On 22.1.2016 12:28, Jan Cholasta wrote:
On 22.1.2016 10:34, Martin Babinsky wrote:
On 01/21/2016 10:27 AM, Jan Cholasta wrote:
Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5595>.

Honza



ACK

Self-NACK. The patch does not work with an external CA install.


Updated patches attached.

--
Jan Cholasta
From e2419fe2190cf1da3b291882ba82b4ffde6ad46a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs into the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag being unable to connect to DS after
ipa-certupdate when DS uses a 3rd-party server cert.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f86468..bfb726c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -155,11 +154,9 @@ def _main():
                             "Updating CA certificate failed: %s" % e)
 
                 # Add external CA certificates
-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
                 try:
-                    ca_certs = certstore.get_ca_certs(
-                        conn, api.env.basedn, api.env.realm, False,
-                        filter_subject=ca_issuer)
+                    ca_certs = certstore.get_ca_certs_nss(
+                        conn, api.env.basedn, api.env.realm, False)
                 except Exception as e:
                     syslog.syslog(
                         syslog.LOG_ERR,
@@ -167,25 +164,18 @@ def _main():
                         "%s" % e)
                     ca_certs = []
 
-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-                    nick = nick_base
-                    i = 1
-                    while db.has_nickname(nick):
-                        nick = '%s [%s]' % (nick_base, i)
-                        i += 1
-                    if ca_trusted is False:
-                        flags = 'p,p,p'
-                    else:
-                        flags = 'CT,c,'
-
+                for ca_cert, ca_nick, ca_flags in ca_certs:
                     try:
-                        db.add_cert(ca_cert, nick, flags)
+                        db.add_cert(ca_cert, ca_nick, ca_flags)
                     except ipautil.CalledProcessError as e:
                         syslog.syslog(
                             syslog.LOG_ERR,
                             "Failed to add certificate %s" % ca_nick)
+
+                # Pass Dogtag's self-tests
+                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+                    ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+                    db.trust_root_cert(ca_nick, 'C' + ca_flags)
             finally:
                 if conn is not None and conn.isconnected():
                     conn.disconnect()
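Review bot: The lookup `dict(cc[1:] for cc in ca_certs)[ca_nick]` in the new self-test loop raises an uncaught KeyError whenever the nickname selected by `db.find_root_cert(nickname)[-2:-1]` is not among the certificates just fetched from LDAP — which is exactly the state after the `certstore.get_ca_certs_nss` call above fails and `ca_certs` is set to `[]`, and presumably also when that chain entry already sits in the NSS database under a nickname LDAP does not know. The fetch failure and the `add_cert` failures are only logged, so this turns a best-effort import into a traceback and an aborted renewal script after the CA certificate itself has already been updated. Build the nickname→flags map once, skip with a logged error on a miss, and use loop names that do not shadow the import loop's `ca_nick`/`ca_flags`. The enclosing `_main` and the `try` this `finally` closes both start outside the hunk.
```python
                # Pass Dogtag's self-tests: the chain entry selected below must
                # carry the 'C' trust flag in the Dogtag NSS database.
                flags_by_nick = dict(cc[1:] for cc in ca_certs)
                for chain_nick in db.find_root_cert(nickname)[-2:-1]:
                    if chain_nick not in flags_by_nick:
                        syslog.syslog(
                            syslog.LOG_ERR,
                            "Certificate %s not found in LDAP, trust flags "
                            "not updated" % chain_nick)
                        continue
                    db.trust_root_cert(chain_nick, 'C' + flags_by_nick[chain_nick])
```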
-- 
2.5.0

From fef9b5d8b020178ac266acf274e72b95805420d3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs into the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag being unable to connect to DS after
ipa-certupdate when DS uses a 3rd-party server cert.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765..92dc0e6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
                             "Updating CA certificate failed: %s" % e)
 
                 # Add external CA certificates
-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
                 try:
-                    ca_certs = certstore.get_ca_certs(
-                        conn, api.env.basedn, api.env.realm, False,
-                        filter_subject=ca_issuer)
+                    ca_certs = certstore.get_ca_certs_nss(
+                        conn, api.env.basedn, api.env.realm, False)
                 except Exception, e:
                     syslog.syslog(
                         syslog.LOG_ERR,
@@ -170,25 +167,18 @@ def _main():
                         "%s" % e)
                     ca_certs = []
 
-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-                    nick = nick_base
-                    i = 1
-                    while db.has_nickname(nick):
-                        nick = '%s [%s]' % (nick_base, i)
-                        i += 1
-                    if ca_trusted is False:
-                        flags = 'p,p,p'
-                    else:
-                        flags = 'CT,c,'
-
+                for ca_cert, ca_nick, ca_flags in ca_certs:
                     try:
-                        db.add_cert(ca_cert, nick, flags)
+                        db.add_cert(ca_cert, ca_nick, ca_flags)
                     except ipautil.CalledProcessError, e:
                         syslog.syslog(
                             syslog.LOG_ERR,
                             "Failed to add certificate %s" % ca_nick)
+
+                # Pass Dogtag's self-tests
+                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+                    ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+                    db.trust_root_cert(ca_nick, 'C' + ca_flags)
             finally:
                 if conn is not None and conn.isconnected():
                     conn.disconnect()
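Review bot: `db.trust_root_cert(ca_nick, 'C' + ca_flags)` prepends a literal `C` to whatever flag string came back from LDAP without inspecting it; the removed lines in this hunk show that the stored trust can be the distrust form `p,p,p` for `ca_trusted is False`, and if `get_ca_certs_nss` preserves that form the call produces `Cp,p,p`, mixing "trusted CA" and "distrusted" in the SSL field for a certificate the administrator explicitly distrusted. I cannot see `get_ca_certs_nss` from here, so treat this as a case to confirm; if the distrusted form can reach this point, skip it with `if ca_flags.startswith('p'): continue` before the trust call (and consider not doubling an existing `C`, which yields `CC,,`). As in the first patch, `dict(cc[1:] for cc in ca_certs)[ca_nick]` is also unguarded and raises KeyError when `ca_certs` is empty after the logged LDAP failure. `_main` and the `try` closed by this `finally` begin outside the hunk.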
-- 
2.5.0
