Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5592>.

Honza

--
Jan Cholasta
From 30e528a6254c72b52f89dbfa164c2b972939c58f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 22 Feb 2016 15:05:35 +0100
Subject: [PATCH] client: stop using /etc/pki/nssdb

Don't put any IPA certificates into /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.

https://fedorahosted.org/freeipa/ticket/5592
---
 client/ipa-client-install                | 30 ------------------------------
 client/man/ipa-client-install.1          |  2 --
 freeipa.spec.in                          | 11 ++---------
 ipaclient/ipa_certupdate.py              | 12 ------------
 ipapython/certdb.py                      | 29 +++++++++++++++++++++++++++++
 ipaserver/install/ipa_backup.py          |  3 +--
 ipaserver/install/ipa_restore.py         | 21 ++++-----------------
 ipatests/test_integration/test_caless.py | 17 -----------------
 8 files changed, 36 insertions(+), 89 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 072bf9d..1e61124 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -559,29 +559,12 @@ def uninstall(options, env):
             root_logger.error("%s failed to stop tracking certificate: %s",
                               cmonger.service_name, e)
 
-    # Remove our host cert and CA cert
-    try:
-        ipa_certs = ipa_db.list_certs()
-    except CalledProcessError as e:
-        root_logger.error(
-            "Failed to list certificates in %s: %s", ipa_db.secdir, e)
-        ipa_certs = []
-
     for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
                      os.path.join(ipa_db.secdir, 'key3.db'),
                      os.path.join(ipa_db.secdir, 'secmod.db'),
                      os.path.join(ipa_db.secdir, 'pwdfile.txt')):
         remove_file(filename)
 
-    for nickname, trust_flags in ipa_certs:
-        while sys_db.has_nickname(nickname):
-            try:
-                sys_db.delete_cert(nickname)
-            except Exception as e:
-                root_logger.error("Failed to remove %s from %s: %s",
-                                  nickname, sys_db.secdir, e)
-                break
-
     # Remove any special principal names we added to the IPA CA helper
     certmonger.remove_principal_from_cas()
 
@@ -2899,19 +2882,6 @@ def install(options, env, fstore, statestore):
     # Add the CA certificates to the platform-dependant systemwide CA store
     tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
 
-    # Add the CA certificates to the default NSS database
-    root_logger.debug(
-        "Attempting to add CA certificates to the default NSS database.")
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-    for cert, nickname, trust_flags in ca_certs_trust:
-        try:
-            sys_db.add_cert(cert, nickname, trust_flags)
-        except CalledProcessError as e:
-            root_logger.error(
-                "Failed to add %s to the default NSS database.", nickname)
-            return CLIENT_INSTALL_ERROR
-    root_logger.info("Added CA certificates to the default NSS database.")
-
     if not options.on_master:
         client_dns(cli_server[0], hostname, options)
         configure_certmonger(fstore, subject_base, cli_realm, hostname,
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 494fd49..92ea77a 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -266,8 +266,6 @@ Files updated, existing content is maintained:
 
 /etc/nsswitch.conf
 .br
-/etc/pki/nssdb
-.br
 /etc/krb5.keytab
 .br
 /etc/sysconfig/network
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 54a11bf..48fec97 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -937,15 +937,8 @@ if [ $1 -gt 1 ] ; then
         fi
     fi
 
-    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
-        tempfile=$(mktemp)
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        fi
-        rm -f "$tempfile"
+    if [ $restore -ge 2 ]; then
+        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
 fi
 
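Review bot: The new `python2 -c ... >/var/log/ipaupgrade.log 2>&1` line truncates the upgrade log each time it runs, discarding whatever earlier steps of this scriptlet (or a previous upgrade) wrote there; the removed certutil lines had the same pattern, but now that this is a single call it is the natural point to switch to `>>/var/log/ipaupgrade.log 2>&1`. `update_ipa_nssdb` raises RuntimeError on a certutil failure, which makes the python2 command exit non-zero; if this `if` block is the last statement of the scriptlet, that status becomes the scriptlet's exit status, so confirm whether a failed nssdb migration should fail the package upgrade and otherwise append `|| :`. The enclosing `if [ $1 -gt 1 ]` begins before the hunk.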
diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py
index 9d14f6a..b957219 100644
--- a/ipaclient/ipa_certupdate.py
+++ b/ipaclient/ipa_certupdate.py
@@ -95,17 +95,6 @@ class CertUpdate(admintool.AdminTool):
         self.update_file(paths.IPA_CA_CRT, certs)
 
         ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-        sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-
-        # Remove IPA certs from /etc/pki/nssdb
-        for nickname, trust_flags in ipa_db.list_certs():
-            while sys_db.has_nickname(nickname):
-                try:
-                    sys_db.delete_cert(nickname)
-                except ipautil.CalledProcessError as e:
-                    self.log.error("Failed to remove %s from %s: %s",
-                                   nickname, sys_db.secdir, e)
-                    break
 
         # Remove old IPA certs from /etc/ipa/nssdb
         for nickname in ('IPA CA', 'External CA cert'):
@@ -118,7 +107,6 @@ class CertUpdate(admintool.AdminTool):
                     break
 
         self.update_db(ipa_db.secdir, certs)
-        self.update_db(sys_db.secdir, certs)
 
         tasks.remove_ca_certs_from_systemwide_ca_store()
         tasks.insert_ca_certs_into_systemwide_ca_store(certs)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 1e6c63a..aea50a8 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -56,6 +56,35 @@ def create_ipa_nssdb():
     os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
 
 
+def update_ipa_nssdb():
+    ipa_db = NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = NSSDatabase(paths.NSS_DB_DIR)
+
+    if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+        create_ipa_nssdb()
+
+    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+                                  ('External CA cert', 'C,,')):
+        try:
+            cert = sys_db.get_cert(nickname)
+        except RuntimeError:
+            continue
+        try:
+            ipa_db.add_cert(cert, nickname, trust_flags)
+        except ipautil.CalledProcessError as e:
+            raise RuntimeError("Failed to add %s to %s: %s" %
+                               (nickname, ipa_db.secdir, e))
+
+    # Remove IPA certs from /etc/pki/nssdb
+    for nickname, trust_flags in ipa_db.list_certs():
+        while sys_db.has_nickname(nickname):
+            try:
+                sys_db.delete_cert(nickname)
+            except ipautil.CalledProcessError as e:
+                raise RuntimeError("Failed to remove %s from %s: %s" %
+                                   (nickname, sys_db.secdir, e))
+
+
 def find_cert_from_txt(cert, start=0):
     """
     Given a cert blob (str) which may or may not contian leading and
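Review bot: `update_ipa_nssdb` raises on the first failed `ipa_db.add_cert`, so if importing 'IPA CA' fails the 'External CA cert' entry is never migrated and the removal loop at the end never runs, leaving the stale copies in /etc/pki/nssdb; the `cert_restore` code this replaces logged per certificate and carried on, and since ipa-client-install uninstall no longer cleans /etc/pki/nssdb, this function is now the only place those leftovers are removed. Collecting the failures and raising once after the removal loop keeps the function's contract (RuntimeError on failure) while still doing as much of the migration as possible; the sketch below also restores the `break` the old uninstall loop had, so a delete that keeps failing cannot spin. The second loop's `trust_flags` is unused, `for nickname, _ in ipa_db.list_certs():`, and the function has no docstring — something like `"""Move the IPA CA certificates from the system NSS database into /etc/ipa/nssdb (creating it if missing) and remove them from the system database; raises RuntimeError on certutil failure."""`. Note the removal loop deletes from sys_db every nickname present in ipa_db, not only the two migrated ones — presumably intended for the host certificate, but any unrelated sys_db entry that shares a nickname with an ipa_db entry goes with it.
```python
def update_ipa_nssdb():
    # … unchanged: NSSDatabase setup and create_ipa_nssdb() …
    errors = []
    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
                                  ('External CA cert', 'C,,')):
        try:
            cert = sys_db.get_cert(nickname)
        except RuntimeError:
            continue
        try:
            ipa_db.add_cert(cert, nickname, trust_flags)
        except ipautil.CalledProcessError as e:
            errors.append("Failed to add %s to %s: %s" %
                          (nickname, ipa_db.secdir, e))

    # Remove IPA certs from /etc/pki/nssdb
    for nickname, _ in ipa_db.list_certs():
        while sys_db.has_nickname(nickname):
            try:
                sys_db.delete_cert(nickname)
            except ipautil.CalledProcessError as e:
                errors.append("Failed to remove %s from %s: %s" %
                              (nickname, sys_db.secdir, e))
                break

    if errors:
        raise RuntimeError("; ".join(errors))
```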
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index d49576d..ae387ad 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -173,8 +173,7 @@ class Backup(admintool.AdminTool):
         paths.IPA_DNSKEYSYNCD_KEYTAB,
         paths.HOSTS,
     ) + tuple(
-        os.path.join(base, file)
-        for base in (paths.NSS_DB_DIR, paths.IPA_NSSDB_DIR)
+        os.path.join(paths.IPA_NSSDB_DIR, file)
         for file in ('cert8.db', 'key3.db', 'secmod.db')
     )
 
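Review bot: The rewritten generator still binds `file`, which shadows the Python 2 builtin of that name (the `for file in` line is unchanged context); since the expression is being touched anyway, `os.path.join(paths.IPA_NSSDB_DIR, name)` with `for name in ('cert8.db', 'key3.db', 'secmod.db')` avoids the shadowing. The tuple this feeds starts before the hunk.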
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 2c53f03..b6ac511 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -831,23 +831,10 @@ class Restore(admintool.AdminTool):
         tasks.remove_ca_certs_from_systemwide_ca_store()
 
     def cert_restore(self):
-        if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
-            certdb.create_ipa_nssdb()
-            ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-            sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-            for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-                                          ('External CA cert', 'C,,')):
-                try:
-                    cert = sys_db.get_cert(nickname)
-                except RuntimeError:
-                    pass
-                else:
-                    try:
-                        ipa_db.add_cert(cert, nickname, trust_flags)
-                    except ipautil.CalledProcessError as e:
-                        self.log.error(
-                            "Failed to add %s to %s: %s" %
-                            (nickname, paths.IPA_NSSDB_DIR, e))
+        try:
+            certdb.update_ipa_nssdb()
+        except RuntimeError as e:
+            self.log.error("%s", e)
 
         tasks.reload_systemwide_ca_store()
 
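Review bot: `cert_restore` still has no docstring, and the new body changes failure semantics: the removed loop logged each failed `add_cert` and moved on to the next nickname, whereas `certdb.update_ipa_nssdb` raises at the first failure, so a failed 'IPA CA' import now also skips 'External CA cert' and the /etc/pki/nssdb cleanup. If that is acceptable, say so in a docstring such as `"""Migrate CA certificates into /etc/ipa/nssdb via certdb.update_ipa_nssdb (failures are logged, not fatal) and reload the system-wide CA store."""`. With the `ipautil.CalledProcessError` and `os.path` uses gone from this method, check whether those imports are still referenced elsewhere in the module.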
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 4dda79b..fdc4fc8 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -112,12 +112,6 @@ class CALessBase(IntegrationTest):
         # Remove the NSS database
         shutil.rmtree(cls.cert_dir)
 
-        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
-        for host in cls.get_all_hosts():
-            cls.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                    '-n', 'External CA cert'],
-                                   raiseonerr=False)
-
         super(CALessBase, cls).uninstall(mh)
 
     @classmethod
@@ -343,12 +337,6 @@ class TestServerInstall(CALessBase):
     def tearDown(self):
         self.uninstall_server()
 
-        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
-        for host in self.get_all_hosts():
-            self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                     '-n', 'External CA cert'],
-                                    raiseonerr=False)
-
     def test_nonexistent_ca_pem_file(self):
         "IPA server install with non-existent CA PEM file "
 
@@ -769,12 +757,7 @@ class TestReplicaInstall(CALessBase):
         self.master.run_command(['ipa', 'host-del', replica.hostname],
                                 raiseonerr=False)
 
-        replica.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                             '-n', 'External CA cert'], raiseonerr=False)
-
         self.uninstall_server()
-        self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                 '-n', 'External CA cert'], raiseonerr=False)
 
     def test_no_certs(self):
         "IPA replica install without certificates"
-- 
2.5.0
