flo-renaud's pull request #69: "Fix ipa-replica-install with RHEL 6.8 master" was opened

PR body:
"""
ipa-replica-prepare creates a gpg file containing realm_info/cacert.p12 with
the certificates.
When run on a RHEL 6.8 instance, cacert.p12 contains the same cert twice
(for caSigningCert cert-pki-ca), once with the nickname and once without.

ipa-replica-install passes this file to pkispawn and makes pkispawn fail.
The fix exports the pkcs12 file into a temp nssdb then re-creates a pkcs12
file from the nssdb (this process removes the duplicate cert).

https://fedorahosted.org/freeipa/ticket/6310
"""

See the full pull request at https://github.com/freeipa/freeipa/pull/69
... or pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/69/head:pr69
git checkout pr69
From 5f77e9ba884af304d2e9158ea8f28e9daaafb136 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 8 Sep 2016 14:00:43 +0200
Subject: [PATCH] Fix ipa-replica-install with RHEL 6.8 master

ipa-replica-prepare creates a gpg file containing realm_info/cacert.p12 with
the certificates.
When run on a RHEL 6.8 instance, cacert.p12 contains the same cert twice
(for caSigningCert cert-pki-ca), once with the nickname and once without.

ipa-replica-install passes this file to pkispawn and makes pkispawn fail.
The fix exports the pkcs12 file into a temp nssdb then re-creates a pkcs12
file from the nssdb (this process removes the duplicate cert).

https://fedorahosted.org/freeipa/ticket/6310
---
 ipaserver/install/cainstance.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ab006be..df9dabc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -53,6 +53,7 @@
 from ipaplatform.tasks import tasks
 
 from ipapython import dogtag
+from ipapython import certdb
 from ipapython import certmonger
 from ipapython import ipautil
 from ipapython import ipaldap
@@ -522,7 +523,21 @@ def __spawn_instance(self):
                 config.set("CA", "pki_clone_reindex_data", "True")
 
             cafile = self.pkcs12_info[0]
-            shutil.copy(cafile, paths.TMP_CA_P12)
+            # When the cafile was generated on older releases,
+            # it may contain a duplicate cert which causes issues
+            # with pkispawn
+            # import into nssdb and export fixes the issue
+            with certdb.NSSDatabase() as nssdb:
+                db_password = ipautil.ipa_generate_password()
+                db_pwdfile = ipautil.write_tmp_file(db_password)
+                nssdb.create_db(db_pwdfile.name)
+                nssdb.import_pkcs12(cafile, db_pwdfile.name, self.dm_password)
+                pwfile = ipautil.write_tmp_file(self.dm_password)
+                ipautil.run([paths.PKCS12EXPORT,
+                             '-d', nssdb.secdir,
+                             '-p', db_pwdfile.name,
+                             '-w', pwfile.name,
+                             '-o', paths.TMP_CA_P12])
             pent = pwd.getpwnam(constants.PKI_USER)
             os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
 
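Review bot: the temp file holding the Directory Manager password (`pwfile = ipautil.write_tmp_file(self.dm_password)`) is a function-scope local that outlives the `with certdb.NSSDatabase() as nssdb:` block, so the plaintext password remains on disk until `__spawn_instance` returns; close `pwfile` (and `db_pwdfile`) immediately after the `ipautil.run([paths.PKCS12EXPORT, ...])` call, ideally in a `try`/`finally` so a failing export does not leave them behind. Two smaller points: the replaced `shutil.copy(cafile, paths.TMP_CA_P12)` carried over the source file's mode bits, while the file written by pk12util `-o` gets its mode from the umask, so an explicit `os.chmod` next to `os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)` would keep the previous permissions; and the four-line comment reads better as one sentence with punctuation, e.g. `# Importing into an NSS DB and exporting again drops the duplicate cert.`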
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code