide CA trust '
+                              'database: %s' % str(e))
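Review bot: in `insert_ca_cert_into_systemwide_ca_store` the copy failure branch binds the exception (`except OSError, e:`) but the message `"Failed to copy %s to %s"` never includes it, and both failure branches there log at info level, whereas the matching failures in `remove_ca_cert_from_systemwide_ca_store` use `root_logger.error`. Suggest appending `str(e)` to the copy message and using the same level in both functions, so a silently missing anchor is visible in the install log. Two smaller points: `shutil.copy` carries the source file's permission bits over to the anchor, so the readability of `/etc/pki/ca-trust/source/anchors/ipa-ca.crt` depends on the mode of the file passed in rather than being set explicitly; and the path `/usr/bin/update-ca-trust` is hard-coded with no existence check, which is acceptable here only because this is the fedora19 platform module, as discussed in the thread.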
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..0c10ffb38b6904c987e66809c0a7c3b52b578d9e 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -21,7 +21,7 @@
 authconfig = None
 # knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices) 
+# (instance of ipapython.platform.base.KnownServices)
 knownservices = None
 # service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
 def get_svc_list_file():
     return SVC_LIST_FILE
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+    return
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+    return
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
 from ipapython.platform.SUPPORTED_PLATFORM import *
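Review bot: the default implementations `insert_ca_cert_into_systemwide_ca_store_default(path)` and `remove_ca_cert_from_systemwide_ca_store_default(path)` are silent no-ops, so on a platform that does not override them (via the `from ipapython.platform.SUPPORTED_PLATFORM import *` below) the CA is simply not published and nothing in the log says why. Suggest a one-line docstring stating that the default intentionally does nothing, plus a `root_logger.debug` message mentioning `path`, which also gives the otherwise unused argument a purpose.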
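The thread asks for an existence check on /usr/bin/update-ca-trust before it is called, and the patch itself shows the copy-then-update sequence. The following is an added example written for this review, not FreeIPA code: it performs the same publish and remove steps against parameterised paths, checks that the update tool exists before relying on it, sets the anchor's mode explicitly instead of inheriting it from the source file, and rolls the anchor back when the update command fails (the rollback is this example's addition, not something the patch does). The `ipa-` prefix is taken from the patch; `demo()` exercises the functions in a scratch directory with a constructed certificate placeholder and a stand-in update command, so it runs without touching the real trust store.

```python
import os
import shutil
import stat
import subprocess
import sys
import tempfile

ANCHOR_PREFIX = "ipa-"  # same prefix the patch uses to avoid name collisions


def anchor_path(cacert_path, anchors_dir):
    """Path of the published copy: <anchors_dir>/ipa-<basename of the cert>."""
    return os.path.join(anchors_dir, ANCHOR_PREFIX + os.path.basename(cacert_path))


def _tool_available(update_cmd):
    """update_cmd is an argv list; its first element must be an executable file."""
    return os.path.isfile(update_cmd[0]) and os.access(update_cmd[0], os.X_OK)


def _remove_quietly(path):
    try:
        os.remove(path)
        return True
    except OSError:
        return False


def publish_ca_cert(cacert_path, anchors_dir, update_cmd):
    """Copy the CA cert into the anchors directory and regenerate the trust store.

    Returns True on success. Returns False, leaving no stray anchor behind, if the
    update tool is missing, the copy fails, or the update command fails."""
    if not _tool_available(update_cmd):
        return False  # the cross-distro case raised in the thread
    dest = anchor_path(cacert_path, anchors_dir)
    try:
        shutil.copyfile(cacert_path, dest)  # contents only, no mode bits copied
        os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)  # 0644
    except OSError:
        _remove_quietly(dest)
        return False
    try:
        subprocess.check_call(update_cmd)
    except (OSError, subprocess.CalledProcessError):
        _remove_quietly(dest)  # roll back so a failed install leaves no trust anchor
        return False
    return True


def unpublish_ca_cert(cacert_path, anchors_dir, update_cmd):
    """Remove the published copy and regenerate the trust store.

    Returns True when the store is consistent afterwards: anchor absent and the
    update ran, or there was nothing to remove."""
    dest = anchor_path(cacert_path, anchors_dir)
    if not os.path.exists(dest):
        return True
    if not _remove_quietly(dest):
        return False
    if not _tool_available(update_cmd):
        return False
    try:
        subprocess.check_call(update_cmd)
    except (OSError, subprocess.CalledProcessError):
        return False
    return True


def demo():
    """Run both paths in a scratch directory; returns observations as a dict."""
    root = tempfile.mkdtemp()
    anchors = os.path.join(root, "anchors")
    os.mkdir(anchors)
    cacert = os.path.join(root, "ca.crt")
    with open(cacert, "w") as f:  # constructed placeholder, not a real certificate
        f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    marker = os.path.join(root, "updated")
    # Stand-ins for update-ca-trust: the interpreter itself, so no exec bits are needed
    ok_tool = [sys.executable, "-c", "open(%r, 'w').close()" % marker]
    failing_tool = [sys.executable, "-c", "raise SystemExit(1)"]
    missing_tool = [os.path.join(root, "no-such-update-ca-trust")]
    dest = anchor_path(cacert, anchors)

    result = {}
    result["missing_tool"] = publish_ca_cert(cacert, anchors, missing_tool)
    result["failed_update_rolled_back"] = (
        publish_ca_cert(cacert, anchors, failing_tool) is False and not os.path.exists(dest))
    result["published"] = publish_ca_cert(cacert, anchors, ok_tool)
    result["anchor_mode"] = stat.S_IMODE(os.stat(dest).st_mode)
    result["update_ran"] = os.path.exists(marker)
    result["unpublished"] = unpublish_ca_cert(cacert, anchors, ok_tool)
    result["anchor_gone"] = not os.path.exists(dest)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

In real use `update_cmd` would be `["/usr/bin/update-ca-trust"]` and `anchors_dir` the path from the patch; the point of the parameters is that the existence check, the explicit mode and the rollback can be verified without root and without modifying the host's trust store.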
