On 11/15/2013 03:36 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
We discussed this with Tomáš off-line and it turns out that
ipa-client-install fails if the CA cert is not added to

However, according to p11-kit docs it should work:
<http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right
in the link farm under /etc/alternatives) in /etc/pki/nssdb, so
database isn't going to automatically pull in the list of
trusted CAs
that p11-kit maintains.

Whether the database under /etc/pki/nssdb should automatically
the usual set of trust anchors is probably a different

Thanks for the info.

Tomáš, the patch is fine then. I have one more nitpick though:
why did
you change "the default NSS database" to "the NSS database"? The
database in /etc/pki/nssdb *is* the default NSS database, so please
change it back. Also I think "systemwide CA trust database" is
than "systemwide CA store".


I fixed the descriptions. Updated patch attached.



There's one more thing: we should probably check if
exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be
somehow integrated into the platform files so that it can be
overridden in platforms that do not have the systemwide storage.


Updated patch attached, requires my patch 130.

Freeipa-devel mailing list

The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions
insert_ca_cert_into_systemwide_ca_store() and
remove_ca_cert_from_systemwide_ca_store(). But these functions do not
return any values, so you will always be logging `None`.

Thanks for the review,

I removed the code (it was meant for debugging purposes only).

Updated patch attached.

Adding the CA to the NSS cert database is considered a fatal error. Should adding it to the global trust database be fatal as well?

I don't know the answer, but if we want to do this at some point should these functions return True/False to denote success/failure?


I don't think it should be considered fatal, at least not now.

I updated the patch to return the success/failure status, even though this could be done when it is required. It doesn't hurt anything either, and at least other platform files will develop systemwide CA store functions with this approach in mind.

Updated patch attached.

Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From cf08fabea67b4594a2a97154ef6568a6db4e1f0a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide

During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the

 ipa-client/ipa-install/ipa-client-install | 13 +++++-
 ipapython/platform/fedora19/__init__.py   | 67 ++++++++++++++++++++++++++++++-
 ipapython/services.py.in                  | 11 ++++-
 3 files changed, 88 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7095e922663af73edae5a537a923888794b74879..e79cb48b04e7bdf23f6fd757e022e57dbb544640 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -673,6 +673,9 @@ def uninstall(options, env):
         root_logger.warning('Please remove /etc/ipa/default.conf manually, '
                             'as it can cause subsequent installation to fail.')
+    # Remove the CA cert from the systemwide certificate store
+    ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
     # Remove the CA cert
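Review bot: the status now returned by remove_ca_cert_from_systemwide_ca_store() is discarded at `ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)`; since the thread settled on non-fatal handling, at least emit a root_logger.warning when it returns False so the administrator knows a stale ipa- anchor may remain in /etc/pki/ca-trust/source/anchors/ after uninstall. The new comment says "systemwide certificate store" while the rest of the patch says "systemwide CA store" or "CA trust database"; pick one term.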
@@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore):
             return CLIENT_INSTALL_ERROR
         root_logger.info("Configured /etc/sssd/sssd.conf")
+    # Add the CA to the platform-dependant systemwide CA store
+    ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
     # Add the CA to the default NSS database and trust it
-        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+        root_logger.debug("Attempting to add CA directly to the "
+                          "default NSS database.")
+        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+             "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
     except CalledProcessError, e:
         root_logger.info("Failed to add CA to the default NSS database.")
         return CLIENT_INSTALL_ERROR
+    else:
+        root_logger.info('Added the CA to the default NSS database.')
     host_principal = 'host/%s@%s' % (hostname, cli_realm)
     if options.on_master:
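Review bot: as in uninstall(), the return value of `ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)` is ignored, so a False result leaves no trace in the install log beyond whatever the platform function itself logged; a root_logger.warning here (non-fatal, per the discussion) would make the browser-warning symptom from the commit message easier to diagnose. Also "platform-dependant" in the new comment should read "platform-dependent".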
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import shutil
+import os
+from subprocess import CalledProcessError
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
 from ipapython.platform import fedora18, base
 # All what we allow exporting directly from this module
@@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
 #                    applicable
 # check_selinux_status -- platform-specific way to see if SELinux is enabled
 #                         and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+#                                           CA certificate into the systemwide
+#                                           CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+#                                           CA certificate from the systemwide
+#                                           CA store
 __all__ = ['authconfig', 'service', 'knownservices',
     'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
-    'restore_network_configuration', 'timedate_services']
+    'restore_network_configuration', 'timedate_services',
+    'insert_ca_cert_into_systemwide_ca_store',
+    'remove_ca_cert_from_systemwide_ca_store']
 # Just copy a referential list of timedate services
 timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@ service = fedora18.service
 knownservices = fedora18.knownservices
 restore_context = fedora18.restore_context
 check_selinux_status = fedora18.check_selinux_status
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+    # Add the 'ipa-' prefix to cert name to avoid name collisions
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+    # Add the CA to the systemwide CA trust database
+    try:
+        shutil.copy(cacert_path, new_cacert_path)
+        run(['/usr/bin/update-ca-trust'])
+    except OSError, e:
+        root_logger.info("Failed to copy %s to %s" % (cacert_path,
+                                                      new_cacert_path))
+    except CalledProcessError, e:
+        root_logger.info("Failed to add CA to the systemwide "
+                         "CA trust database: %s" % str(e))
+    else:
+        root_logger.info('Added the CA to the systemwide CA trust database.')
+        return True
+    return False
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+    # Derive the certificate name in the store
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+    # Remove CA cert from systemwide store
+    if os.path.exists(new_cacert_path):
+        try:
+            os.remove(new_cacert_path)
+            run(['/usr/bin/update-ca-trust'])
+        except OSError, e:
+            root_logger.error('Could not remove: %s, %s'
+                               % (new_cacert_path, str(e)))
+            return False
+        except CalledProcessError, e:
+            root_logger.error('Could not update systemwide CA trust '
+                              'database: %s' % str(e))
+            return False
+        else:
+            root_logger.info('Systemwide CA database updated.')
+    return True
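Review bot: in insert_ca_cert_into_systemwide_ca_store() the single `except OSError, e:` covers both `shutil.copy(cacert_path, new_cacert_path)` and `run(['/usr/bin/update-ca-trust'])`, so an OSError raised by the second call (for example the binary being absent, the cross-distro case raised earlier in the thread) is logged as "Failed to copy ...", and the caught `e` is never included in that message. Put the copy in its own try block, or append str(e) to the message as the CalledProcessError branch does. The cacert_name/new_cacert_path computation is duplicated in both functions; a small helper would keep the 'ipa-' naming rule in one place.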
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -21,7 +21,7 @@
 authconfig = None
 # knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices) 
+# (instance of ipapython.platform.base.KnownServices)
 knownservices = None
 # service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
 def get_svc_list_file():
     return SVC_LIST_FILE
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+    return True
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+    return True
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
 from ipapython.platform.SUPPORTED_PLATFORM import *
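Review bot: the defaults `insert_ca_cert_into_systemwide_ca_store_default` and `remove_ca_cert_from_systemwide_ca_store_default` report True while doing nothing, so on a platform without an override the caller cannot distinguish "installed" from "not supported here"; that is acceptable given the non-fatal decision, but add a comment stating these are intentional no-ops for platforms without a systemwide CA store (the surrounding entry points in this file each carry one) and that the unused `path` argument is kept for signature compatibility.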

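The two review points in the thread (check that the update tool exists before calling it, and report success or failure as a boolean) in one place, as an added example that is not part of the FreeIPA patch or project code. It is written for Python 3 and takes the store directory and update command as parameters so it can be exercised offline against a temporary directory and a stand-in for update-ca-trust; the function names insert_ca_cert/remove_ca_cert, the demo() helper and the placeholder certificate content are assumptions of this example, while the default paths are the ones the patch uses.

```python
import logging
import os
import shutil
import subprocess
import sys
import tempfile

log = logging.getLogger(__name__)

# Fedora layout used by the patch; both are parameters below because other
# distributions keep their anchors and update tool elsewhere.
DEFAULT_STORE = '/etc/pki/ca-trust/source/anchors/'
DEFAULT_UPDATE_CMD = ['/usr/bin/update-ca-trust']


def store_path(store, cacert_path):
    """Destination inside the store; the 'ipa-' prefix avoids colliding
    with unrelated anchors that happen to share the file name."""
    return os.path.join(store, 'ipa-%s' % os.path.basename(cacert_path))


def run_trust_update(update_cmd):
    """Refresh the trust database. Returns False, without raising, when the
    tool is absent (the cross-distro case from the thread) or fails."""
    if shutil.which(update_cmd[0]) is None:
        log.info('%s not found; systemwide CA trust database not updated',
                 update_cmd[0])
        return False
    try:
        subprocess.run(update_cmd, check=True)
    except (OSError, subprocess.CalledProcessError) as e:
        log.info('Failed to update systemwide CA trust database: %s', e)
        return False
    return True


def insert_ca_cert(cacert_path, store=DEFAULT_STORE,
                   update_cmd=DEFAULT_UPDATE_CMD):
    """Copy the CA cert into the store and refresh the trust database.
    True only when both steps succeed; copy and update errors are reported
    separately so the log says which step failed."""
    dest = store_path(store, cacert_path)
    try:
        shutil.copy(cacert_path, dest)
    except OSError as e:
        log.info('Failed to copy %s to %s: %s', cacert_path, dest, e)
        return False
    return run_trust_update(update_cmd)


def remove_ca_cert(cacert_path, store=DEFAULT_STORE,
                   update_cmd=DEFAULT_UPDATE_CMD):
    """Remove the CA cert from the store (nothing to do if absent) and
    refresh the trust database."""
    dest = store_path(store, cacert_path)
    if not os.path.exists(dest):
        return True
    try:
        os.remove(dest)
    except OSError as e:
        log.error('Could not remove %s: %s', dest, e)
        return False
    return run_trust_update(update_cmd)


def demo():
    """Exercise both functions against a constructed temporary store and a
    stand-in update tool; returns the observed results for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, 'anchors')
        os.makedirs(store)
        # Constructed placeholder content standing in for the client's
        # CA certificate file (CACERT in the patch).
        cacert = os.path.join(tmp, 'ca.crt')
        with open(cacert, 'w') as f:
            f.write('-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n'
                    '-----END CERTIFICATE-----\n')
        # Stand-in for update-ca-trust: appends a line to a marker file on
        # every invocation so the number of refreshes can be counted.
        marker = os.path.join(tmp, 'updates')
        fake_update = [sys.executable, '-c',
                       'open(%r, "a").write("run\\n")' % marker]
        installed = os.path.join(store, 'ipa-ca.crt')

        results = {}
        results['insert'] = insert_ca_cert(cacert, store, fake_update)
        results['present'] = os.path.exists(installed)
        results['remove'] = remove_ca_cert(cacert, store, fake_update)
        results['absent'] = not os.path.exists(installed)
        # Tool missing: the copy still lands but the call reports failure,
        # which the installer may treat as non-fatal (the thread's decision).
        results['missing_tool'] = insert_ca_cert(
            cacert, store, [os.path.join(tmp, 'no-such-update-ca-trust')])
        with open(marker) as f:
            results['updates_run'] = len(f.read().split())
        return results


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Splitting the copy and the update into separate try blocks is what makes the log messages trustworthy: a missing update tool is reported as an update problem rather than as a failed copy, and the boolean result lets the installer decide whether to warn or abort.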