Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5595>.

Honza

--
Jan Cholasta
From 0823cc7e740f993a63dd5a81fb1d6c59d557a542 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to a DS that uses a
3rd-party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f86468..e990a3c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -155,11 +154,9 @@ def _main():
                             "Updating CA certificate failed: %s" % e)
 
                 # Add external CA certificates
-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
                 try:
-                    ca_certs = certstore.get_ca_certs(
-                        conn, api.env.basedn, api.env.realm, False,
-                        filter_subject=ca_issuer)
+                    ca_certs = certstore.get_ca_certs_nss(
+                        conn, api.env.basedn, api.env.realm, False)
                 except Exception as e:
                     syslog.syslog(
                         syslog.LOG_ERR,
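Review bot: The replaced call to `certstore.get_ca_certs_nss` drops the `filter_subject=ca_issuer` restriction, so every CA certificate published in LDAP is now imported into Dogtag's NSS database instead of only the IPA CA's issuer chain; the commit message gives the reason, but the code no longer does, and the trailing positional `False` is unexplained at the call site. Suggest a comment above the `try:` such as `# Import every CA cert published in LDAP, not just the IPA CA issuer chain: Dogtag must also trust the issuer of the DS server cert (ticket 5595)`, and naming what the fourth argument controls once confirmed against certstore.get_ca_certs_nss, since its meaning is not visible here. The same point applies to the second patch's hunk at `@@ -158,11 +157,9 @@`. `_main` starts before and continues past this hunk.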
@@ -167,19 +164,7 @@ def _main():
                         "%s" % e)
                     ca_certs = []
 
-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-                    nick = nick_base
-                    i = 1
-                    while db.has_nickname(nick):
-                        nick = '%s [%s]' % (nick_base, i)
-                        i += 1
-                    if ca_trusted is False:
-                        flags = 'p,p,p'
-                    else:
-                        flags = 'CT,c,'
-
+                for ca_cert, nick, flags in ca_certs:
                     try:
                         db.add_cert(ca_cert, nick, flags)
                     except ipautil.CalledProcessError as e:
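Review bot: The removed `while db.has_nickname(nick)` loop de-duplicated nicknames against the target NSS database itself, whereas the new `for ca_cert, nick, flags in ca_certs:` takes nicknames as computed by `get_ca_certs_nss`, which has no access to `db`. If that helper only de-duplicates among the LDAP entries, a nickname already present in the Dogtag database now goes straight to `db.add_cert`, and whether that ends in the `except ipautil.CalledProcessError` below or quietly changes an existing entry's trust flags is not visible here — worth confirming. The trust-flag choice (`'p,p,p'` versus `'CT,c,'`) has likewise moved out of this script, so a one-line comment such as `# nick and NSS trust flags are chosen by certstore.get_ca_certs_nss` above the loop would keep the intent readable. The same applies to the second patch's hunk at `@@ -170,19 +167,7 @@`; `_main`'s body continues past the end of this hunk.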
-- 
2.5.0

From caffb10f2d4a75d02fbacfd11be44e92e0649ea7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to a DS that uses a
3rd-party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765..c3a5abd 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
                             "Updating CA certificate failed: %s" % e)
 
                 # Add external CA certificates
-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
                 try:
-                    ca_certs = certstore.get_ca_certs(
-                        conn, api.env.basedn, api.env.realm, False,
-                        filter_subject=ca_issuer)
+                    ca_certs = certstore.get_ca_certs_nss(
+                        conn, api.env.basedn, api.env.realm, False)
                 except Exception, e:
                     syslog.syslog(
                         syslog.LOG_ERR,
@@ -170,19 +167,7 @@ def _main():
                         "%s" % e)
                     ca_certs = []
 
-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-                    nick = nick_base
-                    i = 1
-                    while db.has_nickname(nick):
-                        nick = '%s [%s]' % (nick_base, i)
-                        i += 1
-                    if ca_trusted is False:
-                        flags = 'p,p,p'
-                    else:
-                        flags = 'CT,c,'
-
+                for ca_cert, nick, flags in ca_certs:
                     try:
                         db.add_cert(ca_cert, nick, flags)
                     except ipautil.CalledProcessError, e:
-- 
2.5.0
