Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore
Dne 10.11.2014 v 17:46 Jan Cholasta napsal(a): Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711. Honza Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup. Updated patch attached. -- Jan Cholasta From f61c3b242e9eb83fa585b091da4d60b7262d124f Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 10 Nov 2014 16:24:22 + Subject: [PATCH] Fix CA certificate backup and restore Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit. Create /etc/ipa/nssdb after restore if necessary. https://fedorahosted.org/freeipa/ticket/4711 --- ipaplatform/base/paths.py| 2 +- ipaplatform/base/tasks.py| 9 + ipaplatform/redhat/tasks.py | 43 ipaserver/install/ipa_backup.py | 2 ++ ipaserver/install/ipa_restore.py | 35 +++- 5 files changed, 67 insertions(+), 24 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index af50262..e28147a 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -92,7 +92,7 @@ class BasePathNamespace(object): PAM_LDAP_CONF = /etc/pam_ldap.conf PASSWD = /etc/passwd ETC_PKI_CA_DIR = /etc/pki-ca -SYSTEMWIDE_CA_STORE = /etc/pki/ca-trust/source/anchors/ +SYSTEMWIDE_IPA_CA_CRT = /etc/pki/ca-trust/source/anchors/ipa-ca.crt IPA_P11_KIT = /etc/pki/ca-trust/source/ipa.p11-kit NSS_DB_DIR = /etc/pki/nssdb PKI_TOMCAT = /etc/pki/pki-tomcat diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index f2ba81f..9b15119 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -55,6 +55,15 @@ class BaseTaskNamespace(object): return +def reload_systemwide_ca_store(self): + +Reloads the systemwide CA store. + +Returns True if the operation succeeded, False otherwise. + + +return True + def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): Adds CA certificates from 'ca_certs' to the systemwide CA store diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 3f5fc90..d0e3cde 100644 --- a/ipaplatform/redhat/tasks.py 
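Review bot: The base-namespace `reload_systemwide_ca_store` added in the ipaplatform/base/tasks.py hunk returns True without doing anything, so on a platform that has not overridden it a caller that checks the result will conclude the trust store was refreshed when it was not, while the docstring promises `Returns True if the operation succeeded`. The docstring should at least state this, e.g. `Base implementation is a no-op that reports success; a platform namespace must override it to actually refresh the store.` Whether the other base methods use the same convention cannot be seen here (the visible `return` above the new method carries no value); if they default to False, doing the same here would make a missing override surface as a failure instead of silent success.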
+++ b/ipaplatform/redhat/tasks.py @@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace): auth_config.add_option(nostart) auth_config.execute() +def reload_systemwide_ca_store(self): +try: +ipautil.run([paths.UPDATE_CA_TRUST]) +except CalledProcessError, e: +root_logger.error( +Could not update systemwide CA trust database: %s, e) +return False +else: +root_logger.info(Systemwide CA database updated.) +return True + def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): -new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') +new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT if os.path.exists(new_cacert_path): try: @@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace): f.close() # Add the CA to the systemwide CA trust database -try: -ipautil.run([paths.UPDATE_CA_TRUST]) -except CalledProcessError, e: -root_logger.info(Failed to add CA to the systemwide - CA trust database: %s % str(e)) -else: -root_logger.info('Added the CA to the systemwide CA trust ' - 'database.') -return True +if not self.reload_systemwide_ca_store(): +return False -return False +return True def remove_ca_certs_from_systemwide_ca_store(self): -ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') +result = True update = False # Remove CA cert from systemwide store -for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt): +for new_cacert_path in (paths.IPA_P11_KIT, +paths.SYSTEMWIDE_IPA_CA_CRT): if not os.path.exists(new_cacert_path): continue try: @@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace): except OSError, e: root_logger.error( Could not remove %s: %s, new_cacert_path, e) +result = False else: update = True if update: -try: -ipautil.run([paths.UPDATE_CA_TRUST]) -except CalledProcessError, e: -root_logger.error( -Could not update systemwide CA trust database: %s, e) +if not self.reload_systemwide_ca_store(): return False -else: -root_logger.info(Systemwide CA database updated.) -return True -return False +return
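Review bot: The RedHat `reload_systemwide_ca_store` in the `@@ -158,8 +158,19 @@` hunk catches only `CalledProcessError`, so if `ipautil.run` reports a missing or non-executable `update-ca-trust` the way `subprocess` does (an `OSError`), the exception escapes the handler instead of becoming the False that the callers in this patch test for. If that is the intended contract a comment should say so; otherwise `except (CalledProcessError, OSError), e:` keeps the boolean return honest. The error log also records only `e`; if `ipautil.run` attaches the command's stderr to the exception (inferred from the subprocess-style exception name, not visible here), logging it would make a failed trust refresh diagnosable from the log alone.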
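Review bot: In the `@@ -248,24 +259,18 @@` hunk, when `reload_systemwide_ca_store` fails the p11-kit file written just before the hunk (`f.close()` is its first line) stays on disk while the trust database does not yet reflect it, so `insert_ca_certs_into_systemwide_ca_store` returns False from a half-applied state without saying so. A comment at the reload call would spare the next maintainer a surprise, e.g. `# The p11-kit source file is already on disk; a failed reload leaves it for the next successful update-ca-trust run` — that a later run rescans all sources is inferred, not shown here. As a style point, the tail `if not self.reload_systemwide_ca_store(): return False` followed by `return True` is just `return self.reload_systemwide_ca_store()`. The enclosing function starts outside the hunk.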
Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore
On 11/11/2014 09:52 AM, Jan Cholasta wrote: Dne 10.11.2014 v 17:46 Jan Cholasta napsal(a): Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711. Honza Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup. Updated patch attached. Looks good. ACK, pushed to: master: 2639997dfee43d66e94ef9b5441289816c465e7d ipa-4-1: 7c2aad17da8bd5f50b9c1409f91c413bc454ce28 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711. Honza -- Jan Cholasta From 5c00f80cce0e0952252df4f7ec3922d71e8f2cc9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 10 Nov 2014 16:24:22 + Subject: [PATCH] Fix CA certificate backup and restore Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit. Create /etc/ipa/nssdb after restore if necessary. https://fedorahosted.org/freeipa/ticket/4711 --- ipaplatform/base/paths.py| 2 +- ipaplatform/base/tasks.py| 9 + ipaplatform/redhat/tasks.py | 43 ipaserver/install/ipa_backup.py | 1 + ipaserver/install/ipa_restore.py | 35 +++- 5 files changed, 66 insertions(+), 24 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index af50262..e28147a 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -92,7 +92,7 @@ class BasePathNamespace(object): PAM_LDAP_CONF = /etc/pam_ldap.conf PASSWD = /etc/passwd ETC_PKI_CA_DIR = /etc/pki-ca -SYSTEMWIDE_CA_STORE = /etc/pki/ca-trust/source/anchors/ +SYSTEMWIDE_IPA_CA_CRT = /etc/pki/ca-trust/source/anchors/ipa-ca.crt IPA_P11_KIT = /etc/pki/ca-trust/source/ipa.p11-kit NSS_DB_DIR = /etc/pki/nssdb PKI_TOMCAT = /etc/pki/pki-tomcat diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index f2ba81f..9b15119 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -55,6 +55,15 @@ class BaseTaskNamespace(object): return +def reload_systemwide_ca_store(self): + +Reloads the systemwide CA store. + +Returns True if the operation succeeded, False otherwise. + + +return True + def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): Adds CA certificates from 'ca_certs' to the systemwide CA store diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 3f5fc90..d0e3cde 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py 
@@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace): auth_config.add_option(nostart) auth_config.execute() +def reload_systemwide_ca_store(self): +try: +ipautil.run([paths.UPDATE_CA_TRUST]) +except CalledProcessError, e: +root_logger.error( +Could not update systemwide CA trust database: %s, e) +return False +else: +root_logger.info(Systemwide CA database updated.) +return True + def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): -new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') +new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT if os.path.exists(new_cacert_path): try: @@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace): f.close() # Add the CA to the systemwide CA trust database -try: -ipautil.run([paths.UPDATE_CA_TRUST]) -except CalledProcessError, e: -root_logger.info(Failed to add CA to the systemwide - CA trust database: %s % str(e)) -else: -root_logger.info('Added the CA to the systemwide CA trust ' - 'database.') -return True +if not self.reload_systemwide_ca_store(): +return False -return False +return True def remove_ca_certs_from_systemwide_ca_store(self): -ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') +result = True update = False # Remove CA cert from systemwide store -for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt): +for new_cacert_path in (paths.IPA_P11_KIT, +paths.SYSTEMWIDE_IPA_CA_CRT): if not os.path.exists(new_cacert_path): continue try: 
@@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace): except OSError, e: root_logger.error( Could not remove %s: %s, new_cacert_path, e) +result = False else: update = True if update: -try: -ipautil.run([paths.UPDATE_CA_TRUST]) -except CalledProcessError, e: -root_logger.error( -Could not update systemwide CA trust database: %s, e) +if not self.reload_systemwide_ca_store(): return False -else: -root_logger.info(Systemwide CA database updated.) -return True -return False +return result def backup_and_replace_hostname(self, fstore, statestore, hostname): old_hostname = socket.gethostname() diff --git
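Review bot: `remove_ca_certs_from_systemwide_ca_store` now ends with `return result`, and `result` starts as True, so a host where neither `paths.IPA_P11_KIT` nor `paths.SYSTEMWIDE_IPA_CA_CRT` exists reports success where the removed `return False` reported failure; a caller that read False as "nothing was removed" changes behaviour, and the commit message does not mention it. If "already clean" is meant to count as success (plausible for the restore path this patch serves) the method should get a docstring saying so, e.g. `Returns False only if a file could not be removed or the trust store failed to reload after a removal; True otherwise, including when nothing needed removing.` Note also that when one removal fails and the other succeeds the reload still runs, and a reload failure then returns the same False as the removal failure, so the two causes are distinguishable only from the log. The start of the method lies outside this hunk.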