URL: https://github.com/freeipa/freeipa/pull/580
Author: stlaz
 Title: #580: Fix KDC certificates export on DL0
Action: synchronized

From 280af15a914aa7ec4faf83eb6016e917442d6500 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 14 Mar 2017 09:17:51 +0100
Subject: [PATCH] Fix KDC certificates export on DL0

https://pagure.io/freeipa/issue/6759
---
 ipaserver/install/certs.py               | 16 +++++++++++-----
 ipaserver/install/ipa_replica_prepare.py | 20 ++++++--------------
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..4bcc009 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -75,11 +75,17 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
                  "-passin", "file:" + pwd.name])
 
 
-def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
-    ipautil.run([paths.OPENSSL, "pkcs12",
-                 "-export", "-name", nickname,
-                 "-in", pem_fname, "-out", pkcs12_fname,
-                 "-passout", "file:" + pkcs12_pwd_fname])
+def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname,
+                   key_fname=None):
+    args = [
+        paths.OPENSSL, "pkcs12",
+        "-export", "-name", nickname,
+        "-in", pem_fname, "-out", pkcs12_fname,
+        "-passout", "file:" + pkcs12_pwd_fname
+    ]
+    if key_fname is not None:
+        args.extend(['-inkey', key_fname])
+    ipautil.run(args)
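Review bot: The new `key_fname` parameter changes what `export_pem_p12` expects of `pem_fname` — with `-inkey` the private key is read from the separate file, without it OpenSSL expects the key to be inside the PEM input — and nothing documents that, so I'd add a docstring: `"""Bundle a PEM certificate (and its key) into a PKCS#12 file.\n\npem_fname must contain the private key unless key_fname names a separate key file; the bundle is protected with the password read from pkcs12_pwd_fname."""`. The function also writes a bundle containing a private key to `pkcs12_fname` with whatever mode OpenSSL's default umask gives it; whether the caller's directory restricts access is not visible here, so a `# NOTE: caller is responsible for the mode/ownership of pkcs12_fname` comment would make that assumption explicit.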
 
 
 class CertDB(object):
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..044c993 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -447,7 +447,10 @@ def copy_pkinit_certificate(self):
             self.copy_info_file(self.pkinit_pkcs12_file.name, "pkinitcert.p12")
         else:
             self.log.info("Creating SSL certificate for the KDC")
-            self.export_certdb("pkinitcert", passwd_fname, is_kdc=True)
+            pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
+            certs.export_pem_p12(
+                pkcs12_fname, passwd_fname, "KDC-Cert",
+                pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
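Review bot: The new `certs.export_pem_p12(...)` call has no failure handling, unlike the `export_certdb` path it replaces, which catches `ipautil.CalledProcessError` and removes the half-written `.p12`; if OpenSSL fails here (missing `paths.KDC_CERT`/`paths.KDC_KEY`, wrong password file) a partial `pkcsinitcert.p12` can be left in `self.dir` and the exception propagates with no context. I'd wrap the call so the partial bundle is removed before re-raising, as shown below. The log line still says "Creating SSL certificate for the KDC" although the branch now only re-packages an existing certificate; `"Exporting the KDC certificate"` would match the code. `copy_pkinit_certificate` begins outside the hunk, so the condition guarding this `else:` is not visible.
```python
            pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
            try:
                certs.export_pem_p12(
                    pkcs12_fname, passwd_fname, "KDC-Cert",
                    pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
            except ipautil.CalledProcessError as e:
                self.log.info("error exporting KDC certificate: %s", e)
                installutils.remove_file(pkcs12_fname)
                raise
```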
 
     def copy_misc_files(self):
         self.log.info("Copying additional files")
@@ -596,11 +599,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
         hostname = self.replica_fqdn
         subject_base = self.subject_base
 
-        if is_kdc:
-            nickname = "KDC-Cert"
-        else:
-            nickname = "Server-Cert"
-
+        nickname = "Server-Cert"
         try:
             db = certs.CertDB(
                 api.env.realm, nssdir=self.dir, subject_base=subject_base)
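Review bot: After this change `is_kdc` is dead — the signature in the hunk header still reads `def export_certdb(self, fname, passwd_fname, is_kdc=False)` but no remaining branch in this hunk or the following ones consults it, so a caller passing `is_kdc=True` silently gets a Server-Cert export. Unless a caller outside this diff still passes it, drop the parameter: `def export_certdb(self, fname, passwd_fname):`; if it must stay for compatibility, a `# is_kdc is accepted but ignored; KDC export moved to copy_pkinit_certificate` comment is the minimum. The body of `export_certdb` continues past this hunk.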
@@ -611,11 +610,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
             pkcs12_fname = os.path.join(self.dir, fname + ".p12")
 
             try:
-                if is_kdc:
-                    certs.export_pem_p12(pkcs12_fname, passwd_fname,
-                        nickname, os.path.join(self.dir, "kdc.pem"))
-                else:
-                    db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
+                db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
             except ipautil.CalledProcessError as e:
                 self.log.info("error exporting Server certificate: %s", e)
                 installutils.remove_file(pkcs12_fname)
@@ -626,9 +621,6 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
             self.remove_info_file("secmod.db")
             self.remove_info_file("noise.txt")
 
-            if is_kdc:
-                self.remove_info_file("kdc.pem")
-
             orig_filename = passwd_fname + ".orig"
             if ipautil.file_exists(orig_filename):
                 installutils.remove_file(orig_filename)
-- 