[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/13] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
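Review bot: the comment above the call, "Add trust flag which set certificate trusted for SSL connections.", reads as if one flag were appended, and it no longer explains what `TRUSTED_PEER_TRUST_FLAGS` means. 'P,,' marks this leaf certificate as a trusted SSL peer, i.e. NSS accepts it without building a chain to a CA, so only the server's own nickname taken from `NSSNickname` should ever get it. Suggest `# Mark the server certificate as a trusted SSL peer (P,,); no chain is built for it.` so the next reader does not reuse the constant for a CA.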
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
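Review bot: this hunk reaches the constant as `certdb.EXTERNAL_CA_TRUST_FLAGS` while restart_httpd imports `TRUSTED_PEER_TRUST_FLAGS` by name; the diffstat for ipa-replica-conncheck (4 lines, this one three-for-one change) shows no import being added, so `certdb` must already be imported in this script, and the same holds for client.py (9 lines, exactly the two hunks below). Worth confirming both before merging, and worth settling on one import style across the patch so the constants can be grepped consistently.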
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
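Review bot: the two nicknames now sit next to constants that make their asymmetry visible: 'IPA CA' gets `CT,C,C` (trusted CA for SSL server certificates and SSL client authentication, S/MIME and object signing) while 'External CA cert' gets `C,,` (trusted CA for SSL only). Nothing in the loop says why the external CA is deliberately not trusted for client auth or e-mail; a one-line comment here would stop a later cleanup from "unifying" both entries on `IPA_CA_TRUST_FLAGS`, which would silently widen what an external CA may issue for this host.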
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
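Review bot: the four constants are bare strings with nothing explaining the NSS trust-flag syntax, which is exactly what a reader choosing between `IPA_CA_TRUST_FLAGS` and `EXTERNAL_CA_TRUST_FLAGS` needs. Add a short comment above them naming the three comma-separated fields (SSL, S/MIME, object signing) and the letters in use (C = trusted CA, T = trusted CA for SSL client authentication, P = trusted peer, empty field = no trust), e.g. `# NSS trust flags: <SSL>,<S/MIME>,<object signing>`; that is what turns 'CT,C,C' versus 'C,,' into an informed choice rather than a copied literal.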
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, ni

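The constants introduced in the certdb hunk of the patch above are plain NSS trust-flag strings. As an added, stand-alone example (not FreeIPA code and not part of PR#758), the following parses those strings, rejects malformed ones, and audits a `certutil -L` listing against the trust the patch assigns to each nickname. The sample listing is constructed for the example; the expected-trust mapping and the `Server-Cert` value `u,u,u` are assumptions, not something the patch assigns.

```python
"""Parse and audit NSS trust-flag strings (added example, not FreeIPA code).

NSS keeps trust per certificate as three comma-separated fields: SSL, S/MIME
and object signing.  Letters as documented by certutil(1):
  p valid peer   P trusted peer   c valid CA   C trusted CA
  T trusted CA for SSL client auth (SSL field only)   u user cert   w warn
"""
from __future__ import annotations

VALID_FLAG_CHARS = set("pPcCTuw")
USAGES = ("ssl", "email", "objsign")

# The combinations the patch names in ipapython/certdb.py.
IPA_CA_TRUST_FLAGS = "CT,C,C"
EXTERNAL_CA_TRUST_FLAGS = "C,,"


def parse_trust_flags(flags: str) -> dict[str, set[str]]:
    """Split 'CT,C,C' into {'ssl': {'C', 'T'}, 'email': {'C'}, 'objsign': {'C'}}.

    Raises ValueError on a wrong field count, unknown letters, or a 'T'
    outside the SSL field, where it has no meaning.
    """
    fields = flags.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields, got {flags!r}")
    parsed = {}
    for usage, field in zip(USAGES, fields):
        letters = set(field)
        unknown = letters - VALID_FLAG_CHARS
        if unknown:
            raise ValueError(f"unknown trust flag(s) {sorted(unknown)} in {flags!r}")
        if "T" in letters and usage != "ssl":
            raise ValueError(f"'T' only applies to the SSL field: {flags!r}")
        parsed[usage] = letters
    return parsed


# Assumed expected trust per nickname: 'IPA CA' and 'External CA cert' follow
# the patch; 'Server-Cert' = 'u,u,u' (own key, no trust) is an assumption.
EXPECTED_TRUST = {
    "IPA CA": IPA_CA_TRUST_FLAGS,
    "External CA cert": EXTERNAL_CA_TRUST_FLAGS,
    "Server-Cert": "u,u,u",
}


def parse_certutil_listing(text: str) -> dict[str, str]:
    """Parse a `certutil -L -d <dbdir>` table into {nickname: trust flags}.
    The trust string is the last whitespace-separated token of a data line;
    everything before it is the nickname, which may contain spaces."""
    entries = {}
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,")):
            continue
        nickname, _, trust = line.rpartition(" ")
        entries[nickname.rstrip()] = trust
    return entries


def audit_trust(entries: dict[str, str],
                expected: dict[str, str] = EXPECTED_TRUST) -> list[str]:
    """Report entries whose trust differs from `expected`, plus unknown
    nicknames carrying CA or peer trust.  An empty list means all good."""
    findings = []
    for nickname, flags in entries.items():
        try:
            parsed = parse_trust_flags(flags)
        except ValueError as exc:
            findings.append(f"{nickname}: {exc}")
            continue
        want = expected.get(nickname)
        if want is None:
            # Unknown entries only matter if they carry CA or peer trust.
            if any(parsed[u] & {"C", "P", "T"} for u in USAGES):
                findings.append(f"{nickname}: unexpected trust {flags!r} on unknown nickname")
            continue
        if parse_trust_flags(want) != parsed:
            findings.append(f"{nickname}: trust {flags!r}, expected {want!r}")
    return findings


# Constructed sample listing, not captured from a real system.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
External CA cert                                             C,,
Server-Cert                                                  u,u,u
Old Server-Cert                                              P,,
"""

if __name__ == "__main__":
    for finding in audit_trust(parse_certutil_listing(SAMPLE_LISTING)):
        print(finding)
```

Run against the constructed listing it reports only the stale `Old Server-Cert` entry, which carries peer trust under a nickname nobody expects; that is the kind of leftover a CA-less reinstall can leave behind and the reason the audit treats unknown trusted entries as findings rather than ignoring them.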
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-18 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/14] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

[Freeipa-devel] [freeipa PR#769][comment] test_caless: add pkinit option and test it

2017-05-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/769
Title: #769: test_caless: add pkinit option and test it

HonzaCholasta commented:
"""
@stlaz & @Rezney, kind permission given.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/769#issuecomment-30231
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable

2017-05-23 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

HonzaCholasta commented:
"""
No problem, thank you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/804#issuecomment-303311812


[Freeipa-devel] [freeipa PR#804][-ack] krb5: make sure KDC certificate is readable

2017-05-22 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

Label: -ack


[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable

2017-05-22 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

HonzaCholasta commented:
"""
I have already "solved" this by changing the permissions of the cert file in 
the `renew_kdc_cert`. Your solution is definitely better, please remove the 
chmod call from `renew_kdc_cert`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/804#issuecomment-303295791


[Freeipa-devel] [freeipa PR#625][closed] [RFC] remote plugins: add option to force compat plugins

2017-07-10 Thread HonzaCholasta via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/625
Author: HonzaCholasta
 Title: #625: [RFC] remote plugins: add option to force compat plugins
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/625/head:pr625
git checkout pr625


[Freeipa-devel] [freeipa PR#863][closed] [ipa-4-5] Add CommonNameToSANDefault to default cert profile

2017-06-27 Thread HonzaCholasta via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/863
Author: frasertweedale
 Title: #863: [ipa-4-5] Add CommonNameToSANDefault to default cert profile
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/863/head:pr863
git checkout pr863


[Freeipa-devel] [freeipa PR#859][closed] Add CommonNameToSANDefault to default cert profile

2017-06-27 Thread HonzaCholasta via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/859
Author: frasertweedale
 Title: #859: Add CommonNameToSANDefault to default cert profile
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/859/head:pr859
git checkout pr859


[Freeipa-devel] [freeipa PR#771][closed] cert-show: check if certificate_out is in options

2017-05-24 Thread HonzaCholasta via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/771
Author: stlaz
 Title: #771: cert-show: check if certificate_out is in options
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/771/head:pr771
git checkout pr771


[Freeipa-devel] [freeipa PR#801][synchronized] httpinstance: wait until the service entry is replicated

2017-05-29 Thread HonzaCholasta via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/801
Author: HonzaCholasta
 Title: #801: httpinstance: wait until the service entry is replicated
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/801/head:pr801
git checkout pr801
From 780559ef4dab3a5b1ff6e774bdb405c16af06a39 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 22 May 2017 08:15:14 +
Subject: [PATCH] httpinstance: wait until the service entry is replicated

Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.

This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.

https://pagure.io/freeipa/issue/6867
---
 ipaserver/install/httpinstance.py  | 29 +++--
 ipaserver/install/server/install.py|  4 ++--
 ipaserver/install/server/replicainstall.py |  5 +++--
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 608652033e..555c82213c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,9 +32,11 @@
 from augeas import Augeas
 
 from ipalib.install import certmonger
+from ipapython import ipaldap
 from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
   EXTERNAL_CA_TRUST_FLAGS,
   TRUSTED_PEER_TRUST_FLAGS)
+from ipaserver.install import replication
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
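Review bot: `from ipaserver.install import replication` is a new module-level dependency of httpinstance on the replication module, and it is only needed by `request_service_keytab`; check that it does not create an import cycle at load time, and if it does, import it inside that method instead. Minor style point: the three `from ipaserver.install import ...` lines could be one import.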
@@ -120,12 +122,15 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert',
 
 subject_base = ipautil.dn_attribute_property('_subject_base')
 
-def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
+def create_instance(self, realm, fqdn, domain_name, dm_password=None,
+pkcs12_info=None,
 subject_base=None, auto_redirect=True, ca_file=None,
-ca_is_configured=None, promote=False):
+ca_is_configured=None, promote=False,
+master_fqdn=None):
 self.fqdn = fqdn
 self.realm = realm
 self.domain = domain_name
+self.dm_password = dm_password
 self.suffix = ipautil.realm_to_suffix(self.realm)
 self.pkcs12_info = pkcs12_info
 self.dercert = None
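Review bot: `dm_password` is inserted in the middle of the positional parameter list, ahead of `pkcs12_info`, and the install.py hunk below passes it positionally as the fourth argument; any other caller that still passes `pkcs12_info` positionally would now hand the PKCS#12 info in as the Directory Manager password and fail at bind time with an unhelpful error. Safer to add it at the end (or keyword-only) and call it as `dm_password=dm_password`. Also, `self.dm_password = dm_password` keeps the Directory Manager password on the instance for the whole life of the installer object although it is only used in `request_service_keytab`; consider dropping it from the instance once the bind has been made.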
@@ -141,6 +146,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
 if ca_is_configured is not None:
 self.ca_is_configured = ca_is_configured
 self.promote = promote
+self.master_fqdn = master_fqdn
 
 self.step("stopping httpd", self.__stop)
 self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
@@ -570,3 +576,22 @@ def start_tracking_certificates(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR)
 db.track_server_cert(self.cert_nickname, self.principal,
  db.passwd_fname, 'restart_httpd')
+
+def request_service_keytab(self):
+super(HTTPInstance, self).request_service_keytab()
+
+if self.master_fqdn is not None:
+service_dn = DN(('krbprincipalname', self.principal),
+api.env.container_service,
+self.suffix)
+
+ldap_uri = ipaldap.get_ldap_uri(self.master_fqdn)
+with ipaldap.LDAPClient(ldap_uri,
+start_tls=not self.promote,
+cacert=paths.IPA_CA_CRT) as remote_ldap:
+if self.promote:
+remote_ldap.gssapi_bind()
+else:
+remote_ldap.simple_bind(ipaldap.DIRMAN_DN,
+self.dm_password)
+replication.wait_for_entry(remote_ldap, service_dn, timeout=60)
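Review bot: in the non-promote branch `simple_bind(ipaldap.DIRMAN_DN, self.dm_password)` is reached with whatever `dm_password` was given, and the new parameter defaults to `None`; nothing checks that it is set when `master_fqdn` is given and `promote` is False, so a caller that forgets it gets an opaque bind failure instead of a clear error. Add an explicit guard before opening the connection. Two further points: `start_tls=not self.promote` is what keeps the Directory Manager password off the wire in that branch (the GSSAPI bind in the promote branch does not need it), so it should stay hard-wired rather than become an option; and `replication.wait_for_entry(..., timeout=60)` is left unhandled, so if replication to `master_fqdn` lags more than a minute the installer aborts at this step, which is probably the right outcome but deserves a message pointing the admin at replication status.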
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 03380b8d0e..9dcf903f45 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -830,13 +830,13 @@ def install(installer):
 http = httpinstance.HTTPInstance(fstore)
 if options.http_cert_files:
 http.create_instance(
-realm_name, host_name, domain_name,
+realm_name, host_name, domain_name, dm_password,
 pkcs12_info=http_pkcs12_info, subject_base=options.subject_base,
 auto_redirect=not options.no_ui_redirect,
 ca_is_configured=setup_ca)
 else:
 http.create_instance(
-realm_name, host_name, domain_name,
+realm_name, host_name, domain_name, dm_password,
 subject_base=options.subject_base,

[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using

2017-05-30 Thread HonzaCholasta via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using

HonzaCholasta commented:
"""
@felipevolpone, that is a bad idea. Calling the API instead of doing a direct 
LDAP search would degrade performance (currently everything is done in a single 
LDAP search, with API calls it will be *at least* one LDAP search per owner 
class) and offers less flexibility (the current code allows you to find *any* 
LDAP entry which refers to a certificate, with API calls you are limited to 
whatever is defined in the API).

The PR currently breaks the `--user` and `--host` options, because they no 
longer expect a user name and host name, but principal names (as @martbab 
already pointed out).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-305090643


[Freeipa-devel] [freeipa PR#833][-ack] Fixes traceback in log and corrects console output

2017-06-06 Thread HonzaCholasta via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/833
Title: #833: Fixes traceback in log and corrects console output

Label: -ack