[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/13] certdb: add named trust flag constants
Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
---
install/restart_scripts/restart_httpd | 3 ++-
install/tools/ipa-replica-conncheck| 4 +++-
ipaclient/install/client.py| 9 ++---
ipapython/certdb.py| 9 +++--
ipaserver/install/ca.py| 2 +-
ipaserver/install/certs.py | 5 +++--
ipaserver/install/dsinstance.py| 5 +++--
ipaserver/install/httpinstance.py | 5 +++--
ipaserver/install/ipa_cacert_manage.py | 16 +++-
ipaserver/install/plugins/upload_cacrt.py | 2 +-
ipaserver/install/server/replicainstall.py | 3 ++-
ipaserver/install/server/upgrade.py| 4 ++--
12 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
from ipaserver.install import certs, installutils
@@ -36,7 +37,7 @@ def _main():
nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
# Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
data = ca_cert.public_bytes(
serialization.Encoding.DER)
nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
api.bootstrap(context='client',
confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
create_ipa_nssdb()
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
- ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
try:
cert = sys_db.get_cert(nickname)
except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
tmp_db.create_db()
for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
except CalledProcessError:
raise ScriptError(
"Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
return format % realm
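Review bot: The new constants in the ipapython/certdb.py hunk (`EMPTY_TRUST_FLAGS` through `TRUSTED_PEER_TRUST_FLAGS`) carry no comment explaining the NSS trust-flag syntax, so a reader still has to know from elsewhere why 'CT,C,C' grants more than 'C,,'. A short comment above them would make the security meaning explicit, e.g. `# NSS trust flags, one field per usage: SSL,S/MIME,object signing; C = trusted CA for server certs, T = trusted CA for client auth, P = trusted peer (end-entity) cert; see certutil(1)`. Since these strings are presumably handed to certutil unchanged by add_cert/trust_root_cert, the comment should also say that callers pick one of these constants rather than assembling trust strings by hand, because a typo silently changes what a certificate is trusted for. The identical hunk in the resent [PATCH 01/14] copy of this mail needs the same comment.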
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
cert = x509.load_certificate(cert_pem)
nickname = str(DN(cert.subject))
data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, ni
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/14] certdb: add named trust flag constants
Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
---
install/restart_scripts/restart_httpd | 3 ++-
install/tools/ipa-replica-conncheck| 4 +++-
ipaclient/install/client.py| 9 ++---
ipapython/certdb.py| 9 +++--
ipaserver/install/ca.py| 2 +-
ipaserver/install/certs.py | 5 +++--
ipaserver/install/dsinstance.py| 5 +++--
ipaserver/install/httpinstance.py | 5 +++--
ipaserver/install/ipa_cacert_manage.py | 16 +++-
ipaserver/install/plugins/upload_cacrt.py | 2 +-
ipaserver/install/server/replicainstall.py | 3 ++-
ipaserver/install/server/upgrade.py| 4 ++--
12 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
from ipaserver.install import certs, installutils
@@ -36,7 +37,7 @@ def _main():
nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
# Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
data = ca_cert.public_bytes(
serialization.Encoding.DER)
nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
api.bootstrap(context='client',
confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
create_ipa_nssdb()
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
- ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
try:
cert = sys_db.get_cert(nickname)
except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
tmp_db.create_db()
for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
except CalledProcessError:
raise ScriptError(
"Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
return format % realm
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
cert = x509.load_certificate(cert_pem)
nickname = str(DN(cert.subject))
data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, ni
[Freeipa-devel] [freeipa PR#769][comment] test_caless: add pkinit option and test it
URL: https://github.com/freeipa/freeipa/pull/769 Title: #769: test_caless: add pkinit option and test it HonzaCholasta commented: """ @stlaz & @Rezney, kind permission given. """ See the full comment at https://github.com/freeipa/freeipa/pull/769#issuecomment-30231
[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable HonzaCholasta commented: """ No problem, thank you. """ See the full comment at https://github.com/freeipa/freeipa/pull/804#issuecomment-303311812
[Freeipa-devel] [freeipa PR#804][-ack] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable Label: -ack
[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable HonzaCholasta commented: """ I have already "solved" this by changing the permissions of the cert file in the `renew_kdc_cert`. Your solution is definitely better, please remove the chmod call from `renew_kdc_cert`. """ See the full comment at https://github.com/freeipa/freeipa/pull/804#issuecomment-303295791
[Freeipa-devel] [freeipa PR#625][closed] [RFC] remote plugins: add option to force compat plugins
URL: https://github.com/freeipa/freeipa/pull/625 Author: HonzaCholasta Title: #625: [RFC] remote plugins: add option to force compat plugins Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/625/head:pr625 git checkout pr625
[Freeipa-devel] [freeipa PR#863][closed] [ipa-4-5] Add CommonNameToSANDefault to default cert profile
URL: https://github.com/freeipa/freeipa/pull/863 Author: frasertweedale Title: #863: [ipa-4-5] Add CommonNameToSANDefault to default cert profile Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/863/head:pr863 git checkout pr863
[Freeipa-devel] [freeipa PR#859][closed] Add CommonNameToSANDefault to default cert profile
URL: https://github.com/freeipa/freeipa/pull/859 Author: frasertweedale Title: #859: Add CommonNameToSANDefault to default cert profile Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/859/head:pr859 git checkout pr859
[Freeipa-devel] [freeipa PR#771][closed] cert-show: check if certificate_out is in options
URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771
[Freeipa-devel] [freeipa PR#801][synchronized] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Author: HonzaCholasta Title: #801: httpinstance: wait until the service entry is replicated Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/801/head:pr801 git checkout pr801
From 780559ef4dab3a5b1ff6e774bdb405c16af06a39 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 22 May 2017 08:15:14 +
Subject: [PATCH] httpinstance: wait until the service entry is replicated
Wait until the local HTTP service entry is replicated to the remote master before requesting the server certificate. This prevents a replication conflict between the service entry added locally and service entry added remotely when requesting the certificate.
https://pagure.io/freeipa/issue/6867
---
ipaserver/install/httpinstance.py | 29 +++--
ipaserver/install/server/install.py| 4 ++--
ipaserver/install/server/replicainstall.py | 5 +++--
3 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 608652033e..555c82213c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,9 +32,11 @@ from augeas import Augeas
from ipalib.install import certmonger
+from ipapython import ipaldap
from ipapython.certdb import (IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS)
+from ipaserver.install import replication
from ipaserver.install import service
from ipaserver.install import certs
from ipaserver.install import installutils
@@ -120,12 +122,15 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert',
subject_base = ipautil.dn_attribute_property('_subject_base')
-def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
+def create_instance(self, realm, fqdn, domain_name, dm_password=None,
+pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
-ca_is_configured=None, promote=False):
+ca_is_configured=None, promote=False,
+master_fqdn=None):
self.fqdn = fqdn
self.realm = realm
self.domain = domain_name
+self.dm_password = dm_password
self.suffix = ipautil.realm_to_suffix(self.realm)
self.pkcs12_info = pkcs12_info
self.dercert = None
@@ -141,6 +146,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
if ca_is_configured is not None:
self.ca_is_configured = ca_is_configured
self.promote = promote
+self.master_fqdn = master_fqdn
self.step("stopping httpd", self.__stop)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
@@ -570,3 +576,22 @@ def start_tracking_certificates(self):
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR)
db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd')
+
+def request_service_keytab(self):
+super(HTTPInstance, self).request_service_keytab()
+
+if self.master_fqdn is not None:
+service_dn = DN(('krbprincipalname', self.principal),
+api.env.container_service,
+self.suffix)
+
+ldap_uri = ipaldap.get_ldap_uri(self.master_fqdn)
+with ipaldap.LDAPClient(ldap_uri,
+start_tls=not self.promote,
+cacert=paths.IPA_CA_CRT) as remote_ldap:
+if self.promote:
+remote_ldap.gssapi_bind()
+else:
+remote_ldap.simple_bind(ipaldap.DIRMAN_DN,
+self.dm_password)
+replication.wait_for_entry(remote_ldap, service_dn, timeout=60)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 03380b8d0e..9dcf903f45 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
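Review bot: In the new `request_service_keytab` method the non-promote branch runs `remote_ldap.simple_bind(ipaldap.DIRMAN_DN, self.dm_password)`, but `dm_password` is an optional parameter of `create_instance` defaulting to None, so a caller that sets `master_fqdn` without `dm_password` would attempt a Directory Manager bind with no password instead of failing with a clear error. A guard before the connection is opened, `if not self.promote and self.dm_password is None:` followed by `raise RuntimeError("dm_password is required when master_fqdn is set")`, makes the precondition explicit. The method also has no docstring; one stating that it waits up to 60 seconds for the local HTTP service entry to appear on master_fqdn before the certificate is requested, to avoid the replication conflict named in the commit message, would help, and since what `replication.wait_for_entry` does when the timeout expires is not visible here, that outcome should be stated as well. The `start_tls=not self.promote` together with `cacert=paths.IPA_CA_CRT` is what keeps the Directory Manager password from being sent in clear text on the simple-bind path, which deserves a one-line comment so a later refactor does not drop it.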
@@ -830,13 +830,13 @@ def install(installer):
http = httpinstance.HTTPInstance(fstore)
if options.http_cert_files:
http.create_instance(
-realm_name, host_name, domain_name,
+realm_name, host_name, domain_name, dm_password,
pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca)
else:
http.create_instance(
-realm_name, host_name, domain_name,
+realm_name, host_name, domain_name, dm_password,
subject_base=options.subject_base,
[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812 Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using HonzaCholasta commented: """ @felipevolpone, that is a bad idea. Calling the API instead of doing a direct LDAP search would degrade performance (currently everything is done in a single LDAP search, with API calls it will be *at least* one LDAP search per owner class) and offers less flexibility (the current code allows you to find *any* LDAP entry which refers to a certificate, with API calls you are limited to whatever is defined in the API). The PR currently breaks the `--user` and `--host` options, because they no longer expect a user name and host name, but principal names (as @martbab already pointed out). """ See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-305090643 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#833][-ack] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output Label: -ack